Attackers are abusing Microsoft's legitimate Device Authorization Grant (OAuth 2.0 Device Code Flow) to conduct phishing attacks that bypass traditional URL-based anti-phishing defenses. By pre-fetching a device code from Microsoft's identity platform and tricking victims into entering it on the genuine login.microsoftonline.com page, attackers harvest access and refresh tokens that grant persistent access to the victim's Microsoft 365 account. Two campaign variants were observed: one using password-protected PDF attachments impersonating a law firm, and another targeting Brazilian users via open redirects on cacoo.com.