Cybersecurity researchers have identified a widespread phishing campaign targeting hundreds of Microsoft 365 organizations across five countries by exploiting OAuth device authorization flows. This sophisticated attack tricks users into entering legitimate device codes on authentic Microsoft login pages, allowing hackers to bypass multi-factor authentication and maintain access even after password resets. The operation utilizes a diverse range of lures, such as fake DocuSign notifications and construction bids, while leveraging Cloudflare Workers and Railway infrastructure to host malicious redirect chains. These attacks are linked to a new phishing-as-a-service platform called EvilTokens, which provides automated tools for credential harvesting and spam filter evasion. To remain undetected, the landing pages employ anti-analysis techniques that disable developer tools and block browser-based inspections. Experts recommend that organizations monitor sign-in logs for specific IP addresses and revoke OAuth refresh tokens to mitigate the threat.