Microsoft 365 and Entra ID environments are the target of an active AI-augmented OAuth phishing campaign that has compromised accounts across at least 344 organizations in construction, law, healthcare, and government sectors. No CVE is assigned — the technique abuses legitimate OAuth 2.0 authorization flows to capture persistent refresh tokens that survive password resets. Immediate actions include auditing third-party OAuth application consents in Entra ID, revoking token grants for suspicious applications, and enforcing admin-consent requirements to eliminate the user-consent path attackers exploit.