Microsoft 365, Entra ID, Teams, and SharePoint are the primary targets of a device code phishing campaign that has surged 37x. The campaign abuses the legitimate OAuth 2.0 Device Authorization Grant flow to bypass MFA and harvest persistent tokens that survive password resets. No CVE is assigned and no vendor patch resolves the attack vector. Mitigation requires enforcing Conditional Access policies that restrict or block device code authentication flows, plus proactive token revocation for any account confirmed compromised. Organizations should also extend detection to Okta, Adobe, DocuSign, and Citrix ShareFile environments, which are listed as secondary affected platforms in the same campaign.
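
One way to check the Conditional Access mitigation described above is to audit an export of the tenant's policies for an enforced rule that blocks the device code flow. This is an added example, not code from the advisory or from Microsoft. It assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects with `transferMethods` serialized as a comma-separated string; the sample policies, names and group ID are constructed.

```python
# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies); IDs and names are made up.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block device code (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups":
                              ["00000000-0000-0000-0000-000000000001"]},
                    "authenticationFlows": {"transferMethods":
                                            "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
]


def blocks_device_code(policy):
    """True if the policy targets the device code flow with a block control."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls


def audit(policies):
    """Return (names of enforced blocking policies, findings to review)."""
    enforced, findings = [], []
    for p in policies:
        if not blocks_device_code(p):
            continue
        name, state = p.get("displayName"), p.get("state")
        if state != "enabled":  # report-only or disabled policies block nothing
            findings.append(f"{name}: state={state}, not enforced")
            continue
        enforced.append(name)
        users = (p.get("conditions") or {}).get("users") or {}
        if "All" not in (users.get("includeUsers") or []):
            findings.append(f"{name}: not scoped to all users")
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:  # excluded identities are not covered by the block
            findings.append(f"{name}: {len(excluded)} exclusion(s) to review")
    if not enforced:
        findings.append("no enforced policy blocks the device code flow")
    return enforced, findings


if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

A report-only policy shows up as a finding rather than as coverage, and each exclusion on an enforced policy is surfaced for review because those identities can still authenticate with a device code.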