Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.