Saved February 14, 2026
This article examines how Device Code Phishing exploits the OAuth 2.0 authentication process used by Microsoft and Google. It details the mechanics of the attack, illustrating how attackers can trick users into providing access tokens through a seemingly legitimate flow. The comparison highlights the different security postures of the two identity providers.
The article by Matt Kiely examines the vulnerabilities associated with the OAuth 2.0 device code flow, particularly how it can be exploited for phishing attacks against Microsoft and Google. The device code flow is designed for authentication on devices without traditional input methods, like smart TVs or IoT devices. Users authenticate by entering a device code on a separate device with a full interface. While this feature solves a niche problem, it also opens the door for attackers who can manipulate the flow to gain unauthorized access.
Kiely outlines a method of Device Code Phishing specific to Microsoft 365. Attackers can request a device code from Microsoft's API without any authentication. They then craft a convincing email to trick victims into entering their device code, username, password, and MFA code on a legitimate-looking login page. The attacker monitors the API for successful authentication, at which point they can retrieve access tokens and gain control over the victim's resources.
The article breaks down the technical steps an attacker would take, including the API requests using cURL. For instance, the initial request to obtain a device code is straightforward, requiring only the client ID and resource parameters. Once the victim unknowingly provides their credentials, the attacker can exploit the tokens generated to secure initial access to the victim's account, demonstrating the ease with which this type of phishing can occur.
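Because the attacker, not the victim, requests the device code and polls for the token, a successful device code phish leaves a sign-in whose protocol is the device code flow and whose source IP belongs to the attacker rather than the victim. The following is an added example (not code from Kiely's article or from this page) that applies that check to constructed Entra-style sign-in records; the field names, including authenticationProtocol with the value "deviceCode", are assumed from the Microsoft Graph signIn schema and should be checked against your own log export.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Entra sign-in log entries.
# Field names are assumed from the Graph signIn schema; adapt to your export.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-14T09:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2026-02-14T09:45:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-14T09:30:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-02-14T10:00:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_signins(signins, window=timedelta(hours=24)):
    """Report every device-code sign-in with a risk rating: high when the token was
    redeemed from an IP and country the user had no interactive sign-in from within
    `window` beforehand, the trace device code phishing leaves (victim signs in from
    their own network; the party that requested the code polls from elsewhere)."""
    by_user = {}
    for r in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    findings = []
    for user, records in by_user.items():
        for r in records:
            if r.get("authenticationProtocol") != "deviceCode":
                continue
            t = parse_time(r["createdDateTime"])
            # Interactive (non-device-code) sign-ins by the same user in the window before this one
            prior = [p for p in records if p.get("authenticationProtocol") != "deviceCode"
                     and t - window <= parse_time(p["createdDateTime"]) < t]
            known_ips = {p["ipAddress"] for p in prior}
            known_countries = {p["location"]["countryOrRegion"] for p in prior}
            if r["ipAddress"] in known_ips:
                risk, reason = "medium", "device code flow from an IP seen in recent interactive sign-ins"
            elif r["location"]["countryOrRegion"] in known_countries:
                risk, reason = "medium", "device code flow from a new IP in a recently seen country"
            else:
                risk, reason = "high", "device code flow from an IP and country with no recent interactive sign-in"
            findings.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                             "app": r.get("appDisplayName"), "risk": risk, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

In the constructed data, alice's token is redeemed from a US address she never signed in from, so it is rated high, while bob's device code sign-in from his usual IP is rated medium and still surfaced for review.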