EvilTokens: new PhaaS actively targeting Microsoft 365 via Device Code Flow abuse.
The attack abuses the legitimate OAuth Device Authorization Grant. The attacker sends you a code, you enter it on the REAL microsoft.com/devicelogin page and they get your tokens. MFA bypassed. Password reset won't revoke access.
Check if the flow is used in your tenant:
Entra Sign-in logs → filter "Authentication Protocol: Device code" → Last 30 days → check all 4 tabs.
All empty? You can block safely.
Block it:
Conditional Access → New policy → All users → All resources → Conditions: Authentication flows > Device code flow → Grant: Block access → ON.
Takes 5 minutes. Do it now.
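The same check-then-block procedure as a script, so it can be run against an exported sign-in log instead of clicking through the portal. This is an added example, not code from the original post or from any vendor: it assumes records shaped like the Microsoft Graph signIn resource (property authenticationProtocol, value "deviceCode") and builds a request body in the conditionalAccessPolicy shape with conditions.authenticationFlows.transferMethods, which is the schema I understand the portal's "Authentication flows > Device code flow" condition maps to. The four sign-in records are constructed sample data (example.test users, TEST-NET addresses), not real tenant data.

```python
"""Triage Entra sign-in records for device code flow, then build the blocking CA policy body.

Added example, not from the original post. Assumes Graph `signIn`-shaped records
and the `conditionalAccessPolicy` schema with `authenticationFlows.transferMethods`.
"""
from collections import Counter

# Constructed sample: four sign-in records in Graph signIn shape (not real tenant data).
# Error code 0 = success; 50126 is a standard failed-credential result code.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2025-01-10T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2025-01-11T21:13:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2025-01-11T21:20:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "ropc",
     "createdDateTime": "2025-01-12T09:00:00Z", "status": {"errorCode": 0}},
]


def device_code_signins(records):
    """Every record that used the device code grant, successful or not."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def summarize(records, successful_only=True):
    """Count device code sign-ins per (user, app, ip): who actually relies on the flow."""
    hits = device_code_signins(records)
    if successful_only:
        hits = [r for r in hits if r.get("status", {}).get("errorCode", 0) == 0]
    return Counter((r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]) for r in hits)


def safe_to_block(records):
    """The post's rule: no successful device code sign-ins means the block can go straight to enabled."""
    return not summarize(records)


def build_block_policy(display_name="Block device code flow", state="enabled"):
    """Request body for POST /identity/conditionalAccess/policies (assumed schema, see lead-in).

    All users, all resources, device code flow condition, grant = block. Use
    state="enabledForReportingButNotEnforced" first if the log was not empty.
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    usage = summarize(SAMPLE_SIGNINS)
    for (user, app, ip), n in usage.items():
        print(f"device code in use: {user} via {app} from {ip} ({n} successful sign-ins)")
    state = "enabled" if safe_to_block(SAMPLE_SIGNINS) else "enabledForReportingButNotEnforced"
    print("policy state to deploy:", state)
    print(build_block_policy(state=state))
```

In the constructed sample, bob's successful Azure CLI sign-in shows up, so the script proposes report-only mode first; rerun after that user is moved off the flow (or excluded) and the policy goes straight to enabled, which is the "All empty? You can block safely" step above.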
