OAuth device code phishing
Social engineering (salary and benefits lures)
Service spoofing (Microsoft OneDrive, LinkedIn, DocuSign)
Use of phishing kits (Squarephish2, Graphish)
Abuse of legitimate Microsoft authentication workflows
Use of Cloudflare Worker URLs for phishing infrastructure