Device-code → PRT pivot (Entra)

TL;DR: Device-code phish → refresh token → device registration → Primary Refresh Token + WHfB key for silent SSO across every M365 app.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/