The evil site usually says something like "enter the code from our identity partner x" or something, which is a lot more believable when it's a service like Microsoft that does provide services like that.

▲

gethly 9 days ago | parent [-]

That is not how oAuth works.

▲

ascorbic 9 days ago | parent [-]

That's the point: this isn't OAuth. It's just a way to phish the code.

	▲	gethly 8 days ago \| parent [-]
		If it is not oAuth, where does Microsoft come from then?