Consent grant phishing - Application permission abuse - Device code phishing - Token theft and replay - PRT (Primary Refresh Token) abuse