A React-based phishing-as-a-service panel reportedly built for Microsoft 365 abuse points to a quieter threat: industrialized token handling, not just stolen passwords.