They don’t have an authentication code; just an identification code. You log in elsewhere and put in the code so Microsoft knows which device you actually want to log in on. Think e.g. logging into most streaming services on a Smart TV - get the code and take it to your phone, where you actually log in.
How is this new? Evilginx has been around for years.
This requires all authentication codes to be sent to the attacker in the first place. Why wouldn't they just put the code in themselves at that point?
They don’t have an authentication code; just an identification code. You log in elsewhere and put in the code so Microsoft knows which device you actually want to log in on. Think e.g. logging into most streaming services on a Smart TV - get the code and take it to your phone, where you actually log in.