EvilTokens Microsoft 365 Device Code Phishing — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: CRITICAL

Beware the EvilTokens Microsoft 365 Device Code Phishing Scam in India 2026

A dangerous new scam called EvilTokens Microsoft 365 Device Code Phishing is targeting Indian professionals via WhatsApp, risking theft of business and personal data with critical consequences.

What Is the EvilTokens Microsoft 365 Device Code Phishing?

EvilTokens Microsoft 365 Device Code Phishing is a sophisticated cyberattack focused on extracting Microsoft 365 login credentials from users in India. Microsoft 365 is widely used by small and medium businesses (SMBs), educational institutions, and government offices throughout the country. Attackers exploit this widespread dependency, especially among organizations with less stringent cybersecurity measures.

This scam primarily targets Indian professionals who rely on Microsoft 365 for emails, documents, and collaboration. Cybercriminals use WhatsApp, a platform with over 530 million users in India, as the main communication channel to reach their victims. Posing as Microsoft support agents, they claim that urgent security issues affect the victim’s account, using fake warnings about account suspension or unauthorized access. This social engineering tactic pressures victims into sharing sensitive device codes sent to their phones.

CERT-In (Indian Computer Emergency Response Team) and the Indian government’s Integrated Financial Crimes Enforcement (I4C) unit have issued timely alerts about phishing scams exploiting popular software platforms like Microsoft 365. With the rapid digital adoption in India, scams targeting online productivity tools are increasingly common and dangerous.

How This Scam Works — Step by Step

  1. Initial Contact via WhatsApp: You might receive a message or missed call from an unknown number posing as a Microsoft support agent. The message usually appears urgent — it warns you about unusual login attempts or potential suspension of your Microsoft 365 account.

  2. Building Trust: The scammer may share fake support credentials or official-looking graphics to appear legitimate. They might address you by name or mention your company to gain credibility.

  3. Requesting the Device Code: When you try to log into Microsoft 365, a device code (also called a verification code) is automatically sent to your phone via SMS or the Microsoft Authenticator app. The scammer asks you to share this exact code, claiming it helps them “fix” your account.

  4. Using the Device Code: Once they receive this code, scammers instantly use it to take over your account remotely, bypassing multi-factor authentication.

  5. Data Theft and Financial Fraud: With control over your Microsoft 365 account, attackers access emails, contact lists, sensitive business files, and may impersonate you to defraud your clients or employees.

  6. Rapid Spread: They then leverage your WhatsApp contacts to spread the scam further, manipulating your trusted network to recruit new victims.

Real Warning Signs to Watch For

What Happens to Victims

Victims often face severe financial and emotional damage. Once scammers control your Microsoft 365 account, they can access confidential business data, including client contracts, employee records, or financial reports. Cybercriminals may impersonate you or your company to authorize fraudulent payments, ask for UPI transfers, or manipulate vendors and customers.

Unlike UPI money transfers, which can sometimes be reversed through your bank if reported quickly, access gained through Microsoft 365 phishing can result in irreversible data loss and reputational harm. Victims often suffer identity theft, SIM swap fraud (which lets scammers seize your mobile number), and Aadhaar data misuse for fake loan applications or tax evasion.

The stress and distrust following such incidents can disrupt business operations and personal lives, with many victims reporting difficulty in regaining control of their accounts or convincing partners that the fraud occurred.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly warned about phishing scams exploiting two-factor authentication (2FA) mechanisms. Their guidelines advise never sharing OTPs or verification codes with anyone, even if the request appears official. RBI’s cyber helpline and banking grievance mechanisms are designed to assist victims in minimizing losses.

CERT-In, India’s nodal agency for cybersecurity incidents, emphasizes reporting all suspected phishing attempts to their 1930 cybercrime helpline immediately. They recommend heightened awareness about scams linked to popular services like Microsoft 365 that many Indian businesses depend on.

The Integrated Financial Crimes Enforcement (I4C) unit also monitors such cases, especially when bank frauds or identity thefts accompany these scams.

How to Protect Yourself

  1. Never share Microsoft 365 device codes or OTPs with anyone, including those claiming to be support agents.
  2. Verify any urgent messages independently by contacting Microsoft customer support directly — do not trust WhatsApp messages.
  3. Enable two-factor authentication (2FA) on all important accounts, but always keep codes private.
  4. Be skeptical of unsolicited WhatsApp calls or texts from unknown numbers.
  5. Keep your phone’s software updated and use official Microsoft apps downloaded only from trusted sources.
  6. Avoid clicking links or downloading attachments in suspicious WhatsApp messages.
  7. Educate your colleagues and employees about this scam, as attackers often spread via contact lists.

What to Do If You’ve Been Targeted

Frequently Asked Questions

Q: How do scammers get my Microsoft 365 device code?
A: They trick you by posing as Microsoft support and ask you to share the verification code sent to your phone during login. This “device code” bypasses two-factor authentication.

Q: Can money lost through this scam be recovered?
A: Recovery depends on the mode of fraud. While UPI payments may sometimes be reversed if reported swiftly, data loss or identity theft caused by account takeover is harder to fix. Immediate action improves chances.

Q: Is Microsoft responsible for these phishing attacks?
A: No. Microsoft provides strong security tools, but phishing exploits human trust. Users must stay vigilant and follow security best practices to protect themselves.


If you receive suspicious messages about Microsoft 365 account issues on WhatsApp or elsewhere, do not share any codes. Always verify the message with official Microsoft support or at BharatSecure.app before taking any action. Stay informed, stay safe!
