Microsoft 365 Token Theft via Phishing Kits — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: CRITICAL

Microsoft 365 Token Theft Scam in India 2026: Beware of Phishing Kits Targeting Your UPI and WhatsApp

A growing wave of cyber fraud in India involves phishing kits stealing Microsoft 365 access tokens, putting your UPI payments and WhatsApp data at critical risk in 2026.

What Is the Microsoft 365 Token Theft via Phishing Kits?

This scam involves fraudsters using phishing kits designed to hijack Microsoft 365 authentication tokens from unsuspecting users. These tokens grant access without needing to repeatedly enter passwords, so once stolen, scammers can silently access emails, files, and linked accounts. In India, cybercriminals allegedly target users of Microsoft 365—widely used by students, businesses, and professionals—through social engineering techniques involving WhatsApp messages and fraudulent links.

The stolen access tokens enable fraudsters to impersonate victims and carry out unauthorized fund transfers via UPI apps connected to Microsoft accounts or exploit contact lists on WhatsApp for further phishing attempts. According to public complaints reported to cybercrime cells and alerts from CERT-In, such token theft scams are increasingly common in metropolitan cities and tier-2 towns, often triggered by phishing links that resemble official Microsoft login portals.

While RBI has not issued a direct alert specifically on token theft, its broad warnings on UPI fraud and digital payments remind users to always verify links and avoid sharing OTPs or login credentials. CERT-In and I4C also emphasize awareness of phishing attacks exploiting popular apps like WhatsApp and Microsoft 365.

How This Scam Works — Step by Step

  1. Initial Contact: The victim receives a WhatsApp message or SMS claiming to be from Microsoft or a trusted service, warning about account issues or offering urgent security updates.

  2. Fake Link Delivered: The message contains a URL disguised as an official Microsoft login page. Clicking this link directs the user to a phishing kit designed to capture login details and authentication tokens.

  3. Credential Entry & Token Capture: When the user enters their Microsoft 365 email and password, the phishing kit secretly captures the session token generated during login.

  4. Account Hijacking: Using the stolen token, scammers gain access to the victim’s Microsoft 365 account without needing the password again.

  5. UPI and WhatsApp Exploitation: Fraudsters use the account access to find linked UPI payment details, Aadhaar-linked documents, or tap into WhatsApp contacts to spread more phishing messages.

  6. Unauthorized Transactions: Using the compromised data, they initiate UPI money transfers to fraudulent accounts or use social engineering over WhatsApp to trick the victim’s contacts into transferring money.
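
From the defender's side, steps 3 and 4 leave a trace: one session that keeps being used, without a fresh password entry, from a different country or client than the one that signed in. The check below is an added example, not code from BharatSecure or Microsoft; the records are constructed and the field names are hypothetical, not a real log schema.

```python
from datetime import datetime

# Constructed sign-in records; field names are hypothetical, not a real log schema.
SIGNINS = [
    {"time": "2026-01-12T09:02:11", "user": "asha@example.in", "session": "s-7f3a",
     "ip": "203.0.113.24", "country": "IN", "agent": "Chrome/Windows", "password_used": True},
    {"time": "2026-01-12T09:04:40", "user": "asha@example.in", "session": "s-7f3a",
     "ip": "198.51.100.77", "country": "NL", "agent": "python-requests", "password_used": False},
    {"time": "2026-01-12T10:15:03", "user": "ravi@example.in", "session": "s-19bc",
     "ip": "203.0.113.80", "country": "IN", "agent": "Edge/Windows", "password_used": True},
    {"time": "2026-01-12T13:40:52", "user": "ravi@example.in", "session": "s-19bc",
     "ip": "203.0.113.81", "country": "IN", "agent": "Edge/Windows", "password_used": False},
]

def find_token_replay(records):
    """Flag sessions reused from a different country or client than the original login."""
    origin = {}   # (user, session) -> first record seen for that session
    alerts = []
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        key = (rec["user"], rec["session"])
        first = origin.setdefault(key, rec)
        if first is rec:
            continue  # the login that created the session is the baseline
        # An IP change alone is normal (mobile networks, NAT), so it is not compared.
        changed = [f for f in ("country", "agent") if rec[f] != first[f]]
        if changed and not rec["password_used"]:
            alerts.append({"user": rec["user"], "session": rec["session"],
                           "ip": rec["ip"], "changed": changed, "time": rec["time"]})
    return alerts

if __name__ == "__main__":
    for alert in find_token_replay(SIGNINS):
        print(alert)
```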

Real Warning Signs to Watch For

What Happens to Victims

Victims often face financial loss through unauthorized UPI transactions, sometimes of large sums in INR. Since UPI payments are instant and hard to reverse, recovering money proves difficult. Victims also report emotional distress caused by loss of personal data, emails, and contacts. Aadhaar-linked information accessed via compromised Microsoft accounts increases the risk of identity theft and further scams.

SIM swap fraud sometimes accompanies this theft, as fraudsters use stolen tokens to convince mobile providers to switch the victim’s phone number, thereby intercepting OTPs to other services. This amplifies the damage by giving scammers control over multiple digital assets. Victims often experience reputational harm when their WhatsApp contacts are targeted next, eroding trust among family and colleagues.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) routinely cautions users to stay alert against phishing and impersonation scams that exploit UPI and mobile banking credentials. RBI advises never to share OTPs, login passwords, or confidential data via SMS or WhatsApp.

CERT-In, whose role includes issuing cybersecurity alerts, listed phishing kits and token theft as emerging threats during 2025–26, urging users to validate website URLs and enable multi-factor authentication for online accounts. The Indian Cyber Crime Coordination Centre (I4C) runs the 1930 cybercrime helpline where victims can report suspicious activity.

For suspected fraud, the government’s cybercrime portal (cybercrime.gov.in) allows filing complaints, ensuring assistance from authorities trained to handle digital crime cases.

How to Protect Yourself

  1. Always verify links before clicking, either by typing official URLs (like microsoft.com) directly into your browser or using official apps.
  2. Enable multi-factor authentication (MFA) on your Microsoft 365 account to prevent token misuse.
  3. Never share OTPs, passwords, or security codes received via SMS or WhatsApp with anyone.
  4. Check for HTTPS and valid domain names carefully when prompted to enter credentials.
  5. Install the latest software updates on your devices to patch security vulnerabilities.
  6. Use strong, unique passwords that are not reused across apps, especially for email and payment accounts.
  7. Regularly review login activity and connected apps in Microsoft 365 settings and notify your IT administrator or service provider immediately if anything looks suspicious.
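
Steps 1 and 4 above can be automated. The following added example (not BharatSecure's or Microsoft's code) checks whether a link that claims to be a Microsoft login page really points at a Microsoft-owned host; the domain allow-list and brand words are assumptions, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list of Microsoft-owned domains and brand words (not from the article).
MS_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
BRAND_WORDS = ("microsoft", "office365", "outlook")

def check_login_link(url):
    """Return (verdict, reason) for a link that claims to be a Microsoft login page."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "reject", "malformed URL"
    if parts.scheme != "https":
        return "reject", "not HTTPS"
    if "@" in parts.netloc:
        return "reject", "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject", "no host"
    if not host.isascii():
        return "reject", "non-ASCII look-alike characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "punycode label in host"
    if any(host == d or host.endswith("." + d) for d in MS_DOMAINS):
        return "ok", "host is inside a Microsoft-owned domain"
    if any(word in host for word in BRAND_WORDS):
        return "reject", "brand name in host but wrong domain"
    return "reject", "host not on allow-list"

# Constructed sample links using reserved example domains and documentation IPs.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com@198.51.100.7/signin",
    "https://login.microsoftonline.com.account-verify.example/",
    "https://microsoft-365-secure.example/login",
    "https://xn--mcrosoft-constructed.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_link(link), link)
```

An "ok" verdict only says the host sits inside an allow-listed domain; it says nothing about the page content.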

What to Do If You’ve Been Targeted

  1. Immediately change your Microsoft 365 password and reset passwords linked to your email or payment apps.
  2. Contact your bank to block or freeze UPI-linked accounts and request transaction reversal, if any unauthorized transactions occurred.
  3. Report the incident on cybercrime.gov.in and call the 1930 cybercrime helpline for guidance and complaint registration.
  4. Inform your mobile service provider if you suspect SIM swap fraud for additional mobile security.
  5. Alert close contacts on WhatsApp or email about the incident to prevent further phishing from your account.
  6. Keep evidence like phishing messages, screenshots, and transaction details ready for investigation by authorities.

Frequently Asked Questions

Q: How does a Microsoft 365 token help scammers steal money?
A: The token acts like an unlocked key that lets scammers access your Microsoft account without needing your password each time. With full access, they can find payment details, email contacts, or other linked apps to commit fraud such as unauthorized UPI transfers or spreading phishing messages.

Q: Can I recover money lost through UPI transactions done via this fraud?
A: UPI payments are instant and usually irreversible. However, you should immediately report unauthorized transactions to your bank and file a complaint with cybercrime authorities. Banks sometimes assist in recovery if fraud is promptly reported.

Q: Why does WhatsApp play a role in this scam?
A: WhatsApp is widely used in India for communication. Scammers use stolen Microsoft 365 access to harvest contact lists and send phishing links via WhatsApp, increasing their reach and tricking more users into sharing credentials or making payments.

If you receive suspicious messages or calls, don't react impulsively. Verify all such claims at BharatSecure.app and report fraud promptly to the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.
