EvilTokens Device Code Fraud Scheme

Verdict: Suspicious | Risk Score: 8/10 | Severity: high

Category: UPI, Phishing

How EvilTokens Device Code Fraud Scheme Works

Overview:

The EvilTokens Device Code Fraud Scheme is a sophisticated phishing-as-a-service operation targeting Indian individuals and enterprises, using fake device code verifications to steal login details and bypass two-factor authentication (2FA). The scam is particularly dangerous because it can hijack not only passwords but also multi-factor authentication tokens—allowing attackers to access sensitive work emails, confidential documents, and corporate resources. With tokens in hand, fraudsters can maintain ongoing access or sell these digital keys on underground markets, facilitating ransomware or data leaks.

How It Works:

  1. Victims receive an email or SMS pretending to be from Microsoft, Outlook, or Teams, urging them to use a device code for 'secure login' or to resolve account issues.
  2. The message links to a fake site, often hosted on obscure cloud platforms, asking users to enter the code and their actual credentials.
  3. Attackers capture this information and immediately generate valid OAuth tokens that grant access even if the victim has 2FA enabled.
  4. The victim may be redirected through several proxy websites, creating a sense of legitimacy, before the process completes.
  5. Stolen credentials and tokens are bundled and sold to cybercriminals, leading to business email compromise or wide-scale fraud.

India Angle:

This scam is highly prevalent in Indian offices, educational institutions, and among professionals using Microsoft 365 for work or study. Major cities such as Bengaluru, Hyderabad, and Pune—India's tech hubs—are most targeted. The message often mimics local Microsoft support styles, exploiting the high rate of email-based communication in Indian workplaces.

Real Examples:

  • "Your account is under review. For security, please use this device code: 7F4X9Q2. Secure now: [URL]"
  • "Teams login interrupted. Enter your device code at the following link: [Phishing URL]"
  • Email from a generic sender (e.g., [UPI_REDACTED]-mail.com) carrying urgent language and fake device codes.

Red Flags:

  1. Device code requests received via email or SMS, especially when you are not actively signing in anywhere.
  2. Links that redirect more than once or open pages with unfamiliar branding.
  3. Domain names that do not exactly match Microsoft's official websites.
  4. Requests for credentials alongside supposed device code input.

Protective Measures:

  • Never enter device codes or passwords on links received via unsolicited messages.
  • Check every URL carefully—official Microsoft domains should end in ".microsoft.com".
  • Use official Microsoft Authenticator or company-verified login portals.
  • Enable additional app-based security and regularly review login alerts.

If Victimised:

  • Change your password using the official Microsoft login page immediately.
  • Notify your IT department if this involves your work account.
  • File a complaint at cybercrime.gov.in and call helpline 1930.
  • Closely monitor your accounts for any suspicious activity.

Related Scams:

  • Business email compromise using fake login notifications.
  • Ransomware attacks after token theft.
  • Gift card scams exploiting compromised emails.
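For an IT team that wants to catch this scheme from the sign-in side rather than rely on users spotting the message, here is an added triage example (it is not BharatSecure's code and not from this page). It runs over constructed sign-in records whose field names are modelled on Microsoft Entra sign-in log exports; the field names, the corporate IP range and the sample records are all assumptions. A device-code sign-in is flagged when it comes from a country the user has never signed in from interactively, or from an address outside the assumed corporate ranges.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample sign-in export (JSON Lines); not real telemetry.
SAMPLE_LOGS = """\
{"userPrincipalName":"asha@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"IN"},"appDisplayName":"Microsoft Teams"}
{"userPrincipalName":"asha@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"ravi@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"IN"},"appDisplayName":"Outlook"}
{"userPrincipalName":"ravi@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.23","location":{"countryOrRegion":"IN"},"appDisplayName":"Microsoft Office"}
"""

# Assumed corporate egress range (RFC 5737 TEST-NET-3, constructed for the example).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_signins(text):
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_corp_range(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def triage_device_code(records):
    """Flag device-code sign-ins from a country outside the user's baseline
    (countries seen in their non-device-code sign-ins) or from a non-corporate IP."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        country = r["location"]["countryOrRegion"]
        reasons = []  # every applicable reason is kept so the analyst sees why
        if country not in baseline[user]:
            reasons.append(f"country {country} outside baseline {sorted(baseline[user])}")
        if not in_corp_range(ip):
            reasons.append(f"source {ip} outside corporate ranges")
        if reasons:
            findings.append({"user": user, "ip": ip, "app": r["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_device_code(parse_signins(SAMPLE_LOGS)):
        print(finding)
```

On the sample data only asha@example.com is reported (new country and non-corporate source); ravi@example.com's device-code sign-in matches his baseline and is left alone.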

Visual Intelligence:

BharatSecure's AI has identified this as being used in scams targeting Indian users.

Who Does EvilTokens Device Code Fraud Scheme Target?

General public across India

Red Flags — How to Identify EvilTokens Device Code Fraud Scheme

  • Unexpected device code or login approval requests
  • Emails or SMS with links not hosted on official Microsoft domains
  • Multiple redirections before login page appears
  • Requests to enter both a device code and your password

What To Do If You Encounter EvilTokens Device Code Fraud Scheme

  1. Do not click any links or share personal information
  2. Block and report the sender immediately
  3. Report at cybercrime.gov.in or call 1930
  4. Inform your bank if financial details were shared

How to Report EvilTokens Device Code Fraud Scheme in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What is EvilTokens Device Code Fraud Scheme?
The EvilTokens Device Code Fraud Scheme is a phishing-as-a-service operation targeting Indian individuals and enterprises, using fake device code verifications to steal login details and bypass two-factor authentication (2FA). It is particularly dangerous because it can hijack not only passwords but also multi-factor authentication tokens, giving attackers access to sensitive work emails, confidential documents, and corporate resources.
How does EvilTokens Device Code Fraud Scheme work?
Victims receive an email or SMS posing as Microsoft, Outlook, or Teams that links to a fake site asking for a device code and their real credentials. Attackers capture this information and immediately generate valid OAuth tokens that grant access even with 2FA enabled; the stolen credentials and tokens are then sold to cybercriminals, leading to business email compromise or wide-scale fraud.
How to protect yourself from EvilTokens Device Code Fraud Scheme?
Do not click any links or share personal information. Block and report the sender immediately. Report at cybercrime.gov.in or call 1930. Inform your bank if financial details were shared.
How to report EvilTokens Device Code Fraud Scheme in India?
Report to cybercrime.gov.in or call 1930 (National Cyber Crime Helpline). You can also contact your local police station's cyber cell.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.