EvilTokens Device Code Phishing Scam
Verdict: Suspicious | Risk Score: 9/10 | Severity: critical
Category: UPI, WhatsApp, KYC
How EvilTokens Device Code Phishing Scam Works
Overview: The EvilTokens Device Code Phishing Scam is a sophisticated form of cyber fraud targeting Indian organizations and individual users. Attackers leverage advanced phishing kits sold on the dark web and Telegram, specifically designed to steal Microsoft 365 login credentials. Victims are often professionals, students, or employees at businesses who are prompted to verify their account or device. The scam is highly dangerous because it can lead to business email compromise (BEC), identity theft, and financial losses.
How It Works: Scammers send fake notifications (via email, SMS, or WhatsApp) claiming an urgent need to verify your Microsoft account or device. The message includes a link that leads to a lifelike Microsoft login page hosted on a non-Microsoft domain (sometimes on providers like Railway or Cloudflare). On this phony site, victims are instructed to enter a device code, which is then captured by the scammers. Using this code, the attackers generate OAuth tokens that let them remotely access the victim's email, contacts, and sensitive data without knowing the password, and often without being blocked by multi-factor authentication (MFA), thanks to the kit's advanced features. The stolen account access is then resold on underground markets or used directly for further fraud.
India Angle: Indian organizations, especially in the IT, finance, and healthcare sectors, have recently become major targets. Users of Microsoft 365 in companies across Mumbai, Bengaluru, Hyderabad, and Delhi face the highest risk. Because WhatsApp and SMS are widely used for business communications in India, scammers frequently use these channels for initial contact. The scam's design adapts easily to Indian corporate environments, universities, and private users alike.
Real Examples:
- An employee at a Delhi-based company receives an SMS: "Your Microsoft account needs device verification. Click here: http://ms-verify-device.cloudsite.in"
- An HR manager gets a WhatsApp: "Unusual sign-in detected on your Microsoft account. Enter the code sent to your email at http://securemicrosoft-login.com"
Red Flags:
- Messages urgently asking you to verify a device or login
- Prompts to enter a code on a site that isn't microsoft.com
- Webpages with subtle mistakes (misspellings, odd URLs, logo distortions)
- Redirects that pass through unfamiliar Cloudflare or Railway URLs
- Demos or screenshots of the kit posted in Telegram scammer channels
Protective Measures:
- Always check the website URL before logging in; never enter codes on unfamiliar sites
- Use a hardware security key (like a YubiKey) for multi-factor authentication
- Never click suspicious links in messages or emails, especially ones about device verification
- Educate teams and family about device code phishing
- Report suspicious messages to your organization's IT department
If Victimised:
- Immediately change your password and revoke app access in your Microsoft account
- Inform your employer's IT security team or administrator
- Report the incident to the cyber police via 1930 or at cybercrime.gov.in
- If business-related, alert the RBI if financial data was compromised
Related Scams:
- Fake KYC update notifications with malware links
- WhatsApp OTP code phishing attacks
- SIM swap frauds targeting UPI accounts
Visual Intelligence:
BharatSecure's AI has identified this as a used in scams targeting Indian users.
Who Does EvilTokens Device Code Phishing Scam Target?
General public across India
Red Flags — How to Identify EvilTokens Device Code Phishing Scam
- Urgent requests to verify device/login via unknown links
- Device code entry on non-Microsoft domains
- Sites redirecting through Cloudflare or Railway
- Imitations of Microsoft branding with small errors
- Messages received through WhatsApp/SMS instead of official channels
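As an added example (not part of this page or of BharatSecure's own tooling), the Python check below applies the red flags listed above to the two sample lures quoted in the Real Examples section; the Microsoft domain allowlist, the lure phrases, and the benign comparison message are assumptions chosen for illustration.

```python
import re
from typing import List
from urllib.parse import urlparse

# Domains on which a genuine Microsoft sign-in completes (subdomains included).
# Assumption: an illustrative allowlist; maintain it from Microsoft's documentation.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Lure wording taken from the sample messages on this page.
LURE_RE = re.compile(r"device verification|unusual sign-in|enter the code|verify", re.IGNORECASE)
# Generic hosting providers the page lists as a red flag when they appear in the URL.
HOSTING_RE = re.compile(r"cloudflare|railway", re.IGNORECASE)

def is_microsoft_host(host: str) -> bool:
    """True only for an allowlisted Microsoft domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def red_flags(message: str) -> List[str]:
    """Return the red flags that a device-verification message triggers."""
    flags = []
    urls = URL_RE.findall(message)
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_microsoft_host(host):
            flags.append(f"non_microsoft_host:{host}")
            # Brand tokens inside a non-Microsoft host are the look-alike trick.
            if re.search(r"microsoft|msft|^ms-", host):
                flags.append(f"lookalike_brand:{host}")
        if parsed.scheme.lower() == "http":
            flags.append(f"plain_http:{host}")
        if HOSTING_RE.search(host):
            flags.append(f"generic_hosting:{host}")
    if urls and LURE_RE.search(message):
        flags.append("verification_lure_with_link")
    return flags

def verdict(message: str) -> str:
    """'suspicious' when any red flag fires, otherwise 'no_flags'."""
    return "suspicious" if red_flags(message) else "no_flags"

# Sample messages: the two lures quoted on this page plus one constructed benign message.
SMS_SAMPLE = ("Your Microsoft account needs device verification. "
              "Click here: http://ms-verify-device.cloudsite.in")
WHATSAPP_SAMPLE = ("Unusual sign-in detected on your Microsoft account. "
                   "Enter the code sent to your email at http://securemicrosoft-login.com")
BENIGN_SAMPLE = "Sign in to your Microsoft account at https://login.microsoftonline.com/"
```

Running `red_flags` on each sample shows both page lures tripping the non-Microsoft host, look-alike brand, plain-HTTP and verification-lure checks, while the benign message produces none.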
What To Do If You Encounter EvilTokens Device Code Phishing Scam
- Do not click any links or share personal information
- Block and report the sender immediately
- Report at cybercrime.gov.in or call 1930
- Inform your bank if financial details were shared
How to Report EvilTokens Device Code Phishing Scam in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What is EvilTokens Device Code Phishing Scam?
- A form of cyber fraud, targeting Indian organizations and individual users, in which attackers use phishing kits sold on the dark web and Telegram to steal Microsoft 365 account access by tricking victims into entering a device code on a fake Microsoft login page. It can lead to business email compromise (BEC), identity theft, and financial losses (see the overview above).
- How does EvilTokens Device Code Phishing Scam work?
- Victims receive an urgent email, SMS, or WhatsApp message asking them to verify their Microsoft account or device. The link leads to a lifelike Microsoft login page on a non-Microsoft domain where the victim is told to enter a device code; the attackers use that code to generate OAuth tokens and access the victim's email, contacts, and data without the password, often bypassing MFA (see "How It Works" above).
- How to protect yourself from EvilTokens Device Code Phishing Scam?
- Do not click any links or share personal information; block and report the sender immediately; report at cybercrime.gov.in or call 1930; inform your bank if financial details were shared.
- How to report EvilTokens Device Code Phishing Scam in India?
- Report to cybercrime.gov.in or call 1930 (National Cyber Crime Helpline). You can also contact your local police station's cyber cell.
Verify Any Suspicious Message
Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.