EvilTokens Microsoft 365 Device Code Phishing

Verdict: Suspicious | Risk Score: 9/10 | Severity: critical

Category: WhatsApp, Phishing

How EvilTokens Microsoft 365 Device Code Phishing Works

Overview: EvilTokens is a sophisticated phishing scam targeting Indian businesses and individual professionals who use Microsoft 365 services. The scam exploits device code authentication, enabling criminals to hijack email accounts even after multi-factor authentication (MFA) is used. This is particularly dangerous as attackers gain full control over inboxes, allowing them to launch business email compromise (BEC) scams and further fraud. Both IT workers and non-technical staff are being targeted across metros and growing tech hubs.

How It Works:

  1. Attackers purchase the EvilTokens kit, which automates phishing attacks using device code authorization.
  2. Victims are lured through fake emails, SMS, or WhatsApp messages urging them to verify or update their Microsoft 365 account for 'security reasons' or new policy compliance.
  3. Clicking the provided link redirects the target to a convincing fake Microsoft login page.
  4. The page instructs the victim to enter their credentials and MFA device code, which is immediately captured by the scammer.
  5. Attackers gain access to the victim's email, bypassing MFA security, and use the account for internal scams or resell the credentials on the dark web.

India Angle: Scammers adapt the lure for Indian organisations, using regional branding (like Indian company logos) and sending messages in English, Hindi, and local languages. The attacks are common in cities with growing tech industries such as Bengaluru, Hyderabad, Mumbai, and Delhi. Platforms like WhatsApp and popular Indian email providers are often used as entry points.

Real Examples:

  • Email: "Your Microsoft 365 account will be suspended. Please verify your login to continue services."
  • SMS: "Action Required: Confirm your Office 365 device access with your secure code here (suspicious link)."
  • WhatsApp: "Admin: New office policy on logins, click below to reset your Microsoft password."

Red Flags:

  1. Messages with urgent warnings about account suspension.
  2. Links that look similar to Microsoft URLs but aren't official (.microsoft.com).
  3. Requests to enter both password and a device/MFA code in a single step.
  4. Poor grammar or slightly altered sender addresses.
  5. Unusual login prompts via WhatsApp or SMS.

Protective Measures:

  • Only log in to Microsoft 365 accounts on official portals ending with .microsoft.com or .live.com.
  • Never share authentication codes or passwords via email, SMS, or messaging apps.
  • Enable hardware-based MFA where possible.
  • Regularly monitor account activity for unusual logins and immediately change your password if suspected.
  • Inform your IT/security team and colleagues to build awareness within your organisation.

If Victimised:

  • Do not panic. Immediately change your Microsoft 365 password from another secured device.
  • Inform your organisation’s IT/security team about the breach.
  • File a complaint via the cybercrime.gov.in portal and call the national cyber fraud helpline 1930.
  • If money is lost, alert your bank and the RBI as soon as possible.

Related Scams:

  • Business Email Compromise (BEC) using hijacked Microsoft accounts.
  • Phishing attacks targeting bank credentials via convincing login pages.
  • WhatsApp-based verification code scams.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does EvilTokens Microsoft 365 Device Code Phishing Target?

General public across India

Red Flags — How to Identify EvilTokens Microsoft 365 Device Code Phishing

  • Urgent messages about Microsoft 365 account suspension
  • Suspicious links not ending with .microsoft.com
  • Requests for both password and device/MFA code
  • Generic or slightly-off sender email addresses
  • Login prompts arriving via WhatsApp or SMS
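
The link red flag above can be checked mechanically. The following is an added example, not BharatSecure's code: it tests whether a link's real host is one of the official domains this page names (.microsoft.com, .live.com). The function name and every sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Suffixes this page names as official; extend to match your organisation's policy.
OFFICIAL_SUFFIXES = ("microsoft.com", "live.com")


def is_official_microsoft_link(url: str) -> bool:
    """True only if the URL's real host is an official domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # strips any "user@" prefix and the port
    except ValueError:
        return False  # malformed URL: treat as untrusted
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # Non-ASCII or punycode labels can render as look-alike letters: reject them.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    # Match on a label boundary, never on a plain substring.
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


# Constructed sample links (not taken from real campaigns).
SAMPLES = [
    "https://login.microsoft.com/",                # official subdomain
    "https://account.live.com/",                   # official subdomain
    "https://microsoft.com.verify-login.example/", # official name used as a prefix
    "https://login-microsoft.com/",                # hyphenated look-alike
    "https://login.microsoft.com@evil.example/",   # real host is evil.example
    "https://mi\u0441rosoft.com/",                 # Cyrillic letter in place of "c"
    "http://www.microsoft.com/",                   # not HTTPS
]

if __name__ == "__main__":
    for link in SAMPLES:
        print("official  " if is_official_microsoft_link(link) else "SUSPICIOUS", link)
```
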

What To Do If You Encounter EvilTokens Microsoft 365 Device Code Phishing

  1. Do not click any links or share personal information
  2. Block and report the sender immediately
  3. Report at cybercrime.gov.in or call 1930
  4. Inform your bank if financial details were shared

How to Report EvilTokens Microsoft 365 Device Code Phishing in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

How to protect yourself from EvilTokens Microsoft 365 Device Code Phishing?
  1. Do not click any links or share personal information
  2. Block and report the sender immediately
  3. Report at cybercrime.gov.in or call 1930
  4. Inform your bank if financial details were shared
How to report EvilTokens Microsoft 365 Device Code Phishing in India?
Report to cybercrime.gov.in or call 1930 (National Cyber Crime Helpline). You can also contact your local police station's cyber cell.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.