Microsoft 365 Token Theft via Phishing Kits

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 9/10 | Severity: critical

Category: UPI, WhatsApp, Phishing

How Microsoft 365 Token Theft via Phishing Kits Works

Overview: In this scam, cybercriminals target Indian professionals and businesses with ready-made phishing kits built to steal Microsoft 365 OAuth tokens and session cookies. Because the token is issued only after the victim has completed the sign-in, including multi-factor authentication, whoever holds it is not challenged again: replaying it bypasses MFA and gives ongoing access to cloud email, files and apps. The scam has grown as 'phishing-as-a-service' kits are sold on dark web forums and Telegram, so less-skilled criminals can run the attack. It endangers confidential business data and personal accounts, with potential data leaks, reputational damage and financial harm.

How It Works: Attackers send emails or messages that appear legitimate, often mimicking Microsoft 365 support or security alerts, and direct the victim to a page that looks exactly like the official Microsoft login. The kits use three variants of the lure. In the reverse-proxy (adversary-in-the-middle) variant, the fake page relays the victim's password and MFA response to the real Microsoft login and copies the session token that comes back. In the device-code variant, the message tells the victim to enter a short code on Microsoft's genuine device-login page; the attacker's own client requested that code, so Microsoft delivers the access and refresh tokens to the attacker. In the consent variant, the victim is asked to approve permissions (mail, files, "maintain access to data") for an app the attacker controls, and Microsoft issues that app a refresh token. In every case the attacker ends up holding a credential rather than a password: an access token keeps working until it expires, and an app consent persists until it is removed, so access can outlive a password change unless sessions and permissions are revoked as well.

India Angle: In India, this scam spreads through WhatsApp shares, phishing emails mimicking Indian organisations, and fake SMS alerts. All regions and metropolitan cities with a large corporate workforce are at risk. The scam especially targets professionals, startups and small businesses using Microsoft 365. Attackers use templates featuring Indian brands and social engineering in English and Hindi to increase trust.

Real Examples:
  1. A Bengaluru IT employee receives an email: "Action Required: Verify your Microsoft 365 account for compliance. Click to proceed."
  2. A Chennai startup founder gets a WhatsApp link from a 'colleague' urging urgent login to access a shared document.
  3. A Mumbai business gets a fake SMS: "Security alert: Unusual login. Verify at ms365auth.support/in."
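The device-code variant described above is easiest to understand by watching the three parties exchange messages. The following is an added example, not code from the BharatSecure page: it simulates the OAuth 2.0 device authorization flow (RFC 8628) in-process with a toy authorization server, an attacker client and a victim. The host auth.example, the user names and the scopes are constructed; no real Microsoft endpoint is contacted (for orientation, the real ones are the tenant's /oauth2/v2.0/devicecode endpoint on login.microsoftonline.com and the verification page microsoft.com/devicelogin).

```python
"""Toy model of the OAuth 2.0 device authorization flow (RFC 8628) and how a
phishing kit abuses it. Added example; not code from the BharatSecure page.
Everything here (server, client, user names, the auth.example host) is
simulated in-process with constructed data; no real endpoint is contacted."""
import secrets
import time


class DeviceCodeServer:
    """Simulated authorization server; tokens are random strings."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, used by the expiry test
        self.pending = {}              # device_code -> request record
        self.by_user_code = {}         # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the ATTACKER's client asks for a device code and a short user code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "approved_by": None,
                                     "expires_at": self.now() + 900}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example/devicelogin",  # assumed host
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code, username, mfa_passed):
        """Step 2: the VICTIM, on the genuine verification page, types the code
        from the lure and completes password + MFA. Nothing on this page shows
        that the code was requested by somebody else's client."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return "invalid_code"
        rec = self.pending[device_code]
        if self.now() > rec["expires_at"]:
            return "expired_token"
        if not mfa_passed:
            return "mfa_required"
        rec["approved_by"] = username
        return "approved"

    def poll_token(self, device_code):
        """Step 3: the ATTACKER polls. After approval the tokens go to the client
        that requested the code, not to the browser that signed in."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now() > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]                 # a device code is single-use
        del self.by_user_code[rec["user_code"]]
        return {"access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),   # long-lived
                "scope": rec["scope"], "subject": rec["approved_by"],
                "mfa_satisfied": True}   # the MFA claim travels with the token


def run_phish(server, victim="priya@example.in"):
    """Walk the three steps and return what each side sees."""
    # The kit requests a code with scopes a mail client would ask for, so the
    # consent text the victim sees looks ordinary.
    req = server.device_authorization(client_id="mail-client",
                                      scope="Mail.Read Files.Read offline_access")
    before = server.poll_token(req["device_code"])            # still pending
    # Lure: "Enter code {user_code} at {verification_uri} to verify your account"
    victim_sees = server.user_approves(req["user_code"], victim, mfa_passed=True)
    token = server.poll_token(req["device_code"])            # attacker now holds it
    replay = server.poll_token(req["device_code"])           # code cannot be reused
    return {"before": before, "victim_sees": victim_sees, "token": token, "replay": replay}


if __name__ == "__main__":
    out = run_phish(DeviceCodeServer())
    print(out["before"], out["victim_sees"])          # {'error': 'authorization_pending'} approved
    print(out["token"]["subject"], out["token"]["scope"], out["token"]["mfa_satisfied"])
```

The point the simulation makes is that the victim never types a password into anything fake: the verification page is genuine and MFA genuinely succeeds, yet the refresh token is delivered to whichever client asked for the code. That is why the defence is to distrust the code, not the page, and why revoking sessions (not only changing the password) is what ends the attacker's access.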
Red Flags:
  • Messages containing urgent security alerts or device verification links
  • Login pages that ask for unusual permissions or repeated authentication
  • Links that redirect to domains slightly different from actual Microsoft URLs
  • Login requests received via WhatsApp, SMS, or unofficial channels
  • Requests to approve OAuth permissions you don't recognise

Protective Measures:
  • Always check the URL before entering Microsoft credentials; use a bookmark or type the address directly
  • Ask your administrator to enforce Conditional Access (phishing-resistant MFA such as FIDO2 security keys or passkeys, and blocking the device code flow for users who do not need it) and to restrict which apps users may consent to
  • Educate team members about OAuth consent phishing and device-code lures
  • Don't click on account or device verification links in unsolicited messages
  • Use official Microsoft mobile or desktop apps when possible

If Victimised:
  • Immediately revoke any OAuth permissions you do not recognise in your Microsoft 365 account
  • Ask your IT administrator to revoke all sign-in sessions and refresh tokens for the account; a password change on its own leaves existing access tokens and app consents in place
  • Change the account password without delay
  • Review account activity for suspicious sign-ins or token usage: unfamiliar locations, devices, user agents or apps
  • Report the incident to Cyber Crime Helpline 1930 and cybercrime.gov.in

Related Scams:
  • Reverse-proxy phishing for Google or Facebook login
  • UPI frauds using account reset links
  • Cloud storage (OneDrive/SharePoint) sharing lures
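"Review account activity for suspicious sign-ins or token usage" is easier with a concrete set of rules. The following is an added example, not code from the BharatSecure page: it triages sign-in records shaped like the Microsoft Graph `signIn` resource and consent grants shaped like `oauth2PermissionGrant` (those field names are real Graph fields), flagging device-code sign-ins, non-interactive sign-ins from an address that never authenticated interactively (a replayed token), rapid country changes, and user-level consents to unapproved apps holding mailbox, file or offline_access scopes. Every user, address, app, id and the allowlist of approved clients are constructed.

```python
"""Triage Entra ID sign-in records and OAuth consent grants for token theft.
Added example; not code from the BharatSecure page. The record shapes follow
the Microsoft Graph `signIn` and `oauth2PermissionGrant` resources (those
field names are real); every user, address, app and id below is constructed.
Feed it the JSON you export from GET /auditLogs/signIns and
GET /oauth2PermissionGrants for the affected user."""
from collections import defaultdict
from datetime import datetime, timedelta


def rec(ts, upn, ip, country, app, proto, interactive, ua, mfa=True, error=0):
    """Build a minimal signIn-shaped record (helper for the constructed sample)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "appDisplayName": app,
            "authenticationProtocol": proto, "isInteractive": interactive,
            "authenticationRequirement": "multiFactorAuthentication" if mfa
            else "singleFactorAuthentication",
            "userAgent": ua, "status": {"errorCode": error}}


SIGNINS = [  # constructed: Priya signs in normally, is phished, then her token is replayed
    rec("2024-06-03T09:02:00Z", "priya@example.in", "49.37.0.10", "IN",
        "Office 365 Exchange Online", "oAuth2", True, "Edge/124"),
    # the kit requested a device code; Priya typed it in on the genuine page
    rec("2024-06-03T11:15:00Z", "priya@example.in", "49.37.0.10", "IN",
        "Microsoft Office", "deviceCode", True, "Edge/124"),
    # stolen token used from the attacker's host: no password, no MFA prompt
    rec("2024-06-03T11:21:00Z", "priya@example.in", "185.220.1.5", "NL",
        "Microsoft Office", "none", False, "python-requests/2.31", mfa=False),
    # Rahul: an ordinary silent token refresh from his usual address
    rec("2024-06-03T08:00:00Z", "rahul@example.in", "103.21.5.8", "IN",
        "Microsoft Teams", "oAuth2", True, "Teams/1.6"),
    rec("2024-06-03T11:30:00Z", "rahul@example.in", "103.21.5.8", "IN",
        "Microsoft Teams", "none", False, "Teams/1.6", mfa=False),
]
TRAVEL_WINDOW = timedelta(hours=2)


def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def triage(signins, window=TRAVEL_WINDOW):
    """Return (upn, rule, detail) findings, grouped per user in time order.
    Rules: a device-code sign-in; a non-interactive sign-in from an address
    that never authenticated interactively (token replay); a change of
    country between two successes inside `window`."""
    findings, by_user = [], defaultdict(list)
    for r in signins:
        if r["status"]["errorCode"] == 0:            # only successful sign-ins
            by_user[r["userPrincipalName"]].append(r)
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        interactive_ips = {r["ipAddress"] for r in recs if r["isInteractive"]}
        prev = None
        for r in recs:
            if r["authenticationProtocol"] == "deviceCode":
                findings.append((upn, "device_code_signin",
                                 "%s from %s" % (r["appDisplayName"], r["ipAddress"])))
            if not r["isInteractive"] and r["ipAddress"] not in interactive_ips:
                findings.append((upn, "token_replay", "%s (%s) never authenticated interactively"
                                 % (r["ipAddress"], r["userAgent"])))
            if prev is not None and _ts(r) - _ts(prev) <= window and \
                    prev["location"]["countryOrRegion"] != r["location"]["countryOrRegion"]:
                findings.append((upn, "country_change", "%s -> %s within %s" % (
                    prev["location"]["countryOrRegion"], r["location"]["countryOrRegion"],
                    _ts(r) - _ts(prev))))
            prev = r
    return findings


def users_to_contain(findings):
    """Users whose sessions should be revoked (POST /users/{upn}/revokeSignInSessions)."""
    return sorted({upn for upn, _, _ in findings})


GRANTS = [  # constructed oauth2PermissionGrant records; clientId = service principal id
    {"id": "g1", "clientId": "sp-outlook", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.ReadWrite offline_access"},
    {"id": "g2", "clientId": "sp-pdf-helper", "consentType": "Principal",
     "principalId": "priya-oid", "scope": "Mail.Read offline_access Files.Read.All"},
    {"id": "g3", "clientId": "sp-timesheet", "consentType": "Principal",
     "principalId": "rahul-oid", "scope": "User.Read"},
]
APPROVED_CLIENTS = {"sp-outlook", "sp-timesheet"}          # assumed tenant allowlist
HIGH_IMPACT_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                      "Files.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}


def risky_consents(grants, approved=APPROVED_CLIENTS):
    """User-level consents to unapproved apps that hold mailbox, file or refresh
    (offline_access) scopes; each hit is a candidate for DELETE /oauth2PermissionGrants/{id}."""
    hits = []
    for g in grants:
        if g["consentType"] != "Principal" or g["clientId"] in approved:
            continue
        bad = sorted(HIGH_IMPACT_SCOPES & set(g["scope"].split()))
        if bad:
            hits.append((g["principalId"], g["clientId"], g["id"], bad))
    return hits


if __name__ == "__main__":
    for f in triage(SIGNINS):
        print(*f)
    print("contain:", users_to_contain(triage(SIGNINS)))
    print("revoke consents:", risky_consents(GRANTS))
```

On the constructed sample the script flags only Priya: the device-code sign-in, the replay from 185.220.1.5 with a non-browser user agent, and the IN to NL jump six minutes later; Rahul's silent Teams refresh from his usual address produces nothing. The "token_replay" rule deliberately keys on the address never having done an interactive sign-in, because a replayed token produces a successful non-interactive entry with no MFA prompt, which is exactly what a stolen session looks like in the logs.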

How This Scam Works — Detailed Explanation

Cybercriminals are increasingly targeting Indian professionals and businesses with sophisticated phishing kits built specifically to steal Microsoft 365 OAuth tokens. In India, services such as UPI and Aadhaar, widely used for payments and identity verification, have also become lucrative targets. Scammers market these 'phishing-as-a-service' kits on dark web platforms and Telegram, greatly lowering the barrier to entry for less-skilled criminals. By reaching out with urgent emails or by impersonating trusted sources, they entice their targets into the trap.

The attackers rely on psychological pressure. A typical email claims to be from Microsoft and warns of suspicious activity on the account; under that urgency, victims act quickly and overlook red flags. The message then directs them to a counterfeit Microsoft login page hosted on a look-alike domain. Because WhatsApp is so widely used in India, scammers often follow up by SMS or instant message to reinforce the sense of legitimacy and keep the victim in a cycle of fear and urgency.

How the kit captures the token depends on the variant. On a reverse-proxy page, the credentials the victim types are forwarded to Microsoft in real time, so the sign-in, including MFA, genuinely succeeds, and the kit copies the session token that Microsoft returns; in the device-code and consent variants the attacker never needs the password at all. Holding the token, the attackers bypass multi-factor authentication and tap into cloud email, files and apps to run further scams or financial fraud. A victim may lose access to business email, with critical communication lost, or colleagues may be baited into fraudulent payment requests sent from the legitimate mailbox through the organisation's normal approval process. Such cases have led to financial loss and distress for many individuals.

The real-world impact of Microsoft 365 token theft scams in India is considerable. According to the Ministry of Home Affairs, reported cybercrime losses have exceeded ₹20,000 crore over the last few years. The Reserve Bank of India has issued specific guidelines warning users against phishing attempts that target credentials, emphasising the importance of securing online identities. CERT-In advisories point to a rise in attacks on various sectors, particularly IT and finance, leaving professionals who depend on digital tools increasingly anxious.

To tell this scam apart from legitimate communication, stay vigilant. Genuine Microsoft security emails come from Microsoft's own domains, while phishing emails often carry slight misspellings or unusual domain names. Be wary of urgent requests to verify your account by entering a device code, and of sign-in or permission prompts you did not initiate. Note that Microsoft's device-login page is itself genuine; the warning sign is that the code was sent to you by someone else. If a message prompts you to sign in to your Microsoft account or to provide personal data through a suspicious-looking site, that is a classic red flag. Always verify with official sources, or reach customer support through a channel you already trust, before taking any action that could compromise your data.


Who Does Microsoft 365 Token Theft via Phishing Kits Target?

Professionals, startups and small businesses that use Microsoft 365, as well as the general public across India

Red Flags — How to Identify Microsoft 365 Token Theft via Phishing Kits

  • Urgent emails or messages asking you to enter a device code to "verify" your account
  • Microsoft login pages on non-official domains
  • Login consent requests for unfamiliar permissions or apps
  • Account alerts arriving by SMS or WhatsApp
  • Requests to sign in again on suspicious-looking sites
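"Microsoft login pages on non-official domains" is the one red flag a script can check mechanically. The following is an added example, not code from the BharatSecure page: it takes a link from a message and reports whether it really points at a Microsoft sign-in host, catching the common tricks (a Microsoft host name used as a subdomain prefix or as user-info before an "@", the name tucked into a path or query, internationalised homoglyph hosts, plain http, and brand keywords such as ms365 on an unrelated domain). The MICROSOFT_SIGNIN_HOSTS allowlist is an assumption of the author's, not an official list; extend it for sovereign clouds or a tenant's own branded domains.

```python
"""Decide whether a link really points at a Microsoft sign-in host.
Added example; not code from the BharatSecure page. MICROSOFT_SIGNIN_HOSTS is
an assumed allowlist (public Microsoft sign-in hosts), not an official list:
extend it for sovereign clouds or a tenant's own branded domains."""
from urllib.parse import urlsplit

MICROSOFT_SIGNIN_HOSTS = {           # assumed allowlist, exact host matches only
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "microsoft.com",                 # microsoft.com/devicelogin
    "www.microsoft.com",
}
BRAND_WORDS = ("microsoft", "ms365", "m365", "office365", "o365", "onedrive", "sharepoint")


def check_signin_url(url):
    """Return {'ok': bool, 'host': str, 'reasons': [str]}.
    'ok' is True only for https plus an exact allowlisted host; every other
    outcome lists the tricks that were spotted so the message can be explained."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % (parts.scheme or "missing"))
    if not host:
        reasons.append("no host in URL")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ -> real host is evil.example
        reasons.append("text before '@' is user-info, not the host")
    try:
        ascii_host = host.encode("idna").decode("ascii")   # punycode for IDN labels
    except UnicodeError:
        ascii_host = host
        reasons.append("host is not a valid internationalised name")
    if "xn--" in ascii_host:
        reasons.append("internationalised host (%s): possible homoglyph" % ascii_host)
    if ascii_host in MICROSOFT_SIGNIN_HOSTS:
        return {"ok": not reasons, "host": ascii_host, "reasons": reasons}
    # Not an allowlisted host: explain which lure pattern it matches.
    for real in MICROSOFT_SIGNIN_HOSTS:
        if ascii_host.startswith(real + "."):
            reasons.append("Microsoft host name used as a subdomain prefix of %s"
                           % ascii_host[len(real) + 1:])
            break
    tail = (parts.path + "?" + parts.query).lower()
    if any(real in tail for real in MICROSOFT_SIGNIN_HOSTS):
        reasons.append("Microsoft host name appears in the path or query, not as the host")
    if any(word in ascii_host.replace("-", "").replace(".", "") for word in BRAND_WORDS):
        reasons.append("host %s contains a Microsoft-like keyword but is not a Microsoft host"
                       % ascii_host)
    if host and not reasons:
        reasons.append("host %s is not an allowlisted sign-in host" % ascii_host)
    return {"ok": False, "host": ascii_host, "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                 "ms365auth.support/in",                      # the SMS lure from this page
                 "https://login.microsoftonline.com@evil.example/",
                 "https://login.microsoftonline.com.verify-account.example/"):
        print(link, "->", check_signin_url(link))
```

Only an exact allowlisted host over https passes. Subdomains of the real hosts are rejected on purpose: a reverse-proxy kit can put login.microsoftonline.com at the front of its own domain, and a user (or a naive substring check) reads no further than that.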

What To Do If You Encounter Microsoft 365 Token Theft via Phishing Kits

  1. Report the incident immediately at 1930 or visit cybercrime.gov.in for assistance.
  2. Contact your bank's fraud prevention helpline such as SBI at 1800-11-1109 or HDFC at 1800-202-6161.
  3. Change your Microsoft 365 password to a strong, unique one and have your administrator revoke all active sessions, refresh tokens and any app permissions you do not recognise; a password change alone can leave a stolen token or an app consent usable.
  4. Enable multi-factor authentication on your Microsoft account without delay, preferring a phishing-resistant method (FIDO2 security key or passkey) over SMS or app codes, which the reverse-proxy kits relay.
  5. Monitor your bank statements for any unauthorized transactions and act promptly.
  6. Educate your team members about phishing threats and preventive best practices.

How to Report Microsoft 365 Token Theft via Phishing Kits in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my token information in a phishing scam?
Immediately change your Microsoft account password, ask your administrator to revoke all sign-in sessions and any unfamiliar app permissions, and report the incident at cybercrime.gov.in or call 1930.
How can I identify if an email is a phishing attempt?
Look for misspellings in the sender address, urgent prompts to verify your account, and links that lead anywhere other than Microsoft's own sign-in domains; a genuine alert never requires you to enter a code or sign in through a link sent in the message.
How do I report this type of scam in India?
You can report phishing scams by calling 1930, visiting cybercrime.gov.in, or contacting your bank's customer service.
What steps can I take to secure my account after a scam?
Change your password, have sessions and unfamiliar app permissions revoked, enable multi-factor authentication and monitor your account activity for suspicious sign-ins or transactions.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.