On May 28, 2025, the Central Bureau of Investigation (CBI), India’s premier federal law enforcement agency, carried out a carefully coordinated operation targeting a sprawling cyber-enabled financial fraud network.
Raids at 19 locations across India dismantled a sophisticated operation that impersonated Microsoft technical support and primarily targeted older adults in Japan.
The takedown resulted in the arrest of six key operatives, the shuttering of two illegal call centers, and the seizure of critical technical infrastructure, including computers, storage devices, digital video recorders, and phones.
This operation was the result of close cooperation between multiple international stakeholders: India’s CBI, Japan’s National Police Agency (NPA), the Japan Cybercrime Control Center (JC3), and Microsoft’s Digital Crimes Unit (DCU).
The collaboration highlights a new evolution in countering organized cybercrime, one that targets not just individual actors or call centers, but the entire technical and logistical ecosystem supporting such networks.
Technical Infrastructure and Tactics: How the Fraud Worked
The criminal enterprise operated a complex, multi-layered system designed to exploit victims via a combination of social engineering and technical manipulation.
Their approach began with the deployment of malicious pop-ups, often generated with generative artificial intelligence tools, that simulated urgent warnings and typically mimicked Microsoft Windows Defender or other branded security alerts.
These pop-ups, written mostly in Japanese, urged victims to call a fake support number or click on a fraudulent link.
Example: Malicious Pop-up Code Snippet
A typical phishing pop-up used in such campaigns might have been crafted using JavaScript as follows:
```javascript
// Opens a blank window whose name is chosen to look like a Microsoft alert
var fakeAlert = window.open("", "Microsoft Security Alert", "width=400,height=300");
// Writes the fake Japanese Defender warning and the scam phone number into it
fakeAlert.document.write(
  '<html><head><style>body{font-family:Arial, sans-serif;background:#f0f0f0;padding:20px;}</style><title>警告 - Microsoft Defender</title></head><body>' +
  '<div style="background:#fafafa;border:2px solid #ff0000;border-radius:10px;padding:20px;">' +
  '<h2 style="color:#ff0000;">警告: ウイルスが検出されました</h2>' +
  '<p>重要なセキュリティ警告です。あなたのコンピューターで有害なウイルスが検出されました。<br>' +
  '直ちにサポートセンターへお電話ください。<br><strong>番号: 0120-XXX-XXX</strong></p>' +
  '<button style="background:#0078d7;color:white;padding:10px 15px;border:none;cursor:pointer;" onclick="window.close()">閉じる</button>' +
  '</div></body></html>'
);
```
This script, when run on a compromised website, creates an official-looking pop-up warning in Japanese, instructing users to call a fake support number.
Infrastructure and Automation
The network behind this scheme was highly compartmentalized, with different groups responsible for specific aspects of the operation:
- Pop-up Creators: Used generative AI to rapidly prototype and deploy new pop-ups in multiple languages.
- Search Engine Optimizers: Ensured malicious sites appeared prominently in search results for terms like “Microsoft support number.”
- Lead Generators and Call Centers: Used lists of potential victims, sometimes scraped from public forums or purchased on underground markets.
- Technology and Logistics Providers: Supplied infrastructure, including call routing, VoIP systems, and digital devices for call center operatives.
- Payment Processors: Managed the laundering of proceeds using cryptocurrency and other anonymized payment methods.
- Talent Providers: Sourced multilingual speakers to handle calls and automate language translation.
Global Collaboration and Technical Response
The Microsoft DCU, in collaboration with JC3, provided critical intelligence that enabled the identification and disruption of the network. JC3 supplied actionable indicators for malicious pop-ups and call centers, which were integrated into Microsoft’s threat intelligence pipeline at the Microsoft Threat Intelligence Center (MSTIC). This allowed for proactive detection and takedown of malicious domains and URLs.
Since May 2024, Microsoft has taken down approximately 66,000 malicious domains and URLs globally using these indicators, integrating the intelligence into Microsoft security services to block future abuse.
Example: Identifying Malicious Indicators
Intelligence teams often identify malicious activity using indicators of compromise (IOCs) such as:
- IPv4/IPv6 addresses: Used to host fraudulent websites and call centers.
- Domain names: Fraudulent domains like support-microsoft.jp, microsoft-fix.com, etc.
- URL patterns: Used in redirects and pop-up scripts.
A sample YARA rule (used for pattern matching in threat intelligence) might look like:
```yara
rule support_scam_popup
{
    strings:
        // nocase only affects ASCII letters; the Japanese text is matched as raw UTF-8 bytes
        $popup_title = "警告: ウイルスが検出されました" nocase
        // placeholder; substitute the number actually observed in the campaign
        $support_number = "0120-XXX-XXX" wide ascii
        $microsoft = "Microsoft" wide ascii
    condition:
        all of them
}
```
This rule helps security analysts detect malicious pop-ups mimicking Microsoft security alerts in Japanese.
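As an added defender-side example (not code from the original article, Microsoft or JC3), the following Python applies the same indicators discussed in the pop-up and IOC sections above, namely the Japanese Defender warning text, the 0120 toll-free number pattern and Microsoft branding, plus the window.open/document.write structure of the pop-up snippet, to constructed sample page bodies, and checks URLs for Microsoft look-alike hosts such as support-microsoft.jp. The indicator names, regular expressions and sample pages are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page bodies for this example (not real scam infrastructure).
SCAM_PAGE = """<html><head><title>警告 - Microsoft Defender</title></head><body>
<h2>警告: ウイルスが検出されました</h2>
<p>直ちにサポートセンターへお電話ください。<strong>番号: 0120-123-456</strong></p>
<script>var w = window.open("", "alert"); w.document.write("<b>Microsoft</b>");</script>
</body></html>"""
BENIGN_PAGE = """<html><head><title>社内ポータル</title></head><body>
<p>お問い合わせ: 0120-987-654 (平日 9:00-18:00)</p></body></html>"""

# Lexical indicators mirror the YARA strings above; structural ones capture how
# the pop-up snippet builds itself. All patterns are assumed for this example.
LEXICAL = {
    "fake_defender_warning": re.compile(r"ウイルスが検出されました"),
    "urgent_call_instruction": re.compile(r"お電話ください|サポートセンター"),
    "jp_tollfree_number": re.compile(r"0120-\d{3}-\d{3,4}"),
    "microsoft_branding": re.compile(r"microsoft", re.IGNORECASE),
}
STRUCTURAL = {
    "self_spawned_window": re.compile(r"window\.open\s*\("),
    "dynamic_popup_body": re.compile(r"document\.write\s*\("),
}
# Like the rule's 'all of them': a verdict needs the full lexical core, so a
# legitimate Japanese support page that merely lists a 0120 number stays clean.
CORE = {"fake_defender_warning", "jp_tollfree_number", "microsoft_branding"}


def score_page(html: str) -> dict:
    """Return the matched indicator names and a verdict for one page body."""
    hits = [n for n, rx in LEXICAL.items() if rx.search(html)]
    hits += [n for n, rx in STRUCTURAL.items() if rx.search(html)]
    verdict = "support_scam_popup" if CORE.issubset(hits) else "clean"
    return {"indicators": hits, "verdict": verdict}


def is_lookalike_microsoft_host(url: str) -> bool:
    """Flag hosts that carry the Microsoft name but are not under microsoft.com."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host == "microsoft.com" or host.endswith(".microsoft.com"):
        return False
    return "microsoft" in host.replace("-", "")


if __name__ == "__main__":
    for label, page in (("scam", SCAM_PAGE), ("benign", BENIGN_PAGE)):
        print(label, score_page(page))
    for u in ("https://support-microsoft.jp/alert", "https://www.microsoft.com/ja-jp/"):
        print(u, is_lookalike_microsoft_host(u))
```

Feed it page bodies captured by a crawler or proxy; the per-indicator hit list is what an analyst would pivot on when a verdict is borderline.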
Evolving Threats and Ongoing Commitment
The evolution of cybercrime-as-a-service has enabled increasingly sophisticated fraud operations, with cybercriminals leveraging generative AI to automate victim identification, pop-up creation, and language translation. This has allowed the rapid targeting of new demographics, especially older adults who are less familiar with digital threats.
According to the FBI’s Internet Crime Complaint Center, tech support fraud was the top reported crime for Americans over 60 in 2023, with nearly $590 million in losses. In Japan, the Global Anti-Scam Alliance found that most scams target adults over 45, a trend consistent with this operation.
Microsoft’s DCU and its partners are committed to disrupting criminal networks from the top down, targeting the technical infrastructure and financial backbones of these operations.
With ongoing collaboration, advanced analytics, and artificial intelligence, law enforcement and private sector partners are better equipped to protect the most vulnerable from the evolving threat landscape.
Key Takeaways for the Public
- Microsoft will never send unsolicited messages or make unsolicited calls asking for personal or financial information.
- Report suspected tech support scams via Microsoft’s official reporting tool: microsoft.com/reportascam.
- Stay informed and cautious: Verify support requests through official channels before taking action.
The recent operation in India is a powerful example of how international collaboration and technical innovation are essential for meaningful cybercrime disruption.
As criminals continue to evolve their tactics, the global community must remain vigilant, adaptive, and united in its efforts to safeguard digital citizens worldwide.