Why it matters: BleepingComputer reports that cybercriminals have found a way to abuse the Microsoft 365 Admin Portal to send sextortion emails that bypass spam filters: because the messages come from a legitimate Microsoft email address, they land directly in victims' inboxes.
The Exploit: The scammers use the Message Center's "Share" feature and put their extortion demand in its "Personal Message" field. According to Neowin, they use the browser's developer tools to remove the field's character limit, which lets them send lengthy threatening messages demanding Bitcoin payments.
- Messages come from a genuine Microsoft sender, so they look legitimate
- They pass the spam filtering that would normally stop sextortion email
Technical Vulnerability: The scam works because of a basic security oversight: Microsoft did not enforce the message-length limit on the server. The intended 1,000-character limit exists only in the page's HTML, so a scammer who edits those elements in the browser can submit a full extortion message, and the service accepts it and sends it.
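As an added example (hypothetical code written for this article, not Microsoft's implementation and not taken from the BleepingComputer or Neowin reports), the following Node/JavaScript snippet shows why a browser-side character limit is not a security control and what the missing server-side check on the "Personal Message" field would look like. The names `MAX_PERSONAL_MESSAGE_LENGTH`, `clientSideForm`, `validatePersonalMessage` and `handleShareRequest` are assumptions for illustration; the 1,000-character figure is the limit the article cites, and the sample inputs are constructed.

```javascript
// Added example: server-side enforcement of the "Personal Message" length limit.
// Hypothetical code for illustration, not Microsoft's implementation.

const MAX_PERSONAL_MESSAGE_LENGTH = 1000; // the limit the article cites

// Simulates the browser-side form. An HTML maxlength attribute truncates what a
// normal user can type, but anyone can remove that attribute in developer tools,
// so the server may receive a body the form never intended to allow.
function clientSideForm(message, { maxlengthRemoved = false } = {}) {
  if (maxlengthRemoved) {
    return { personalMessage: message }; // attribute stripped: no limit at all
  }
  const truncated = Array.from(message).slice(0, MAX_PERSONAL_MESSAGE_LENGTH).join("");
  return { personalMessage: truncated };
}

// Server-side validation: runs on every request, whatever the browser did.
function validatePersonalMessage(body) {
  if (typeof body !== "object" || body === null) {
    return { ok: false, error: "request body must be a JSON object" };
  }
  const msg = body.personalMessage;
  if (msg === undefined || msg === null) {
    return { ok: true, value: "" }; // the field is optional
  }
  if (typeof msg !== "string") {
    return { ok: false, error: "personalMessage must be a string" };
  }
  // Count Unicode code points rather than UTF-16 code units so the limit means
  // the same thing for emoji and other astral-plane characters as for ASCII.
  const length = Array.from(msg).length;
  if (length > MAX_PERSONAL_MESSAGE_LENGTH) {
    return {
      ok: false,
      error: `personalMessage is ${length} characters; limit is ${MAX_PERSONAL_MESSAGE_LENGTH}`,
    };
  }
  return { ok: true, value: msg };
}

// Hypothetical handler behind the Share endpoint. `sendMail` is injected so the
// example runs offline; a real handler would hand off to the mail pipeline.
function handleShareRequest(body, sendMail) {
  const result = validatePersonalMessage(body);
  if (!result.ok) {
    return { status: 400, error: result.error }; // reject before anything is sent
  }
  sendMail({ personalMessage: result.value });
  return { status: 202 };
}

// Constructed inputs: a short, normal message, and an oversized one that could
// only be submitted after stripping the client-side limit.
function demo() {
  const sent = [];
  const sendMail = (m) => sent.push(m);
  const normal = handleShareRequest(clientSideForm("Please see the linked notice."), sendMail);
  const oversized = handleShareRequest(
    clientSideForm("A".repeat(5000), { maxlengthRemoved: true }),
    sendMail
  );
  return { normal, oversized, mailsSent: sent.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the pairing is that `clientSideForm` is a usability aid and nothing more: the server never sees what the form did, only the bytes it receives, so `validatePersonalMessage` has to be the control that decides whether a 5,000-character message is sent. Counting code points rather than UTF-16 units keeps the limit consistent for non-ASCII text, which matters for an admin portal used worldwide.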
Microsoft's Response: The company has acknowledged the issue and says it is investigating, but as of the report it had not added server-side checks to prevent the abuse. "We take security and privacy very seriously," Microsoft stated, promising action to protect customers.
Impact and History: Sextortion scams have been highly profitable since they emerged in 2018, when they reportedly generated over $50,000 a week. Many users now recognise them, but because these new variants arrive through a legitimate Microsoft channel they are particularly concerning for recipients unfamiliar with the threat.