Scammers Exploit Microsoft 365 to Send Sextortion Emails

Microsoft 365 Message Center exploited for sextortion scam, allowing criminals to send threatening emails through legitimate Microsoft channels while bypassing security filters.
By Al Landes

Image credit: Wikimedia

Key Takeaways

  • Microsoft investigates critical 365 Admin Portal vulnerability, urging swift action to protect user security.
  • Scammers exploit legitimate Microsoft 365 features, bypassing security measures to target unsuspecting users.
  • Users warned to stay vigilant as sophisticated email threats bypass traditional security defenses effortlessly.

Why it matters: BleepingComputer reports that cybercriminals have discovered a way to abuse the Microsoft 365 Admin Portal to send sextortion emails that bypass spam filters, exploiting a legitimate Microsoft email address to reach victims’ inboxes directly.

The Exploit: The scammers leverage the Message Center’s “Share” feature, manipulating the “Personal Message” field to send extortion demands. According to Neowin, using browser developer tools, they bypass character limits to send lengthy threatening messages demanding Bitcoin payments.

  • Messages appear legitimate
  • Bypass standard security
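Because the extortion text rides inside a notification from a legitimate vendor address, a sender-reputation filter alone will not catch it. The following is an added example, not code from the article or from Microsoft: a mail-gateway style check that scores the user-controlled free-text portion of such a notification on its own merits (length beyond the UI limit the article describes, a Bitcoin address, extortion vocabulary). The vendor sender address, the field-extraction step and both sample emails are constructed placeholders.

```python
"""Added example (not from the article or Microsoft): flag vendor
notification emails whose free-text "personal message" looks like an
extortion demand, regardless of how trusted the envelope sender is."""
import re
from dataclasses import dataclass

# Assumption: the gateway knows which vendor notification senders relay
# user-controlled free text. Placeholder address, not Microsoft's real one.
VENDOR_SENDERS_WITH_FREE_TEXT = {"notifications@vendor.example"}

# The article says the UI enforces a 1,000-character limit on the field;
# anything longer implies the client-side check was bypassed.
UI_PERSONAL_MESSAGE_LIMIT = 1000

# Legacy (1/3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
EXTORTION_TERMS = ("bitcoin", "webcam", "pay within", "hours", "private video")


@dataclass
class Email:
    sender: str
    subject: str
    personal_message: str  # free-text field already extracted from the body


def extortion_score(email: Email) -> tuple[int, list[str]]:
    """Return (score, reasons); each independent indicator adds one point."""
    reasons = []
    text = email.personal_message.lower()

    if (email.sender in VENDOR_SENDERS_WITH_FREE_TEXT
            and len(email.personal_message) > UI_PERSONAL_MESSAGE_LIMIT):
        reasons.append("free-text field exceeds UI limit (client-side check bypassed)")
    if BTC_ADDRESS.search(email.personal_message):
        reasons.append("bitcoin address present")
    hits = [t for t in EXTORTION_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append(f"extortion vocabulary: {hits}")
    return len(reasons), reasons


def classify(email: Email) -> str:
    """Quarantine when two or more independent indicators fire."""
    score, _ = extortion_score(email)
    return "quarantine" if score >= 2 else "deliver"


# Constructed samples: a normal share and an oversized extortion demand
# (the Bitcoin address is a made-up string in the bech32 shape).
BENIGN = Email(
    sender="notifications@vendor.example",
    subject="Admin shared a message center post with you",
    personal_message="Please review the upcoming change to meeting policies.",
)
MALICIOUS = Email(
    sender="notifications@vendor.example",
    subject="Admin shared a message center post with you",
    personal_message=(
        "I recorded you through your webcam. Send 0.5 bitcoin to "
        "bc1qexampleconstructedaddress0000000000 within 48 hours or the "
        "video goes to your contacts. "
    ) * 12,
)

if __name__ == "__main__":
    for mail in (BENIGN, MALICIOUS):
        print(classify(mail), extortion_score(mail)[1])
```

The scoring deliberately ignores sender reputation: the point of the scam is that the sender is genuine, so the signal has to come from the relayed text itself.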

Technical Vulnerability: The scam succeeds through a basic security oversight – Microsoft’s failure to implement server-side checks on message length. By modifying HTML elements in their browser, scammers can exceed the intended 1,000-character limit, allowing full extortion messages to be sent through the system.
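The oversight described here is a general one: a length limit enforced only by an HTML attribute disappears the moment the user edits the page. The following added example (not Microsoft's code and not the real Admin Portal API) shows the server-side counterpart: the handler re-validates the field on every request and rejects anything over the 1,000-character limit the article cites, so a tampered form gains nothing. The handler name, form layout and sample requests are hypothetical.

```python
"""Added example (not Microsoft's code): server-side enforcement of a
free-text length limit. The client-side maxlength is only a usability
hint; the service must re-check every request."""
import unicodedata

PERSONAL_MESSAGE_LIMIT = 1000  # limit the article says the UI enforces


class ValidationError(ValueError):
    pass


def validate_personal_message(raw: str, limit: int = PERSONAL_MESSAGE_LIMIT) -> str:
    """Return the cleaned message or raise ValidationError if it is too long."""
    if not isinstance(raw, str):
        raise ValidationError("personal_message must be a string")
    # Normalize to NFC first so decomposed characters (e + combining accent)
    # are counted the same way the browser's character counter shows them.
    text = unicodedata.normalize("NFC", raw).strip()
    # Count code points, not UTF-8 bytes, to match the UI's notion of "characters".
    if len(text) > limit:
        raise ValidationError(
            f"personal_message exceeds {limit} characters ({len(text)})"
        )
    return text


def handle_share_request(form: dict) -> dict:
    """Hypothetical request handler; returns an HTTP-like status dict."""
    try:
        message = validate_personal_message(form.get("personal_message", ""))
    except ValidationError as exc:
        # A submission over the UI limit can only come from a modified client;
        # a real service would also log the tenant and account for follow-up.
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "queued_message_length": len(message)}


# Constructed requests: what an unmodified browser sends, and what a client
# with the maxlength attribute removed can send.
NORMAL_FORM = {"personal_message": "Please review the attached service change."}
TAMPERED_FORM = {"personal_message": "A" * 1001}

if __name__ == "__main__":
    print(handle_share_request(NORMAL_FORM))   # status 200
    print(handle_share_request(TAMPERED_FORM)) # status 400
```

Normalizing before counting matters in both directions: without it, a 1,000-character message typed on a keyboard that emits decomposed accents could be wrongly rejected, and the counter the user sees would not match what the server measures.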

Microsoft’s Response: The company acknowledges the issue and says it is investigating, but has yet to implement server-side checks to prevent the abuse. “We take security and privacy very seriously,” Microsoft stated, promising action to protect customers.

Impact and History: Sextortion scams have proven highly profitable since their emergence in 2018, when they reportedly generated over $50,000 weekly. While many users now recognize these scams, the abuse of legitimate Microsoft channels makes these new variants particularly concerning for those unfamiliar with such threats.
