
Microsoft 365 Admin Portal Exploited for Sextortion Scams: Here’s What You Need to Know

2024-11-18

Author: Jacob

What is sextortion?

Sextortion poses a serious threat to personal security, where scammers claim to have hacked into your device and obtained explicit images or videos. They typically demand a ransom between $500 to $5,000, threatening to share the so-called explicit material with your friends and family if you refuse to pay.

Though one would assume that savvy internet users would steer clear of such schemes, these scams have proven unexpectedly lucrative. Since their emergence in 2018, sextortion emails have raked in a staggering $50,000 weekly. Even today, many individuals continue to reach out for help after receiving these unsettling messages.

Scammers have progressively refined their tactics, crafting various extortion email templates. Some falsely claim to have caught a spouse cheating, while others include alarming details such as images of the victim’s home to induce fear, compelling the target to comply and pay in untraceable Bitcoin.

A New Twist: Using Microsoft 365 for Deceit

In the last week, numerous reports have emerged across platforms like LinkedIn, X, and Microsoft Answers, where recipients noted receiving sextortion emails through the legitimate Microsoft 365 Message Center, a notable bypass of conventional spam filters. Edwin Kwan, a cybersecurity expert, remarked on the unusual delivery of these emails, which typically end up in the junk folder.

The emails appeared to originate from the legitimate Microsoft address “[email protected].” While this may seem suspicious, it is indeed a verified address designated for messages from the Microsoft 365 Message Center, which is intended for important communications such as service updates and new features.

Within the Microsoft 365 Admin Portal, the "Message Center" provides users with important advisories. A "Share" feature allows users to disseminate information through email, but unfortunately, this intrinsic functionality has been exploited by cybercriminals.

How the Scam Works: A Flaw in the Code

The threat actors abuse the email-sharing feature through the optional "Personal Message" field that accompanies the advisories. Although the field is restricted to 1,000 characters, scammers bypass this limit using browser developer tools: by tampering with the character-length parameter in the page, they submit the entire sextortion message without truncation.

Because Microsoft performs no server-side validation of the field, the oversized extortion messages are inserted verbatim into the emails sent through the Message Center. Since the email is generated and delivered by Microsoft's own service, it arrives from a trusted sender, and the scammers can send it rapidly and at scale while evading the restrictions that would normally stop such abuse.
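The flaw described above is a classic case of a limit enforced only in the browser. The following is an added example, not Microsoft's code and not from the original article: it models a hypothetical "share advisory" handler in simplified form, with the insecure version trusting the browser's `maxlength` attribute and the secure version re-checking the "Personal Message" field on the server. The function names, the `form` dictionary, the email template and the sample inputs are all constructed for illustration; only the 1,000-character limit comes from the article.

```python
"""Server-side enforcement of a field limit that the browser also enforces.

Hypothetical model of the flaw discussed in the article. The client-side
control being bypassed is, conceptually, something like
    <textarea name="personalMessage" maxlength="1000">
which any user can edit with browser developer tools. The only check that
counts is the one the server performs on the submitted value.
"""
import unicodedata

# Limit the article says the UI imposes on the "Personal Message" field.
PERSONAL_MESSAGE_MAX = 1_000


class ValidationError(ValueError):
    """Raised when a submitted field violates the server-side policy."""


def render_share_email(advisory_title: str, personal_message: str) -> str:
    """Build the body of the shared-advisory email (constructed template)."""
    body = f"A colleague shared a Message Center advisory with you: {advisory_title}\n"
    if personal_message:
        body += f"\nPersonal message:\n{personal_message}\n"
    return body


def share_advisory_insecure(advisory_title: str, form: dict) -> str:
    """Vulnerable pattern: assumes maxlength in the browser already capped the field."""
    return render_share_email(advisory_title, form.get("personalMessage", ""))


def validate_personal_message(raw) -> str:
    """Server-side policy for the free-text field; returns the cleaned value."""
    if not isinstance(raw, str):
        raise ValidationError("personalMessage must be a string")
    # Normalize first so that the length is counted the same way the UI counts it
    # and so composed/decomposed forms cannot be used to game the limit.
    msg = unicodedata.normalize("NFC", raw)
    # Control characters (other than tab and newline) have no place in a note
    # that will be embedded in an outbound email.
    for ch in msg:
        if unicodedata.category(ch).startswith("C") and ch not in "\t\n":
            raise ValidationError("personalMessage contains control characters")
    # Reject rather than truncate: a value longer than the UI can produce is
    # itself a tampering signal worth logging, and truncation would still send
    # the first 1,000 characters of whatever was injected.
    if len(msg) > PERSONAL_MESSAGE_MAX:
        raise ValidationError(
            f"personalMessage exceeds {PERSONAL_MESSAGE_MAX} characters "
            f"({len(msg)} submitted); client-side limit was bypassed"
        )
    return msg


def share_advisory_secure(advisory_title: str, form: dict) -> str:
    """Hardened handler: the browser's limit is a convenience, not a control."""
    msg = validate_personal_message(form.get("personalMessage", ""))
    return render_share_email(advisory_title, msg)


def demo() -> dict:
    """Run both handlers against a constructed oversized submission."""
    # Constructed input standing in for a message pasted after editing maxlength.
    oversized = {"personalMessage": "This is a constructed filler sentence. " * 200}
    normal = {"personalMessage": "FYI, this affects our tenant next week."}
    results = {"insecure_sent_chars": len(share_advisory_insecure("Service update", oversized))}
    try:
        share_advisory_secure("Service update", oversized)
        results["secure_rejected"] = False
    except ValidationError as exc:
        results["secure_rejected"] = True
        results["reason"] = str(exc)
    results["secure_normal_ok"] = "FYI" in share_advisory_secure("Service update", normal)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is reject-versus-truncate. Truncating to 1,000 characters would still forward the head of an injected message, whereas rejecting the request both blocks it and produces a log line that can only be triggered by a modified client, which makes oversized submissions to a shared-notification endpoint a cheap detection signal.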

In light of these revelations, BleepingComputer reached out to Microsoft for comment. The tech giant acknowledged the situation and is currently investigating these malicious activities, stating, "We take security and privacy very seriously. We are investigating these reports and will take action to help keep our customers protected."

Awareness is Key: Stay Informed and Vigilant

While sextortion emails continue to infiltrate inboxes, it is crucial for recipients to remain skeptical and informed. These malicious emails are merely scams—a fact that should not be overlooked. Victims are advised to delete such correspondence without engaging or responding to requests or hyperlinks contained within.

Fortunately, the sheer prevalence of sextortion schemes over the past several years has raised public awareness, leading many individuals to recognize and discard suspicious communications. For those still unsure or frightened by these scams, clarity and caution are vital. Remember, these emails are fabricated threats designed to incite panic and extract money.

In a world increasingly dominated by digital communication, awareness of cyber threats and vigilance about the authenticity of emails can go a long way in safeguarding both personal privacy and finances.