Sextortion Emails: A Growing Threat

In a shocking revelation, the Microsoft 365 Admin Portal is being exploited by cybercriminals to send out sextortion emails, skillfully designed to appear legitimate and evade spam filters. This alarming trend poses a substantial risk to users who may unknowingly fall victim to these manipulative scams.

Understanding the Scam

Sextortion emails typically assert that a hacker has compromised your device, allegedly securing explicit images or videos of you. The extortionists then demand payment ranging from $500 to $5,000, threatening to share these incriminating materials with your family and friends if you refuse.

The Financial Upsurge of Sextortion

You might think that these claims sound too outrageous to be true, but since their emergence in 2018, these scams have proven highly lucrative, raking in over $50,000 weekly at their peak. BleepingComputer continues to receive multiple reports from concerned individuals who have received such disturbing messages.

Variants of the Scam

Scammers have proliferated various extortion email variants, some claiming to have caught your spouse cheating, while others might include personal images or address details to enhance their credibility and coerce payment in Bitcoin.

The Challenges of Spam Filters

Although many email security systems have become adept at trapping these fraud messages in junk folders, a recent uptick in reports from LinkedIn, X, and Microsoft’s own Answers forum indicates that scammers have found a way around these defenses. Users reported receiving sextortion emails directly through the Microsoft 365 Message Center, successfully bypassing established spam filters.

A Cybersecurity Professional's Alarm

A cybersecurity professional, Edwin Kwan, expressed concern, stating, "I received an extortion scam email yesterday. Usually, these things end up in junk/spam, but this one made it past the filters since it was sent by the Microsoft 365 Message Center."

Legitimacy of the Sender

The emails originated from the address "[email protected]," which might seem suspicious but is actually a legitimate Microsoft email used for notifications and updates related to Microsoft 365 services.

Exploiting System Features

For context, the Microsoft 365 Admin Portal includes a "Message Center" designed to communicate service advisories, feature updates, and changes. One feature allows users to share advisories via email, but here's where the scammers have found a loophole. They utilize the "Personal Message" field, which should be limited to 1,000 characters. However, the fraudsters conveniently bypass this limit by tweaking the browser's developer tools, allowing them to input a full length sextortion message without truncation. Microsoft currently lacks server-side checks for character limits, which means the extensive extortion messages can be sent seamlessly.

Automation of the Scam

Sources indicate that scammers are likely automating this process for efficiency, submitting these requests rapidly to maximize their reach. Upon contacting Microsoft, BleepingComputer was informed that the tech giant is investigating these malicious activities. “Thank you for bringing this to our attention. We take security and privacy very seriously,” a Microsoft representative stated.

What Users Should Do

Until Microsoft reinforces security checks, users must be vigilant. If you receive any sextortion emails, do NOT engage with the content or send any payments. Understand that these are scams. Moreover, remember that while such scams have become commonplace and often disregarded, they remain distressing, especially for those unfamiliar with their tactics.

Conclusion

In conclusion, as the world becomes increasingly digital, cybersecurity awareness is paramount. Always verify the legitimacy of any startling claims, and do not hesitate to report suspicious activities to your email service provider. Stay safe out there!