A worrying new cybercrime trend has emerged, with hackers exploiting Microsoft’s own email systems to conduct sextortion scams. Reports reveal that cybercriminals are using the Microsoft 365 Admin Portal to send emails from legitimate Microsoft addresses, making the scam appear credible and bypassing spam filters and other security measures.
The sextortion emails claim the recipient’s smartphone, tablet, or computer has been hacked to capture compromising images or videos. Victims are then coerced into paying up to $2,000 in Bitcoin to prevent the alleged material from being released. This alarming tactic has reignited concerns over sextortion scams, which have evolved significantly since their emergence in 2018.
Legitimate Microsoft email used for fraud
The hackers are reportedly exploiting a feature in the Microsoft 365 Admin Portal’s Message Center. Designed to send service updates and advisories, this feature allows users to share notifications with others, adding a personalised message of up to 1,000 characters. Scammers have managed to bypass this character limit, using the legitimate email addresses to send fraudulent messages.
The emails often start with an authentic Microsoft notification before inserting the scammer’s threatening message. Recipients are falsely informed that their activities have been recorded and are asked to pay a Bitcoin ransom to prevent exposure. The use of a legitimate Microsoft email makes the scam harder to detect and more likely to evade security filters, increasing its potential reach.
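A content-based triage check for these shared notifications, written here as an added example rather than anything from Microsoft or the reports cited. It assumes the notification arrives as plain text with the admin's personalised note after a marker line; the marker, the 1,000-character UI limit as the over-length threshold, and the sample bodies are assumptions constructed for illustration.

```python
# Added triage heuristic, not Microsoft's code or tooling. It assumes the
# shared notification arrives as plain text with the admin's personalised
# note after a marker line; the marker and the sample bodies are constructed.
PERSONAL_MESSAGE_MARKER = "Message from sender:"   # assumed layout
PERSONAL_MESSAGE_LIMIT = 1000                      # limit the portal UI enforces
EXTORTION_TERMS = ("bitcoin", "btc", "wallet", "recorded", "compromising")


def extract_personal_message(body: str) -> str:
    """Return the personalised note that follows the marker, or '' if absent."""
    _, sep, rest = body.partition(PERSONAL_MESSAGE_MARKER)
    return rest.strip() if sep else ""


def triage(body: str) -> dict:
    """Flag a notification when the note is over-length or reads like extortion.
    Sender authenticity is deliberately not a signal: the abuse sends the mail
    from Microsoft's own addresses, so only the note's content can be checked."""
    note = extract_personal_message(body)
    reasons = []
    if len(note) > PERSONAL_MESSAGE_LIMIT:
        reasons.append(f"note is {len(note)} chars, over the {PERSONAL_MESSAGE_LIMIT}-char UI limit")
    hits = sorted(t for t in EXTORTION_TERMS if t in note.lower())
    if hits:
        reasons.append("extortion vocabulary: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies (not real notifications).
LEGIT_SHARE = """Microsoft 365 Message Center
Planned maintenance for Exchange Online (constructed advisory text)
Message from sender:
Please read this before Friday's change window."""

EXTORTION_SHARE = "Microsoft 365 Message Center\n" \
    "Planned maintenance for Exchange Online (constructed advisory text)\n" \
    "Message from sender:\n" + " ".join(
        ["Your device was hacked and we have recorded compromising video. "
         "Pay $2,000 in bitcoin to our wallet within 48 hours."] * 10)

if __name__ == "__main__":
    for name, body in (("legit", LEGIT_SHARE), ("scam", EXTORTION_SHARE)):
        print(name, triage(body))
```

In a real mail pipeline the marker would be replaced by whatever structure the actual notification template uses, and the flagged message routed to the help desk rather than auto-deleted, since the wrapper is a genuine Microsoft advisory.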
Automation increasing threat
To maximise their impact, scammers have automated the process of sharing advisories via the Admin Portal. This automation allows them to send these threatening messages on a large scale without restrictions. The combination of automation, legitimate email addresses, and official-looking notifications has created a perfect storm for cybercriminals to exploit unsuspecting users.
Victims are urged to be cautious if they receive emails from Microsoft that mention sextortion threats. Experts recommend avoiding clicking on links, opening attachments, or transferring money to unknown cryptocurrency wallets or bank accounts. Even if the email appears to come from a legitimate source, users should verify the message through official channels.
Microsoft investigates as threat persists
Microsoft has acknowledged the issue and is currently investigating the scam, according to a statement made to Bleeping Computer. However, the tech giant has not yet addressed the loophole that allows scammers to send these messages. The lack of immediate action has raised concerns, with cybersecurity experts calling for urgent measures to close the loophole.
While Microsoft works on a resolution, users are advised to remain vigilant and report suspicious emails to their IT departments or Microsoft’s support team. The ongoing scam serves as a stark reminder of how cybercriminals continually adapt their tactics, even exploiting trusted platforms to achieve their aims.