Microsoft 365 Vulnerability: Sextortion Emails Bypass Scam Protections

In the ever-evolving landscape of cybersecurity, even the seemingly fortified walls of Microsoft 365 are showing vulnerabilities. Recent reports have revealed that scammers have found a way to bypass Microsoft 365's scam protections, leveraging the platform's own admin portal to infiltrate users' inboxes with menacing sextortion emails.

The Scheme Unveiled: How It Works

Scammers are using a crafty tactic by taking advantage of the Microsoft 365 Message Center. This legitimate feature is intended for sharing advisory notices and updates from Microsoft. However, it has been co-opted by cybercriminals to deliver threatening emails directly to users, bypassing standard spam filters. The reports first surfaced on platforms such as LinkedIn and the Microsoft Answers forum, highlighting how the email addresses used—specifically from o365mc@microsoft.com—are genuine, making it challenging for recipients to recognize them as scams.

A Closer Look at the Malicious Emails

These sextortion emails typically follow a distressing format: the scammer claims to have compromised the victim's computer and threatens to release sensitive content unless a monetary demand is met. Edwin Kwan, a cybersecurity executive, shared his experience on LinkedIn, expressing shock that such emails were bypassing filters typically designed to catch exactly this type of content.
The content often hints at personal invasions that include the claim of having caught the recipient in compromising situations. Some variations of these emails may even include additional scare tactics—like allegations about a spouse's fidelity—to up the ante on the psychological manipulation.

Technical Manipulation: Bypassing Microsoft’s Filters

What sets this scam apart is not just its content but how the attackers have engineered their approach. Cybercriminals appear to be using browser developer tools to remove the maximum character limit on outgoing messages, traditionally capped at 1,000 characters. Because the cap is only enforced in the browser, this tactic lets them send longer, more detailed emails carrying their threats without triggering the automated filters that might otherwise flag such long messages.

The Response from Microsoft

Microsoft has acknowledged this alarming trend. A representative mentioned to BleepingComputer that they are investigating the reports and are developing strategies to bolster their defenses against such scams. However, users should remain vigilant as the company has yet to implement server-side checks to reject these longer messages.
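Until a server-side check exists, tenant defenders can apply their own content inspection to these notices. The following triage rule is an added example, not code from the article or from Microsoft: it parses a Message Center share e-mail and, instead of trusting the genuine o365mc@microsoft.com sender, inspects the sender-controlled note for the markers described above (a note longer than the 1,000-character UI cap, extortion phrasing, a payment address). The two sample messages, the header layout and the keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

LEGIT_SENDER = "o365mc@microsoft.com"   # genuine address used by the notices
CLIENT_LIMIT = 1000                      # browser-side cap the scammers bypass
# Phrases typical of extortion notes (constructed list; tune for your tenant).
THREAT_TERMS = ("bitcoin", "webcam", "compromising", "hours to pay", "your contacts")
# Loose Bitcoin-address shape; assumption, good enough for a triage flag.
BTC_ADDR = re.compile(r"\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,62}\b")

# Constructed sample: a legitimate share with a short colleague note.
BENIGN = (
    "From: Microsoft 365 Message center <o365mc@microsoft.com>\n"
    "Subject: A notice was shared with you\n\n"
    "Personal message from the sender:\nPlease review this before Friday; "
    "it affects our mailboxes.\n\nMC000000 (constructed id): service update.\n"
)
# Constructed sample: a note far beyond the UI cap, with extortion markers.
MALICIOUS = (
    "From: Microsoft 365 Message center <o365mc@microsoft.com>\n"
    "Subject: A notice was shared with you\n\n"
    "Personal message from the sender:\n"
    + "I have recorded you through your webcam in compromising situations. " * 15
    + "Send 0.05 bitcoin to bc1qconstructedaddress0000000000000000 within 48 "
    "hours to pay or the video goes to your contacts.\n"
)

def _text_body(msg: Message) -> str:
    """Return the plain-text body, joining text/plain parts if multipart."""
    if msg.is_multipart():
        return "\n".join(str(p.get_payload()) for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return str(msg.get_payload())

def triage(raw: str) -> dict:
    """Flag a notice by its sender-controlled content, not by its sender."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").lower()
    body = _text_body(msg)
    reasons = []
    if len(body) > CLIENT_LIMIT:
        reasons.append(f"note length {len(body)} exceeds UI cap {CLIENT_LIMIT}")
    hits = [t for t in THREAT_TERMS if t in body.lower()]
    if len(hits) >= 2:
        reasons.append("extortion phrasing: " + ", ".join(hits))
    if BTC_ADDR.search(body):
        reasons.append("cryptocurrency address in note")
    return {"from_message_center": LEGIT_SENDER in sender,
            "suspicious": bool(reasons), "reasons": reasons}
```

Because the sender really is Microsoft, SPF and DKIM pass on both samples; only the body inspection separates them, which is why the rule never uses the sender as a trust signal.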

User Guidance and Best Practices

For Microsoft 365 users, the immediate reaction to encountering such emails is to delete them instantly, regardless of the distress they may cause. It’s a sobering reminder that vigilance is crucial in the digital realm, no platform being entirely immune.
Tips to Stay Secure:
  1. Be Skeptical of Unusual Emails: Always question unsolicited emails, especially those with threats or demands.
  2. Use Multi-Factor Authentication (MFA): This adds an extra layer of security, making unauthorized access more difficult.
  3. Educate Yourself about Phishing Scams: The more you know, the better equipped you will be to recognize potential threats.
  4. Report Suspicious Emails: Use the built-in reporting tools in Microsoft 365 to flag suspicious activity.

Conclusion: A Call for Increased Vigilance

As Microsoft 365 users, understanding that vulnerabilities exist—even in reputable systems—is essential for maintaining security. This recent sextortion scheme is a stark reminder of the need for continuous education on cyber threats and effective personal security measures. With cybercriminals constantly refining their tactics, users must stay informed, protective, and adaptive to safeguard against these pervasive threats.
Stay smart, stay safe, and remember—when in doubt, it’s always best to err on the side of caution.

Source: Tech.co Microsoft 365 Users Warned About Sextortion Email Scam