Cybercriminals are exploiting a weakness in the Microsoft 365 Admin Portal to bypass email security and deliver sextortion scams directly to inboxes.
The Scam:
Sextortion emails claim to have compromising videos or photos of the recipient and demand a ransom in Bitcoin to prevent them from being shared. These scams are prevalent but are usually caught by spam filters.
The Abuse:
Attackers are abusing the “Share” feature within the Microsoft 365 Message Center, which allows authorized users to share service advisories with others.
- Exploiting the Character Limit: The “Personal Message” field for sharing advisories has a 1,000 character limit, but it is enforced only in the browser. Attackers use browser developer tools to remove this limit and enter their entire sextortion message.
- Automated Attacks: The attackers likely use an automated script to exploit this vulnerability and send these malicious messages at scale.
Microsoft has been notified of this vulnerability and is investigating the issue. However, as of now, a server-side check to prevent messages exceeding the character limit hasn’t been implemented.
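The weak pattern described above, beside the server-side check that closes it, plus a simple review rule for mail admins. This is an added illustration, not Microsoft's code; the notification record shape and the "longer than the form allows means tampering" rule are assumptions.

```python
"""
Model of the Message Center "Share" flow: a browser-only maxlength on the
"Personal Message" field versus a real server-side length check.
All sample data below is constructed for the example.
"""
from dataclasses import dataclass

PERSONAL_MESSAGE_LIMIT = 1000  # the form limit the article describes


@dataclass
class ShareResult:
    accepted: bool
    reason: str


def client_side_only_handler(personal_message: str) -> ShareResult:
    """Vulnerable pattern: the server assumes the browser's maxlength already
    capped the field and never re-checks. Editing the DOM in developer tools
    removes that cap, so any length is accepted here."""
    return ShareResult(True, "accepted (length never checked on server)")


def server_side_handler(personal_message: str) -> ShareResult:
    """Hardened pattern: re-validate on the server regardless of the form.
    Counts code points, not bytes, so the limit matches what the UI shows."""
    length = len(personal_message)
    if length > PERSONAL_MESSAGE_LIMIT:
        return ShareResult(False, f"rejected: {length} chars exceeds {PERSONAL_MESSAGE_LIMIT}")
    return ShareResult(True, "accepted")


def flag_tampered_share_notifications(notifications, limit=PERSONAL_MESSAGE_LIMIT):
    """Review rule (assumed): a share notification whose personal message is
    longer than the legitimate form permits could not have come from the UI,
    so return its id for triage. Records are dicts with 'id' and
    'personal_message' keys (assumed shape)."""
    return [n["id"] for n in notifications if len(n["personal_message"]) > limit]


if __name__ == "__main__":
    # Constructed sample: one normal share and one with an oversized body.
    sample = [
        {"id": "share-001", "personal_message": "FYI: planned service change next week."},
        {"id": "share-002", "personal_message": "x" * 4200},  # stands in for an oversized body
    ]
    print(client_side_only_handler(sample[1]["personal_message"]))
    print(server_side_handler(sample[1]["personal_message"]))
    print(flag_tampered_share_notifications(sample))  # ['share-002']
```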
Staying Safe:
- Be Wary of Unexpected Emails: Even emails seemingly from legitimate sources like Microsoft 365 can be scams.
- Do Not Engage: Never respond to sextortion emails, click on any links, or send money.
- Report Phishing Attempts: Report suspicious emails to Microsoft or the relevant security platform.