Microsoft 365 Admin portal abused to send sextortion emails

The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the messages appear trustworthy and bypassing email security platforms.

Sextortion emails are scams claiming that your computer or mobile device was hacked to steal images or videos of you performing sexual acts. The scammers then demand a payment of $500 to $5,000 to prevent them from sharing the compromising photos with your family and friends.

While you would think no one could fall for these scams, they were very profitable when they first appeared in 2018, generating over $50,000 a week. To this day, GeekFeed continues to receive messages from people concerned after receiving them.

Since then, scammers have created numerous variants of extortion email scams, including ones that pretend to have caught your spouse cheating or include pictures of your home to scare you into paying the extortionist in Bitcoin.

However, email security platforms have become good at detecting these scam emails and typically quarantine them in the spam folder.

Abusing the Microsoft 365 Admin Portal for scams

Over the past week, people on LinkedIn, X, and the Microsoft Answers forum reported receiving sextortion emails through the Microsoft 365 Message Center, allowing the scams to bypass spam filters and land in the inbox.

“I received an extortion scam email yesterday. These things usually end up in junk/spam, however this one made it past the filters as it was sent by Microsoft 365 Message Center.

“Any ideas on how they would have managed to do this?” asked cybersecurity professional Edwin Kwan.

Sextortion scam sent from Microsoft 365 Admin Portal

The sextortion emails came from “o365mc@microsoft.com,” which may feel like a phishing address but is actually Microsoft’s legitimate email address used to send messages and notifications from the Microsoft 365 Message Center.

For those not familiar with the Microsoft 365 Admin Portal, it includes a section called the “Message Center,” which contains communication from Microsoft about service advisories, new features, and upcoming changes.

When viewing an advisory, a “Share” link allows you to share the advisory with other people, as shown below.

Share link in a Microsoft 365 Message Center message

Clicking on the Share button opens a dialog asking you to input up to two email addresses to which the advisory should be sent, regardless of whether they are external or internal to your organization.

This screen also includes an optional “Personal Message,” which will be added to the emailed advisory.

Share message dialog

The threat actors are abusing the Personal Message feature by using it to send the sextortion message. However, this personal message field is limited to only 1,000 characters, with anything additional being truncated by the user interface.

As the extortion message sent by the scammers is far more than 1,000 characters, it made me wonder how they were bypassing this restriction.

The answer is simple. They just open up the browser’s dev tools and change the maximum length field of the <textarea> tag to an arbitrary number of their choice. 

This change now allows them to enter the entire sextortion message into the “Personal Message” field without it being truncated.

Changing the maximum character length of Personal Message field

As Microsoft does not perform server-side checks for the character length, the entire extortion message is now sent along with the advisory.

The scammers are likely using an automated process to submit these “Share” requests, which is even easier when there is no server-side check on the length of the personal message.
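A length limit set in the browser is only a hint, because the sender controls the request, so the limit has to be re-checked where the request is processed. The sketch below is an added example, not Microsoft's code: the function names and the `recipients` and `personalMessage` field names are assumptions, and only the two limits (two recipients, 1,000 characters) come from the article.

```javascript
// Added example: hypothetical server-side validation for a "Share" request.
// Field and function names are assumptions; the limits come from the article.
const MAX_RECIPIENTS = 2;
const MAX_MESSAGE_CHARS = 1000;

// Weak form: assumes the browser already enforced the textarea limit.
function acceptShareClientTrusting(body) {
  return { ok: true, recipients: body.recipients,
           personalMessage: body.personalMessage };
}

// Hardened form: re-checks every constraint on the server and rejects
// (rather than silently truncating) anything outside the limits.
function validateShareRequest(body) {
  const errors = [];
  const recipients = body && body.recipients;
  const message = body && body.personalMessage;

  if (!Array.isArray(recipients) || recipients.length < 1 ||
      recipients.length > MAX_RECIPIENTS) {
    errors.push(`recipients must be 1 to ${MAX_RECIPIENTS} addresses`);
  } else if (!recipients.every(r => typeof r === "string" &&
                                    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r))) {
    errors.push("recipient is not a valid address");
  }

  if (message !== undefined && typeof message !== "string") {
    errors.push("personalMessage must be a string");
  } else if (typeof message === "string" &&
             message.length > MAX_MESSAGE_CHARS) {
    // JavaScript string length counts UTF-16 code units.
    errors.push(`personalMessage exceeds ${MAX_MESSAGE_CHARS} characters`);
  }

  return errors.length
    ? { ok: false, errors }
    : { ok: true, recipients, personalMessage: message || "" };
}

// Constructed sample requests: one normal, one with an oversized message.
const normal = { recipients: ["a@example.com"], personalMessage: "FYI" };
const oversized = { recipients: ["a@example.com"],
                    personalMessage: "x".repeat(4000) };
```

Rejecting the oversized request outright, instead of truncating it, also leaves a clear signal in server logs that a client is not honoring the form's limit.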

GeekFeed contacted Microsoft about these scams and was told they are investigating the malicious activity.

“Thank you for bringing this to our attention. We take security and privacy very seriously,” Microsoft told GeekFeed.

“We are investigating these reports and will take action to help keep our customers protected.”

At this time, Microsoft has not added server-side checks to prevent messages over 1,000 characters, GeekFeed’s tests showed.

While this technique has allowed the sextortion emails to bypass mail filters, anyone who receives them must understand that they are just scams and delete them.

Thankfully, sextortion scams have become so abundant over the past six years that most people realize that they are scams and delete these types of emails.

However, for those not familiar, these emails can be distressing and scary.

Therefore, it is important to stress that these emails are scams, they are not telling the truth, and you should not visit any links in these emails or send any money to the listed cryptocurrency addresses.
