Microsoft 365 Admin portal abused to send sextortion emails

November 18, 2024 at 08:14AM

Scammers are exploiting the Microsoft 365 Admin Portal to send sextortion emails that bypass spam filters by using the legitimate “[email protected]” address. These emails claim to have compromising content and demand payment. Microsoft is investigating this abuse, but users should remain vigilant and not respond to these scams.

### Key Takeaways

1. **Sextortion Emails Misuse Microsoft 365 Admin Portal**:
– Scammers are using the Microsoft 365 Admin Portal to send sextortion emails, making them appear credible and bypassing regular email security measures.

2. **Nature of Sextortion Emails**:
– These scams claim that personal devices were hacked, threatening to share compromising images unless a ransom of $500 to $5,000 is paid, often in Bitcoin.

3. **Historical Context**:
– Since their emergence in 2018, these scams have proven lucrative, generating upwards of $50,000 weekly initially. Reports of such scams are still being received by platforms like BleepingComputer.

4. **Evolution of Scams**:
– Numerous variations of these scams exist, including those that manipulate personal situations (like infidelity) to increase urgency and fear, often including purported images of victims’ homes.

5. **Bypassing Spam Filters**:
– Recent reports describe sextortion emails that arrive from the Microsoft 365 Message Center's own sender address, so they pass filters that treat mail from Microsoft's infrastructure as trustworthy.

6. **Technical Exploitation**:
– The Message Center's “Share” feature lets an administrator email a service post to an address of their choosing together with an optional personal message, which the portal's UI caps at 1,000 characters. Scammers open the browser's developer tools, raise or remove the input field's maximum-length attribute, and paste the full sextortion text into the personal-message field; the portal then delivers it from Microsoft's own address.

7. **Lack of Server-Side Verification**:
– The 1,000-character limit is enforced only in the browser. The service that actually sends the email does not re-check the length of what it receives, so the oversized message is accepted and sent exactly as submitted.

8. **Ongoing Investigation by Microsoft**:
– Microsoft has acknowledged the issue and is investigating reports of this malicious activity, emphasizing their commitment to security and user protection.

9. **User Awareness and Safety**:
– It is crucial for users to recognize these emails as scams and not engage with them. Users are advised to delete such emails and not click on any links or send money.

10. **Public Sentiment**:
– The influx of sextortion scam attempts has led many individuals to become more aware and skeptical, enabling them to recognize these threats more easily. However, education is still necessary for those unfamiliar with such tactics.

These takeaways highlight the ongoing threat of sextortion scams and the need for vigilance and awareness in cybersecurity practices.
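Items 6 and 7 describe a client-side-only limit being bypassed with developer tools. The block below is an added example, not Microsoft's code and not from the original article: it models the portal's share form and two backends, one that trusts the browser's limit and one that re-validates the field. The names (`clientSideForm`, `vulnerableShareHandler`, `hardenedShareHandler`, `MAX_PERSONAL_MESSAGE`) and the 1,500-character payload are constructed for illustration.

```javascript
// Added example (not Microsoft's code). Models a "share with personal message"
// request: the UI caps the message at 1,000 characters via a maxlength
// attribute, which anyone can rewrite in developer tools, so only a server-side
// check actually enforces the limit. All identifiers here are assumptions.

const MAX_PERSONAL_MESSAGE = 1000; // the cap the page says the portal's UI applies

// Simulates the browser form. maxlength is just a DOM attribute: the browser
// truncates typed/pasted input to it, but the attacker can set it to any value
// before pasting, so the full payload leaves the browser intact.
function clientSideForm(maxlength) {
  return {
    submit(personalMessage) {
      return {
        recipient: 'victim@example.com', // constructed address
        personalMessage: personalMessage.slice(0, maxlength),
      };
    },
  };
}

// Vulnerable backend: assumes the UI already limited the message and sends it.
function vulnerableShareHandler(req) {
  return { accepted: true, sentLength: req.personalMessage.length };
}

// Hardened backend: re-validates every field regardless of what the client did.
// HTML maxlength counts UTF-16 code units, which is exactly what String#length
// returns, so this check measures the same thing the UI claims to enforce.
function hardenedShareHandler(req) {
  const msg = req.personalMessage;
  if (typeof msg !== 'string') {
    return { accepted: false, reason: 'personalMessage must be a string' };
  }
  if (msg.length > MAX_PERSONAL_MESSAGE) {
    return {
      accepted: false,
      reason: `personalMessage exceeds ${MAX_PERSONAL_MESSAGE} characters`,
    };
  }
  return { accepted: true, sentLength: msg.length };
}

// Constructed stand-in for a sextortion message: 1,500 characters, well over the cap.
const oversizedMessage = 'x'.repeat(1500);

// Runs both forms against both backends and returns what each one did.
function demo() {
  const honestForm = clientSideForm(MAX_PERSONAL_MESSAGE);
  const tamperedForm = clientSideForm(100000); // attribute edited in dev tools

  const honestReq = honestForm.submit(oversizedMessage);
  const tamperedReq = tamperedForm.submit(oversizedMessage);

  return {
    honestTruncatedTo: honestReq.personalMessage.length,          // 1000
    tamperedSubmitted: tamperedReq.personalMessage.length,         // 1500
    vulnerableAcceptsTampered: vulnerableShareHandler(tamperedReq).accepted, // true
    hardenedAcceptsTampered: hardenedShareHandler(tamperedReq).accepted,     // false
    hardenedAcceptsHonest: hardenedShareHandler(honestReq).accepted,         // true
  };
}

console.log(demo());
```

The point of the contrast is that `clientSideForm` only ever protects honest users from themselves; the first request that did not come from the intended UI (edited attribute, hand-crafted HTTP call, replayed request) reaches the backend unchanged, and only `hardenedShareHandler` rejects it.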
