Microsoft 365 users are being warned about a new scamming scheme using the platform’s admin portal.
Users are reporting that emails that would usually be filtered out are getting through as the scammers are using the Microsoft 365 Message Center.
This latest spate of attacks is another wake-up to Microsoft 365 users that the platform is not immune to attacks and they need to be vigilant.
Microsoft 365 Admin Portal Abused
Users have shared that they have received sextortion emails through the Microsoft 365 Message Center. Posts on LinkedIn, X, and the Microsoft Answers forum have revealed the extent of the problem.
Cyber Security Executive, Edwin Kwan, wrote on LinkedIn: “I received an extortion scam email yesterday. These things usually end up in junk/spam, however this one made it past the filters as it was sent by Microsoft 365 Message Center.” He asked: “Any ideas on how they would have managed to do this?”
The emails coming through follow a set pattern. The cybercriminals make a demand for money by threatening to expose compromising photos of the victim, which the hackers claim to have got access to by hacking their computer.
This just in! View
the top business tech deals for 2024 👨💻
BleepingComputer says it is receiving emails from concerned parties. It adds that these kinds of extortion emails are effective but there are variations of the sextortion theme, including an extortion scam based around the claim that hackers have caught your spouse cheating or emails that include pictures of your home as a scare tactic.
What do the Malicious Microsoft 365 Emails Look Like?
The emails come from o365mc@microsoft.com, which is actually a genuine Microsoft email address. These kinds of emails come from the Message Center in the Microsoft 365 Admin Portal, which is from where users can share advisory notices from Microsoft. Users can send up to two emails in this way; and these can be email addresses for both internal and external comms.
It appears that scammers are getting past the 1,000 character limit for emails usually sent from the center by opening up the browser’s dev tools and changing the maximum length field. This means that they can get their whole message out to victims but have also bypassed any of Microsoft’s filters.
What is Microsoft’s Advice on Scam Emails?
Microsoft is aware of the problem and told BleepingComputer: “We are investigating these reports and will take action to help keep our customers protected.”
However, the news website added that the computing giant has yet to “add server-side checks to prevent messages over 1,000 characters”.
Advice to users who receive one of this emails is to delete them immediately, however distressing they find the content.
