
Cybercriminals hacked Microsoft and are using official email for sextortion scams – Firstpost
aecifo

Cybercriminals use the Microsoft 365 admin portal to send emails from legitimate Microsoft addresses, claiming that a potential target’s device has been compromised to capture images or videos. Victims are then pressured to pay up to $2,000 in Bitcoin as ransom.


A worrying new cybercrime trend has emerged, with hackers exploiting Microsoft’s own email systems to run sextortion scams. Reports reveal that cybercriminals are using the Microsoft 365 admin portal to send emails from legitimate Microsoft addresses, making the scam credible and bypassing spam filters and other security measures.

Sextortion emails claim that the recipient’s smartphone, tablet, or computer has been hacked to capture compromising images or videos. Victims are then pressured to pay up to $2,000 in Bitcoin to prevent the alleged material from being published. This alarming tactic has reignited concerns about sextortion scams, which have evolved significantly since they first emerged in 2018.

Legitimate Microsoft email used for fraudulent purposes

Hackers are reportedly exploiting a feature in the Microsoft 365 admin portal’s message center. Designed to send service updates and notices, this feature allows users to share notifications with others, adding a personalized message that can go up to 1,000 characters. Fraudsters have managed to circumvent this character limit, using legitimate email addresses to send fraudulent messages.

The emails often start with a genuine Microsoft notification before inserting the scammer’s threatening message. Recipients are falsely informed that their activities have been recorded and asked to pay a Bitcoin ransom to avoid exposure. Using a legitimate Microsoft email address makes the scam harder to detect and more likely to escape security filters, increasing its potential reach.

Automation increases the threat

To maximize their impact, fraudsters have automated the process of sharing notices through the admin portal. This automation allows them to send these threatening messages on a large scale without restrictions. The combination of automation, legitimate email addresses, and official-looking notifications has created a perfect storm for cybercriminals to exploit unsuspecting users.

Victims are advised to be careful if they receive emails from Microsoft mentioning sextortion threats. Experts recommend avoiding clicking on links, opening attachments, or transferring money to unfamiliar cryptocurrency wallets or bank accounts. Even if the email appears to come from a legitimate source, users should verify the message through official channels.

Microsoft investigates as threat persists

Microsoft has acknowledged the problem and is currently investigating the scam, according to a statement made to BleepingComputer. However, the tech giant has yet to close the loophole that allows scammers to send these messages. The lack of immediate action has sparked concerns, with cybersecurity experts calling for urgent measures to stop the exploit.

While Microsoft is working on a resolution, users are advised to remain vigilant and report suspicious emails to their IT department or Microsoft Support team. This ongoing scam is a stark reminder of how cybercriminals continually adapt their tactics, even exploiting trusted platforms to achieve their goals.