Microsoft Hacked Again: Scammers Use Official Email Address To Run Sextortion Scam

The episodes of cybersecurity and cyberattacks seem to be a regular thing for Microsoft now. Scammers are reportedly exploiting the Microsoft 365 Admin Portal to send sextortion emails to users, falsely claiming that their devices—whether smartphones, tablets, or PCs—have been hacked to record compromising images or videos. These fraudulent emails may allege that they have footage of the recipient engaging in private acts or even claim to possess evidence of a cheating spouse.

Sextortion scams of this nature first emerged in 2018 and managed to extract anywhere from $500 to $5,000 from unsuspecting victims.

ALSO READ | Elon Musk Says Sexual Misconduct Allegations Against US Attorney General Nominee Matt Gaetz Are 'Less Than Nothing': Here's Why

A recent analysis by Bleeping Computer highlights that scammers are now leveraging the Microsoft 365 Admin Portal to bypass spam filters and other security barriers. The report notes that these emails are sent from the address "0365mc@microsoft.com," which, despite appearing suspicious, is actually a legitimate address Microsoft uses for notifications and communications.

For those unfamiliar, the Microsoft 365 Admin Portal includes a feature called the Message Center, designed to notify users about updates, features, and service advisories. This feature also allows users to share these advisories with others, accompanied by a personal message of up to 1,000 characters. However, cybercriminals have reportedly found a way to bypass this character limit and are exploiting the feature to send sextortion messages.

Scam Unfolds

It appears the scammers have automated the process, enabling them to distribute these fraudulent messages at scale without restrictions. In one example, a recipient received an email from Microsoft’s legitimate address, notifying them of changes to email service notifications.

Below this legitimate notice, the scammers inserted a personal message claiming to possess compromising images or videos of the recipient. The email demanded $2,000 in Bitcoin, providing a wallet address for the payment.

If you encounter a similar email claiming to be from Microsoft, it is almost certainly a scam. Avoid clicking on any links or sending money to unknown cryptocurrency wallets or bank accounts.

In response to inquiries from Bleeping Computer, Microsoft confirmed that it is actively investigating the issue. However, the report notes that the company has yet to close the loophole being exploited by these scammers.