Hackers are pulling a clever trick with the Microsoft 365 Admin Portal to send sextortion emails that sneak past spam filters and land directly in your inbox. These scams use the Microsoft 365 Message Center—a tool designed for legitimate updates about services and features. Instead of sending real updates, cybercriminals are abusing its "Share" feature to push their scam messages, making them look like they came straight from Microsoft.
Here’s the deal: these emails claim your device was hacked and that they’ve got dirt on you—like videos or images of you in compromising situations. The scammers then demand payment in Bitcoin, threatening to share the supposed material if you don’t pay up. It’s a bold move, and the use of a legitimate Microsoft email address makes it seem even more real.
What makes these emails especially dangerous is how they manage to bypass email security systems. Normally, these scams would be flagged by filters, but because they are sent from a trusted Microsoft address, "o365mc@microsoft.com," they get through unnoticed.
Apparently, these scammers are abusing the "Personal Message" field in the Microsoft 365 Message Center’s "Share" option, which is designed to add a short note when sharing an advisory. Normally, this field is capped at 1,000 characters, but attackers have figured out a way around it. By using browser developer tools, they tweak the maxlength attribute in the HTML textarea element to allow longer messages. This lets them include their full sextortion text in the email without truncation.
It’s downright embarrassing for Microsoft that this works because the first rule in cybersecurity is "Never trust user input." This principle, often phrased as "Never trust what comes from the browser," emphasizes that client-side validations (like the character limit) are unreliable. Without server-side checks to enforce these restrictions, the email system blindly processes and sends the altered message.
Although this technique has allowed scammers to bypass filters, it is important for users to recognize these emails for what they are: scams. Bleeping Computer says that Microsoft has acknowledged the issue and is investigating the abuse, but as of now, the server-side checks to prevent such messages haven"t been added.
A copy of one such scam email was posted on the Microsoft Answers forum, where a user shared the disturbing content. The email included bizarre arrow symbols and detailed information about the recipient, including their birthdate, to make it seem more authentic. It threatened to share compromising footage unless a Bitcoin payment was made within 48 hours.
Sextortion emails are nothing new, but they"re getting way nastier and more advanced. A big chunk of these scams is driven by groups like the infamous "Yahoo Boys" from West Africa, who’ve turned this into a full-blown operation. They’ve been sharing how-to guides on platforms like TikTok and YouTube, targeting teens and young adults on apps like Instagram and Snapchat.