
Admin Portal Microsoft 365 abused for sending sextortion messages


Criminals are sending sextortion emails by abusing Microsoft 365's Admin Portal. Because the messages are sent from a legitimate Microsoft address, they bypass the filters that would normally send such junk straight to the spam folder.

In the messages, the cybercriminals claim to have captured compromising sexual content of the victim or the victim's partner. To prevent it being distributed, the victim must pay; the amounts demanded range from 500 to 5,000 dollars.

More important is how the criminals manage to bypass the usual spam filters. According to BleepingComputer, the answer lies in the Microsoft 365 Message Center, where Microsoft posts notices about new features, upcoming changes and advisories.

Users can share those service messages by email with up to two addresses. The sender of such a shared message is o365mc@microsoft.com. That address looks a bit odd, but it is a legitimate Microsoft address, which is why spam filters do not usually block mail coming from it.

Getting around the 1,000-character limit

When sharing a message, the user can add a personal note, and that is exactly where the criminals put their extortion text. The note field accepts only 1,000 characters and truncates anything longer, but that limit is enforced only in the browser: with the browser's developer tools ('inspect element'), the attacker edits the field's maximum length before submitting, and the truncation never happens.

Because Microsoft performs no server-side check on the note's length, the full message is sent untruncated. Combined with the legitimate Microsoft sender address, the result is an extortion email that passes filters and looks authentic. Microsoft says it is investigating the problem, but the issue has not been fixed: there is still no server-side check to stop notes longer than 1,000 characters from slipping through.
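To make the weakness concrete, here is an added illustration (not code from the article, BleepingComputer or Microsoft) of why a browser-side maxlength is not a security control and what the missing server-side check looks like. The 1,000-character limit comes from the article; the handler and field names (`personalNote`, `shareMessage…`) and the simulated browser are assumptions made for the example.

```javascript
// Added example, not Microsoft's code: client-side-only length limits versus a
// server-side check. The 1,000-character note limit is from the article; the
// function and field names below are assumptions for illustration.

const MAX_NOTE_CHARS = 1000;

// Simulates what a browser does with <textarea maxlength="1000">: the limit is
// enforced purely in the client, so it is whatever the attribute says at submit
// time. An attacker changes it from the dev-tools console, e.g.
//   document.querySelector('textarea').maxLength = 100000;
// and the browser then happily submits the full text.
function browserSubmit(note, maxlengthAttr = MAX_NOTE_CHARS) {
  return { personalNote: note.slice(0, maxlengthAttr) };
}

// Vulnerable handler: assumes the client already enforced the limit and
// forwards the note as-is into the outgoing email.
function shareMessageTrustingClient(form) {
  return { status: 200, sentLength: form.personalNote.length };
}

// Hardened handler: re-checks the limit on the server, counting code points
// rather than UTF-16 units, and rejects over-long input instead of silently
// truncating it (so the caller learns the request was tampered with).
function shareMessageServerChecked(form) {
  const note = typeof form.personalNote === 'string' ? form.personalNote : '';
  const length = Array.from(note).length;
  if (length > MAX_NOTE_CHARS) {
    return { status: 400, error: `personalNote exceeds ${MAX_NOTE_CHARS} characters` };
  }
  return { status: 200, sentLength: length };
}

// Constructed input: a 5,000-character note, standing in for the long
// extortion text the criminals want to push through the 1,000-character field.
const longNote = 'A'.repeat(5000);

// Honest browser: maxlength applies and the note arrives truncated.
const honestForm = browserSubmit(longNote);
// Tampered browser: maxlength was raised to 100000 via inspect element.
const tamperedForm = browserSubmit(longNote, 100000);

// Runs both handlers against both submissions and returns what each does.
function demo() {
  return {
    honestTrusting: shareMessageTrustingClient(honestForm),      // 200, 1000 chars
    tamperedTrusting: shareMessageTrustingClient(tamperedForm),  // 200, 5000 chars: the bypass
    tamperedChecked: shareMessageServerChecked(tamperedForm),    // 400: rejected server-side
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The takeaway is the last two lines of `demo()`: the handler that trusts the client sends all 5,000 characters, while the one that re-validates on the server rejects the tampered submission regardless of what the browser claimed its limit was.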
