Criminals are exploiting Microsoft 365's Admin Portal to send sextortion emails that bypass spam filters, using legitimate addresses to deceive victims into paying large sums.
The method involves sharing Microsoft service messages via email, allowing criminals to insert their extortion messages in the personal notes section without triggering spam filters.
Although Microsoft limits shared messages to 1,000 characters, criminals use browser tools to bypass this restriction, sending longer messages that appear legitimate.
Microsoft is aware of this issue and is investigating, yet essential server-side checks to prevent this type of message exploitation have not yet been implemented.