If you get a sextortion email from Microsoft, don't act on it

The Microsoft 365 Message Center is being used to send threats


Many Microsoft 365 users have received threatening emails sent through the Message Center in the Microsoft 365 Admin Portal. The scammer claims to have hacked your PC and gained access to compromising content on your machine and/or your browser. Of course, the scammer demands a hefty sum not to disclose the content to friends, colleagues and relatives.

If you’re in this situation, don’t cave in, because the scammer doesn’t actually have anything on you. You should, however, report the incident to Microsoft.

A user offered a glimpse of the sextortion email on the Microsoft Answers forum.

According to Bleeping Computer, this is a lot more worrying than a simple phishing email because it comes straight from the [email protected] address. This is actually a legitimate address whose mail goes through the Microsoft 365 Message Center.

How does the sextortion scam work?

Apparently, the scammers are using a very simple loophole. They access the Message Center from the Microsoft 365 Admin Portal and click the Share button on one of the messages.

Then, they change the content and bypass the interface’s 1000-character limit using the browser’s dev tools.

That’s how the scammer gets their scary message delivered alongside Microsoft’s advisory, which makes the email appear legitimate.

It seems that Microsoft doesn’t perform any character length checks on personal messages sent using the Share button, which is what makes this possible.
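A limit that exists only in the browser interface can be edited away with dev tools, so the check has to be repeated where the request is processed. The following is an added example, not Microsoft's code: the function name, the `personalMessage` field and the result shape are assumptions used to show a handler-side validator enforcing the 1000-character limit.

```javascript
// Added illustration: server-side validation for a "share message" request.
// The field name (personalMessage) and the result shape are hypothetical.
const MAX_PERSONAL_MESSAGE_CHARS = 1000; // the limit shown in the interface

// Count code points rather than UTF-16 units, so an emoji counts as one
// character on the server just as it does for the person typing it.
function countCodePoints(text) {
  return Array.from(text).length;
}

function validateShareRequest(body) {
  if (body === null || typeof body !== "object") {
    return { ok: false, status: 400, error: "body must be a JSON object" };
  }
  const msg = body.personalMessage;
  // Type check before length check: `.length` on an array or object
  // would measure something other than the text that gets sent.
  if (typeof msg !== "string") {
    return { ok: false, status: 400, error: "personalMessage must be a string" };
  }
  // Normalize first so the text that is measured is the text that is sent.
  const normalized = msg.normalize("NFC");
  const length = countCodePoints(normalized);
  if (length > MAX_PERSONAL_MESSAGE_CHARS) {
    // Reject instead of truncating so an over-limit request never goes out.
    return {
      ok: false,
      status: 422,
      error: `personalMessage is ${length} characters; limit is ${MAX_PERSONAL_MESSAGE_CHARS}`,
    };
  }
  return { ok: true, status: 200, personalMessage: normalized };
}

// Constructed sample requests: one normal, one with the interface limit bypassed.
const withinLimit = { personalMessage: "FYI, see the advisory below." };
const overLimit = { personalMessage: "x".repeat(4000) };

console.log(validateShareRequest(withinLimit).status);
console.log(validateShareRequest(overLimit).status);
```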

The bottom line is that if you’ve received such an email, you can rest assured that the scammer doesn’t actually have anything on you and you should definitely not act on it.

Microsoft is working on a fix for this problem, but until then, the only temporary solution is to block the email on your client.

Have you been the victim of such a sextortion email from Microsoft? Let us know in the comments below.
