The adage “when someone tells you who they are, believe them” does not hold in cyberspace, where hackers run amok. Unfortunately, it’s all too easy for criminals to pretend to be someone they’re not, and this is what’s happening with a new fake Microsoft email going around. If you’ve received a notification from Microsoft that threatens to expose your private data, it’s probably a scam—even if it’s coming from a Microsoft account.
Why You Shouldn’t Immediately Trust a Threatening Email from Microsoft
In the case of the latest Microsoft scam, hackers have taken advantage of a loophole in the Microsoft 365 Admin Portal code to send emails from a Microsoft.com account. Hence, the notifications don’t get tossed away into the recipient’s spam folder.
While they might appear like legitimate emails, these messages claim to have sensitive images or video of you in compromising situations. In order to prevent this media being shared, you have to pay up. In other words, these emails are meant to extort you.

When extortion scams are paired with media that is sensitive or sexual in nature, this is commonly referred to as “sextortion.”
Red Flags to Look For
Sadly, sextortion scams are becoming more and more prevalent, prompting companies to put protections in place, such as Instagram’s restrictions on its disappearing image feature. But for every protective measure, criminals will figure out technical vulnerabilities. So, we need to be able to look at things critically in cases when tech companies fall short.
Of course, the first thing to check is the username or email address. In this example, hackers abused a flaw in the Microsoft 365 Message Center’s “share” option, which is typically used for legitimate service advisories. This makes it look like the message is coming from Microsoft.com. Therefore, by itself, the sender’s address is not a proper litmus test.
Major red flags come in the content of the message. What is the sender asking of you? In the case of a legitimate data breach, would a company like Microsoft request payment in Bitcoin? The answer is no.
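The check described above, as an added sketch that is not from the original article or from Microsoft: it records the sender domain but never treats it as a verdict, and flags a message only when its body combines threat language with a cryptocurrency payment demand. The sample messages, the placeholder sender address, the Bitcoin-shaped string and the keyword lists are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Bitcoin address shapes: legacy/P2SH (base58) and bech32.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
CRYPTO = re.compile(r"\b(bitcoin|btc|cryptocurrency|crypto|wallet)\b", re.I)
THREAT = re.compile(r"\b(webcam|footage|recorded|internet history|compromising|expose)\b", re.I)
PAYMENT = re.compile(r"\b(pay|payment|transfer|send)\b", re.I)

def assess(raw: str) -> dict:
    """Score the body of a message; the sender domain is reported, not trusted."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    reasons = []
    if THREAT.search(body):
        reasons.append("threat language")
    if CRYPTO.search(body) or BTC_ADDR.search(body):
        reasons.append("cryptocurrency reference")
    if PAYMENT.search(body):
        reasons.append("payment demand")
    return {
        "sender_domain": addr.rpartition("@")[2].lower(),
        "reasons": reasons,
        # All three signals together match the extortion pattern in the article.
        "extortion": len(reasons) == 3,
    }

# Constructed samples: same (placeholder) sender, very different content.
SCAM = (
    "From: Microsoft <placeholder@microsoft.com>\n"
    "Subject: Message Center notification\n\n"
    "We recorded webcam footage of you. Pay 0.05 BTC to "
    "1FAKEADDRESSxxxxxxxxxxxxxxxxxxxx or we expose it.\n"
)
LEGIT = (
    "From: Microsoft <placeholder@microsoft.com>\n"
    "Subject: Service advisory\n\n"
    "Exchange Online maintenance is planned for this weekend. No action is required.\n"
)

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(name, assess(raw))
```

Both samples report the same sender domain, so only the content signals separate them.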
Don’t Play a Scammer’s Game
Even if you realize the message is coming from a hacker, you might still feel obligated to make a payment out of desperation to protect your supposedly stolen media. The risk could feel more real if the sender includes personal information in the message that backs up their claims.
For example, someone posted an example of one of these Microsoft emails on the Microsoft Answers forum, which contained the recipient’s birthday. A birthday is one thing—a backlog of “internet history” and secretly recorded “webcam footage” is another. Claims like these are far-fetched, and it’s best to report the email to Microsoft, or to whichever platform delivered the message.
Microsoft is currently investigating this criminal activity.
If it looks like a duck, quacks like a duck, but asks for Bitcoin—it’s probably a scam. Even if hackers have figured out how to bypass spam filters, they can’t hide their motives when it comes to the actual request. If your data has truly been compromised in a breach, a reputable company like Microsoft or Google will have steps for you to take that don’t involve cryptocurrency.