In recent months, cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits Microsoft 365's "Direct Send" feature to impersonate internal users and bypass traditional email security measures. This technique has targeted over 70 organizations, primarily in the United States, without requiring attackers to compromise any accounts.
Source: Cyber Press https://cyberpress.org/abuse-of-microsoft-365-direct-send-to-send-phishing-emails/?amp=1
Understanding Microsoft 365's Direct Send Feature
Microsoft 365's Direct Send is designed to allow internal devices, such as printers and scanners, to send emails without authentication. This feature uses a smart host with a predictable format: tenantname.mail.protection.outlook.com. While intended for internal communications, the lack of authentication requirements makes it susceptible to abuse. Attackers can exploit this by identifying a target organization's domain and valid email addresses, enabling them to send spoofed emails that appear to originate from within the organization. (csoonline.com)
The Mechanics of the Phishing Attack
The attack process is alarmingly straightforward:
- Domain Identification: Attackers determine the target organization's domain and gather valid internal email addresses, often through public sources or social media.
- Email Spoofing: Using PowerShell scripts, attackers send emails through the organization's smart host, crafting messages that appear to come from legitimate internal addresses.
- Payload Delivery: The phishing emails often mimic voicemail notifications and include PDF attachments with QR codes. When scanned, these codes redirect users to malicious sites designed to harvest Microsoft 365 credentials—a tactic known as "quishing." (securityonline.info)
Challenges in Detection
Detecting these phishing attempts is challenging due to several factors:
- Legitimate Infrastructure: The emails originate from Microsoft's trusted domains, making them less likely to be flagged by security systems.
- Valid Authentication Markers: The spoofed emails often pass SPF, DKIM, and DMARC checks, further enhancing their legitimacy.
- Social Engineering: The use of familiar internal addresses and urgent messaging increases the likelihood of user interaction. (cyberpress.org)
Mitigation Strategies
To defend against this type of attack, organizations should consider the following measures:
- Disable Direct Send: If not actively used, disable the Direct Send feature via the Exchange Admin Center.
- Implement Strict DMARC Policies: Enforce a reject policy to prevent spoofing of internal domains.
- Configure SPF and Anti-Spoofing Policies: Set SPF to hardfail and use anti-spoofing policies to flag unauthenticated internal emails.
- User Education: Train employees to recognize phishing attempts, especially those involving QR codes and voicemail-themed lures.
- Monitor for Anomalous Activity: Keep an eye on email logs for unusual patterns, such as emails appearing to be sent from internal users to themselves. (enterprisesecuritytech.com)
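One way to implement the monitoring step above, as an added example that is not from the article or from Microsoft: a small Python checker run over a constructed message-trace export. It assumes the export carries the sender, recipient, an authentication type ("anonymous" for unauthenticated relay submissions) and the SPF verdict; the column names and the tenant domain example.com are placeholders.

```python
"""Flag Direct Send-style internal-address spoofing in a message-trace CSV.
Assumptions (not from the article): columns are msg_id, sender, recipient,
auth_type, spf, dkim; auth_type is 'anonymous' for unauthenticated SMTP
relay submissions; spf holds the Authentication-Results verdict."""
import csv
import io

ORG_DOMAIN = "example.com"  # placeholder tenant domain

# Constructed sample trace: an authenticated user mail, a legitimate printer
# relay from an IP in the SPF record, and two Direct Send-style spoofs.
SAMPLE_TRACE = """\
msg_id,sender,recipient,auth_type,spf,dkim
1,alice@example.com,bob@example.com,oauth,pass,pass
2,scanner@example.com,helpdesk@example.com,anonymous,pass,none
3,ceo@example.com,ceo@example.com,anonymous,softfail,none
4,hr@example.com,bob@example.com,anonymous,fail,none
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def flag_message(row, org_domain=ORG_DOMAIN):
    """Return the reasons a message looks like internal spoofing, or []."""
    reasons = []
    if domain_of(row["sender"]) != org_domain:
        return reasons  # external senders are left to normal anti-spam
    unauthenticated = row["auth_type"] == "anonymous"
    if unauthenticated and row["spf"] != "pass":
        reasons.append("internal sender via unauthenticated relay, SPF " + row["spf"])
    if unauthenticated and row["sender"].lower() == row["recipient"].lower():
        reasons.append("internal user mailing themselves via unauthenticated relay")
    return reasons


def scan_trace(text, org_domain=ORG_DOMAIN):
    """Return {msg_id: [reasons]} for every flagged row in the CSV text."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = flag_message(row, org_domain)
        if reasons:
            hits[row["msg_id"]] = reasons
    return hits


if __name__ == "__main__":
    for msg_id, reasons in scan_trace(SAMPLE_TRACE).items():
        print(msg_id, "; ".join(reasons))
```

The self-addressed rule fires independently of the SPF verdict, so it still catches the "user mails themselves" pattern when the spoof otherwise passes authentication checks.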
Conclusion
The abuse of Microsoft 365's Direct Send feature underscores the evolving tactics of cybercriminals who exploit trusted infrastructures to conduct phishing attacks. Organizations must adopt a proactive security stance, combining technical controls with user awareness, to effectively defend against these sophisticated threats.