A new wave of phishing attacks has cast a harsh spotlight on the security assumptions underlying Microsoft 365, as cybercriminals adapt with alarming speed to exploit lesser-known features. Over the past two months, a sophisticated campaign has targeted more than 70 organizations across critical U.S. industries, leveraging what was presumed to be a safe internal mail channel: the Direct Send feature of Microsoft 365.

Understanding the Threat: Direct Send in Microsoft 365

Direct Send is a function within Exchange Online created to streamline internal communications. Its principal use cases include enabling devices like printers, scanners, and line-of-business applications to send emails internally, rather than relying on fully authenticated mailboxes or third-party relays. Typically, Direct Send works over a smart host with a domain-specific address, following a predictable pattern such as tenantname.mail.protection.outlook.com.
Intended as a convenience, Direct Send was designed with minimal friction in mind; devices neither authenticate nor require complex configuration, which allows seamless email dispatch within an organization’s Microsoft 365 tenant. For years, this ease-of-use has benefited administrators and end-users in legitimate scenarios. However, this very convenience has now become a risk vector.

Anatomy of the Attack: Weak Authentication Meets Social Engineering

The crux of the current campaign, as detailed by security researchers at Varonis, is the total lack of authentication requirements for messages sent via Direct Send. Threat actors, needing nothing more than an organization’s email domain and valid recipient addresses—information often readily available via corporate websites or public documents—are able to route emails through Exchange Online’s infrastructure. These messages appear to originate from trusted internal sources, bypassing traditional external/internal email security checks.
Phishing remains one of the most effective attack methods against enterprises, often circumventing layered defenses through clever social engineering and technical subterfuge. The new Direct Send abuse raises the stakes by removing the need for initial access—such as compromised credentials—altogether. Instead, adversaries simply exploit a design oversight.

Technical Breakdown

  • Reconnaissance: Attackers identify Microsoft 365 tenants and enumerate valid recipient addresses. This is possible through OSINT (Open Source Intelligence) techniques, using public websites, LinkedIn, or even email address guesswork tools.
  • Spoofed Email Creation: Utilizing PowerShell commands, malicious actors craft emails that mimic internal business communications, orders, or requests.
  • Abuse of Direct Send: By connecting directly to the organization’s Exchange Online smart host, attackers transmit these phishing messages, which enter the internal network cloaked as legitimate internal mail.
  • Bypassing Security Controls: Because the email traffic doesn’t originate externally, the organization’s perimeter defenses—often set to scrutinize only inbound external email—apply lighter or no filtering, increasing the likelihood that phishing attempts reach inboxes unimpeded.
Varonis’s forensics indicate the attackers consistently evaded standard anti-phishing and anti-spam filters, capitalizing on Microsoft 365’s implicit trust in internal delivery. The campaign targeted a diversity of sectors, including healthcare, technology, finance, and government, underscoring its broad applicability and effectiveness.

Phishing Evolved: Why This Attack Works

Organizations worldwide have invested heavily in email security, yet almost all such systems have fundamentally segmented internal from external traffic. The rationale: internal users, trusted devices, and in-house mail flows pose less risk than emails sourced from the wilds of the Internet.
Direct Send’s core flaw, highlighted by these attacks, is that it constitutes a bridge between the outside world and the organization's trusted circle, with no gatekeeper in sight. By sending through the tenant’s own smart host, the phishing emails avoid being tagged as suspicious due to their apparent internal origin.

Attack Vectors and Phishing Lures

  • Credential Harvesting: Emails direct users to fake login portals that mimic legitimate organizational services, tricking them into submitting passwords.
  • Business Email Compromise (BEC): Spoofing executives or internal stakeholders, malicious messages request wire transfers, sensitive data, or urgent actions.
  • Payload Delivery: Attachments or web links introduce malware or ransomware, disguised as routine operational content.

Industry Impact: Measurable Risks Across Sectors

The campaign’s effectiveness is not hypothetical. At least 70 organizations—many with advanced security postures—were impacted during just the initial two months of activity. The cross-sector reach illustrates the versatility of the attack:
  • Healthcare: Phishing exploits sensitive workflows, risking exposure of medical records, insurance data, or prescription information.
  • Finance: Facilitation of fraud, theft of credentials for financial platforms, and unauthorized transactions.
  • Government: Compromises may enable access to sensitive internal systems, potentially jeopardizing public sector operations.
Given Direct Send’s ease of abuse, any enterprise with a Microsoft 365 tenant and poorly configured email controls is at risk.

Defensive Postures: What Organizations Can Do

Microsoft has neither publicly acknowledged nor patched the core flaw at the time of writing, but security experts argue that mitigation is both urgent and achievable. Several layers of defense are recommended:

1. Restrict Direct Send to Known Internal Hosts

  • Network Segmentation: Allow Direct Send traffic solely from whitelisted IP addresses corresponding to office equipment and trusted servers.
  • SMTP Relay Policies: Implement stringent policies that block Direct Send connections from unknown or non-corporate device IPs.

2. Enhance Email Filtering and Monitoring

  • Anomaly Detection: Activate logging and alerts for unusual patterns of email activity, especially messages purportedly internal but originating from atypical sources.
  • Internal Email Inspection: Adjust security tools to apply robust phishing and malware scanning even to mail traveling between internal addresses.

3. Harden Identity and Access Management

  • Recipient Validation: Block external connections attempting to masquerade as internal senders by enforcing sender validation checks.
  • Disable or Restrict Direct Send: Where possible, replace Direct Send with safer alternatives, or disable it entirely if not business-critical.

4. User Awareness and Training

  • Education: Regularly train users to spot spoofed internal communications, empowering them to question unexpected requests—even from apparent colleagues.
  • Phishing Simulations: Conduct simulated phishing exercises including those that mimic internal mail to gauge readiness and raise vigilance.
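The first three layers above (an allow-list of device IPs, inspection of internal-looking mail, and sender validation) can be expressed as one triage rule: a message whose From address is in the tenant's own domain, whose authentication did not pass, and whose connecting IP is not a known device is the Direct Send pattern. The following is an added example (not code from the article, Varonis or Microsoft) that applies that rule to message headers. It assumes a placeholder tenant domain `example.com`, a placeholder printer subnet `198.51.100.0/24`, and constructed `Authentication-Results` values written in the shape Exchange Online stamps on delivered mail (`spf=... (sender IP is a.b.c.d) ...`); the sample messages are constructed, not real traffic.

```python
"""Triage of mail that claims an internal sender but arrived unauthenticated.

Added example, not code from the article, Varonis or Microsoft. Assumptions:
ORG_DOMAINS and TRUSTED_DEVICE_NETS are placeholders for a tenant's real values,
and the Authentication-Results values are constructed in the shape Exchange
Online uses ("spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=...; ...").
"""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # placeholder: the tenant's accepted domains
# Placeholder: subnet of printers/scanners permitted to use Direct Send (layer 1).
TRUSTED_DEVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)
SENDER_IP_RE = re.compile(r"sender ip is ([0-9a-f.:]+)", re.I)


def parse_auth_results(value):
    """Map each mechanism in an Authentication-Results value to its result."""
    return {m.lower(): r.lower() for m, r in AUTH_RESULT_RE.findall(value or "")}


def sender_ip(auth_results_value):
    """Connecting IP that Exchange Online records inside Authentication-Results."""
    m = SENDER_IP_RE.search(auth_results_value or "")
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(raw_message):
    """Return (verdict, reasons) for one message; only headers are examined."""
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    _, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in ORG_DOMAINS:
        return "external", ["sender domain is not ours; ordinary inbound filtering applies"]

    auth_value = headers.get("Authentication-Results", "")
    auth = parse_auth_results(auth_value)
    # An aligned DMARC pass shows the internal sender is genuine (layer 3).
    if auth.get("dmarc") == "pass":
        return "internal-authenticated", ["dmarc=pass for our own domain"]

    ip = sender_ip(auth_value)
    if ip is not None and any(ip in net for net in TRUSTED_DEVICE_NETS):
        return "trusted-device", [f"unauthenticated, but {ip} is an allow-listed device"]

    # Internal-looking sender, no authentication, unknown source: the Direct Send pattern.
    reasons = [f"From claims internal sender {addr} but DMARC did not pass"]
    reasons.append(f"connecting IP {ip} is not an allow-listed device" if ip else "no sender IP recorded")
    reasons.extend(f"{m}={auth[m]}" for m in ("spf", "dkim", "compauth") if m in auth)
    return "suspected-spoof", reasons


# Constructed sample messages (headers + body); not real traffic.
SAMPLE_MESSAGES = {
    "spoof": (
        "From: CEO <ceo@example.com>\n"
        "To: finance@example.com\n"
        "Subject: Urgent wire transfer\n"
        "Authentication-Results: spf=fail (sender IP is 203.0.113.5)\n"
        " smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;\n"
        " dmarc=fail action=none header.from=example.com; compauth=fail\n"
        "\n"
        "Please process the attached payment today.\n"
    ),
    "printer": (
        "From: Scanner <scanner@example.com>\n"
        "To: alice@example.com\n"
        "Subject: Scanned document\n"
        "Authentication-Results: spf=none (sender IP is 198.51.100.20)\n"
        " smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;\n"
        " dmarc=none action=none header.from=example.com; compauth=none\n"
        "\n"
        "See attached scan.\n"
    ),
    "internal": (
        "From: Alice <alice@example.com>\n"
        "To: bob@example.com\n"
        "Subject: Lunch\n"
        "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
        " smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com;\n"
        " dmarc=pass action=none header.from=example.com; compauth=pass\n"
        "\n"
        "Noon?\n"
    ),
    "vendor": (
        "From: Billing <billing@vendor.example.net>\n"
        "To: ap@example.com\n"
        "Subject: Invoice 1042\n"
        "Authentication-Results: spf=pass (sender IP is 192.0.2.77)\n"
        " smtp.mailfrom=vendor.example.net; dkim=pass header.d=vendor.example.net;\n"
        " dmarc=pass action=none header.from=vendor.example.net; compauth=pass\n"
        "\n"
        "Invoice attached.\n"
    ),
}


def triage(messages=SAMPLE_MESSAGES):
    """Classify every message; returns {name: verdict}."""
    return {name: classify(raw)[0] for name, raw in messages.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, reasons = classify(raw)
        print(f"{name:9s} -> {verdict}: " + "; ".join(reasons))
```

Run stand-alone it prints one verdict line per sample; the executive spoof is the only message flagged as `suspected-spoof`, because it is the only one that combines an internal From domain, a failed DMARC check and a connecting IP outside the device allow-list. The same three conditions are what a mail flow rule or an alert in the tenant's filtering stack should key on; the printer subnet is the deliberate exception that keeps legitimate Direct Send working.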

Microsoft’s Position and the Question of Vendor Response

Microsoft has a track record of evolving its cloud security offerings, but the Direct Send issue reveals how default configurations or “legacy” features can introduce systemic vulnerabilities. Security researchers and IT administrators repeatedly warn that cloud convenience sometimes comes at the expense of robust safeguards.
In the official documentation, Microsoft touts Direct Send as a simple way for legacy devices to communicate without dedicated mailboxes. However, the documentation contains limited warnings regarding potential misuse or spoofing risks. As of now, there are no mainstream advisories about this type of exploit published on Microsoft’s own threat intelligence feeds. This lack of visibility could leave many organizations unaware and exposed.
Industry voices are pressuring the vendor for enhanced authentication mechanisms, IP restrictions by default, or at minimum, clearer guidance and immediate warning communications. Until vendor-side changes are implemented, responsibility falls to organizations to mitigate exposure through configuration, vigilance, and layered security controls.

A Broader Lesson: The Hidden Dangers of Convenience Features

This episode is emblematic of a wider pattern seen across enterprise IT: benign features, added to speed up daily tasks or streamline operations, can become powerful tools in the hands of attackers. Features designed with usability in mind, especially in sprawling SaaS ecosystems like Microsoft 365, must be continuously reassessed through a security-first lens.

Key Takeaways for CISOs and Security Teams

  • Never Trust, Always Verify: Adopt zero-trust principles even for “internal” email channels, as traditional perimeter defenses are increasingly obsolete in cloud-first environments.
  • Routine Audits: Regularly review all “anonymous” or “unauthenticated” features present in critical SaaS platforms and restrict their use wherever feasible.
  • Collaborate with Vendors: Engage in active dialogue with software providers to report vulnerabilities and lobby for upstream mitigations.

The Road Ahead: Will Microsoft Close the Gap?

While this campaign has raised the alarm, it is not an isolated event. As remote work and hybrid cloud architectures increase organizational complexity, attackers will undoubtedly continue to probe for such blind spots.
Pressure is building for Microsoft to deploy changes that obviate the main vector—such as mandatory sender authentication for all intra-tenant traffic or default network restrictions on smart host communications. In the interim, organizations must take ownership of their cloud risk, learning that even “internal” traffic cannot be blindly trusted.

Conclusion: Vigilance Is the New Normal

The Microsoft 365 Direct Send exploit underscores the shifting paradigm of enterprise security—from perimeter-focused fortresses to a complex web of trust relationships and implicit permissions. As attackers grow nimbler and as feature creep introduces unexpected risk, security teams must develop a mindset of continuous evaluation.
Organizations are urged to assess their reliance on Direct Send and similar convenience features, and shore up configuration, monitoring, and user awareness. Only through a combination of technical controls, education, and ongoing vigilance can enterprises defend effectively against the next wave of cloud-borne threats.
The lesson is clear: convenience, too often equated with security through obscurity, can carry hidden costs. In the rapid evolution of business IT, every feature—however minor—demands scrutiny. Only by championing a culture of curiosity and proactivity can the modern enterprise hope to stay a step ahead of today’s ever-adaptive cyberthreats.

Source: Red Hot Cyber Microsoft 365 Under Attack: How Hackers Use Direct Send to Send Phishing Emails