A new wave of targeted phishing attacks is sweeping through organizations, exploiting a legitimate Microsoft 365 feature to wreak havoc from inside the trusted walls of enterprise email. Security researchers have recently uncovered threat actors using the Microsoft 365 “Direct Send” capability to convincingly impersonate internal users, outmaneuvering many standard defenses and raising urgent questions about the security of cloud email systems. The assault, documented by multiple cybersecurity vendors and confirmed by Microsoft, is not just a cautionary tale—it’s an escalating trend that exposes serious weaknesses in how internal communications are authenticated and protected.

Background: The Anatomy of Modern Phishing

The evolution of phishing attacks has steadily rendered traditional security controls less and less effective. Gone are the days when suspicious links or obvious grammar errors provided conspicuous red flags. Today’s threat actors employ carefully engineered social engineering techniques, sophisticated payload obfuscation, and subtler forms of deception. Now, with the exploitation of Microsoft 365’s Direct Send feature, attackers have found a way to impersonate internal users, sidestepping the protocols designed to catch fake senders before harm is done.

How Direct Send Works—and How Attackers Exploit It​

Microsoft 365’s Direct Send exists for convenience. It lets printers, scanners, line-of-business applications and other devices send email to users in the tenant by connecting to the tenant’s Exchange Online MX endpoint (the so-called smart host, a hostname of the form tenant-tld.mail.protection.outlook.com) over plain SMTP on port 25. No username, password or certificate is required; the only restriction is that the recipient must be a mailbox in that tenant. The purpose is to keep legacy devices that cannot perform modern authentication delivering mail without extra infrastructure.
That same simplicity is what attackers have turned to their advantage. The endpoint name is public: it is published in DNS as the domain’s MX record, or follows the naming convention even when a third-party gateway holds the MX. Anyone can therefore connect to it, set the envelope sender and From address to an employee of the target, and hand the message straight to Exchange Online from any IP address in the world. Because the message is addressed from the organization’s own domain to its own users, filtering policies and recipients alike tend to treat it as internal mail even though it is anonymous inbound traffic. This gives outsiders a way to pose as human resources, finance, the executive suite or any other trusted role, sharply increasing the chance that recipients fall for the ruse.
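The reconnaissance step described above is a DNS lookup. The following function is an added example written for this article, not code from the original piece or from any of the vendors it cites; it assumes Windows PowerShell with the DnsClient and NetTCPIP modules, network access, and uses contoso.com as a placeholder domain. It reports the published MX, the Exchange Online endpoint implied by Microsoft’s naming convention, whether a third-party gateway sits in front of the tenant, and whether the endpoint accepts connections on port 25.

```powershell
# Added example, not from the article or from any cited vendor.
# Finds an organization's Direct Send endpoint from public DNS and shows
# whether mail can be handed to Exchange Online without touching the
# published MX. 'contoso.com' is a placeholder domain.

function Get-DirectSendEndpoint {
    param([Parameter(Mandatory)][string]$Domain)

    # Exchange Online names every tenant's inbound endpoint by convention:
    # dots in the domain become hyphens, then '.mail.protection.outlook.com'.
    # contoso.com -> contoso-com.mail.protection.outlook.com
    $conventional = ($Domain.ToLower().TrimEnd('.') -replace '\.', '-') +
                    '.mail.protection.outlook.com'

    # The lowest-preference MX is where the rest of the internet delivers
    # mail for this domain; it may be EOP itself or a third-party gateway.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'MX' } |
          Sort-Object Preference |
          Select-Object -First 1
    $mxHost = if ($mx) { $mx.NameExchange.TrimEnd('.').ToLower() } else { $null }

    $mxIsEop        = [bool]($mxHost -and $mxHost -like '*.mail.protection.outlook.com')
    $gatewayInFront = [bool]($mxHost -and -not $mxIsEop)

    # When a gateway holds the MX, the EOP hostname still exists and still
    # accepts mail; a message sent straight to it never crosses the gateway.
    $endpoint = if ($mxIsEop) { $mxHost } else { $conventional }

    # Direct Send is plain SMTP on port 25 to that hostname, no credentials.
    $reachable = Test-NetConnection -ComputerName $endpoint -Port 25 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Domain                = $Domain
        PublishedMX           = $mxHost
        ThirdPartyGatewayMX   = $gatewayInFront
        DirectSendEndpoint    = $endpoint
        EndpointAcceptsPort25 = $reachable
    }
}

Get-DirectSendEndpoint -Domain 'contoso.com' | Format-List
```

Run it against your own domains: a result with ThirdPartyGatewayMX set to True and EndpointAcceptsPort25 set to True is the exact configuration in which gateway-based filtering can be skipped by delivering straight to the tenant.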

Bypassing Key Email Protections: SPF, DKIM, and DMARC​

Email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) form the bedrock of most enterprise email security. They let a receiving system verify that a message genuinely comes from the domain it claims, so that impostors can be filtered out.
Direct Send mail does not so much defeat these checks as survive them. A message injected this way usually fails SPF (the attacker’s IP is not in the organization’s record), carries no DKIM signature, and therefore fails DMARC. The trouble is what happens next. The message has already been accepted by the tenant’s own MX endpoint; it never passes through a third-party secure email gateway that sits in front of the MX; and tenant policies that scrutinize only “external” senders do not fire on a message addressed from the organization’s own domain to its own users. Unless the tenant is configured to reject or quarantine own-domain mail that fails authentication, the failure is merely recorded in the headers and the message is delivered anyway. Researchers at StrongestLayer observed these emails evading not just Microsoft Defender but also third-party secure email gateways for exactly this reason.

Real-World Incidents: Targeting the Human Element​

StrongestLayer’s incident investigation revealed attackers spoofing employees from multiple departments, deliberately choosing high-trust roles. Because the messages entered through the tenant’s own endpoint, they never met the perimeter defenses at all. To further obscure their trail, the attackers sent messages with headers that were missing or intentionally malformed, making it exceptionally difficult to trace the true origin.
The exploitation did not require compromising any account or credential inside the victim organizations. Attackers needed only the correct smart host address, a puzzle quickly solved with public DNS records and basic reconnaissance. In some documented cases, malicious emails came from IP addresses in Ukraine and France, yet were accepted as trusted internal traffic by U.S. businesses. The consequences were significant: credential harvesting, malware distribution, and social-engineering lures that succeeded far more often than ordinary phishing.

The Scope and Scale of Direct Send Abuse​

This is not an isolated phenomenon. Over the past several months, security vendors like Varonis, Barracuda, and Arctic Wolf have tracked multiple phishing campaigns abusing Direct Send across diverse sectors. Varonis has documented attacks on more than 70 organizations. Barracuda, alarmed by the scale of the threat, designated Direct Send abuse as a “huge risk,” noting a sharp increase in campaigns delivering malicious QR codes, PDFs, and HTML attachments that harvest credentials.
Arctic Wolf is monitoring what it describes as a widespread campaign. Collectively, these findings suggest attackers are rapidly adopting and evolving the Direct Send phishing playbook—raising the stakes for every Microsoft 365 customer.

Why Are Traditional Defenses Failing?​

Inherent Flaws in Internal Trust Models​

The heart of the problem lies in how most email systems distinguish internal from external messages. Once a message is labeled as originating inside the organization, security tools often relax their scrutiny. Filtering, quarantine, and other policy controls frequently focus on traffic that crosses the organizational perimeter, not emails that appear to stay within. Direct Send abuse takes full advantage of this flawed trust model, enabling adversaries to launch highly effective attacks from what looks like an internal vantage point.

Evasion of Authentication Protocols​

SPF, DKIM and DMARC still evaluate these messages; the failure they record simply does not stop delivery unless the tenant is configured to act on it. Careful domain configuration therefore narrows the problem but does not close it: attackers need only mimic the formatting of legitimate device traffic, and the resulting message leaves little more than a failed authentication result and a Received line for investigators to work with afterwards.

Social Engineering’s New Power​

By exploiting internal impersonation, attackers not only bypass technical defenses but also gain unprecedented leverage in social engineering. Recipients are far more likely to trust messages from what appears to be a colleague, especially if the fake sender is in HR, finance, or an executive role. The result is a dramatic rise in successful credential theft, malware infections, and unauthorized access.

The Technical Mechanics: How the Attack Works​

Understanding Smart Hosts and Direct Send Endpoints​

Every Microsoft 365 tenant has an Exchange Online MX endpoint, the “smart host” through which mail for the tenant is received. Direct Send is simply the act of handing a message to that endpoint over SMTP with no authentication, addressed to a recipient in the tenant. The arrangement was intended for legacy devices that cannot support modern authentication. But because the endpoint name is predictable, anyone who identifies or infers it can hand it a message with a forged sender, and Exchange Online will accept it exactly as if it came from a trusted printer or scheduling application.

PowerShell Automation and Foreign Infrastructure​

In the incident analyzed by StrongestLayer, attackers used PowerShell scripts running on hosts abroad to automate delivery through the victim tenant’s smart host. Nothing in the tenant was compromised; the endpoint is public and the scripts simply used it. The automation streamlines the attack and obscures the operator’s location and identity, which makes incident response harder.

What Makes the Phishing Emails Believable​

  • Emails originate from addresses mimicking or matching internal users
  • No external warning banners or quarantine actions are triggered
  • Content is tailored to existing workflows or expectations (e.g., “Your HR Form,” “Urgent Finance Review”)
  • Malicious payloads are embedded as convincing QR codes, PDFs, or directly in HTML/SVG attachments
These traits combine to yield a success rate far above that of typical phishing campaigns.

Who Is Being Targeted—and Why?​

High-Value Sectors​

According to StrongestLayer, at least 95% of observed victims are U.S. organizations in financial services, manufacturing, and healthcare. These industries are perennial favorites for cybercriminals due to sensitive data, lucrative extortion prospects, and complex operational requirements that often slow security updates.

The “Low Tech, High Impact” Factor​

The Direct Send exploitation technique is gaining popularity because it requires relatively little technical preparation but achieves disproportionate results. Anyone who can gather smart host details—a straightforward feat with open-source intelligence—can potentially launch these attacks against thousands of targets with minimal infrastructure investment.

Microsoft’s Response: Partial Fixes and Ongoing Risk​

Microsoft has publicly acknowledged the Direct Send exploitation risk. In response it has added a tenant-level “Reject Direct Send” setting, along with guidance on header stamping and quarantine policies for catching spoofed own-domain traffic. While these steps provide additional barriers, their effectiveness depends on rapid adoption and careful configuration by administrators, which cannot be guaranteed in sprawling, decentralized environments.
Significantly, the Reject Direct Send setting is off by default, leaving organizations exposed until they enable it and move any legitimate Direct Send devices onto a configured inbound connector or authenticated submission.

Security Community’s Recommendations​

Hardening Direct Send Policies​

Security experts advise immediate steps for organizations using Microsoft 365:
  • Enable Reject Direct Send, which makes Exchange Online refuse unauthenticated mail from the tenant’s own domains unless it arrives through a configured inbound connector.
  • Implement strict DMARC enforcement, but recognize its limits against Direct Send abuse: the receiving tenant must actually act on the failure.
  • Deploy header stamping: insert a unique, secret header value into every message that legitimately enters through the Direct Send path (for example, via a mail flow rule keyed to the devices’ source IPs) so its origin can be validated downstream.
  • Quarantine or reject own-domain messages that lack the required stamp, and raise alerts on them for investigation.
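The four measures above translate into a handful of Exchange Online PowerShell commands. The following is an added example for this article, not configuration taken from the original piece or from Microsoft; it assumes the ExchangeOnlineManagement module, a tenant domain of contoso.com, two device IP addresses, and a header name and secret value that are all placeholders. It shows the weak default state first, then the stamping and quarantine rules, then the reject switch.

```powershell
# Added example, not from the article. Hardens a tenant against Direct Send
# spoofing. All domain, IP and header values below are placeholders.
Connect-ExchangeOnline

$orgDomain   = 'contoso.com'
$deviceIPs   = @('203.0.113.10', '203.0.113.11')   # printers/scanners that genuinely need Direct Send
$stampHeader = 'X-Contoso-DirectSend'               # assumed private header name
$stampValue  = '7d3b0a9c-stamp-value'               # assumed secret; treat it like a password

# 1. Weak (default) state: the tenant accepts Direct Send from any IP on earth.
Get-OrganizationConfig | Select-Object RejectDirectSend   # RejectDirectSend : False

# 2. A stamp is only as good as its secrecy, so first strip any copy of it that
#    did not come from a registered device. Priorities are relative to rules
#    already in the tenant; adjust if others exist.
New-TransportRule -Name 'Strip forged Direct Send stamp' `
    -HeaderContainsMessageHeader $stampHeader -HeaderContainsWords $stampValue `
    -ExceptIfSenderIpRanges $deviceIPs `
    -RemoveHeader $stampHeader `
    -Priority 0

# 3. Stamp mail that really did arrive from the registered devices.
New-TransportRule -Name 'Stamp registered Direct Send sources' `
    -SenderIpRanges $deviceIPs `
    -SenderDomainIs $orgDomain `
    -SetHeaderName $stampHeader -SetHeaderValue $stampValue `
    -Priority 1

# 4. Anything claiming to be from our domain, arriving unauthenticated from
#    outside the organization and carrying no stamp, is quarantined and audited.
New-TransportRule -Name 'Quarantine unstamped own-domain mail from outside' `
    -FromScope NotInOrganization `
    -SenderDomainIs $orgDomain `
    -ExceptIfHeaderContainsMessageHeader $stampHeader `
    -ExceptIfHeaderContainsWords $stampValue `
    -Quarantine $true `
    -SetAuditSeverity High `
    -Priority 2

# 5. Hardened state: refuse Direct Send entirely. Registered devices must now
#    come in through an inbound connector or use authenticated submission.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend   # RejectDirectSend : True
```

Once step 5 is applied, a spoofing attempt is refused at SMTP time with a 5.7.68 “Direct Send not allowed for this organization from unregistered sources” response, so the stamping and quarantine rules remain useful mainly as a safety net for devices that still enter through a connector. Run the rules for a week before flipping the reject switch to find devices nobody documented.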

Strengthening User Vigilance​

No technical control is perfect. Ongoing employee training remains critical—users must understand that even internal-looking emails can be risky, especially if they involve unexpected requests for credentials or attachments.

Monitoring and Incident Response​

Administrators should enhance monitoring to flag unusual activity, in particular own-domain messages delivered through the MX endpoint from IP addresses the organization does not own or has not registered for its devices, and regularly audit communication patterns for signs of social engineering.
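The monitoring described above comes down to reading a few headers. The following triage function and hunt query are an added example for this article, not code from the original piece or from any cited vendor. The two header samples are constructed for the illustration, modelled on the Received and Authentication-Results lines Exchange Online Protection writes; contoso.com, the IP addresses and the stamp header name are placeholders. The function flags a message as Direct Send spoofing when the sender domain is the organization’s own, Exchange recorded the submission as anonymous, and the connecting IP is either unregistered or the message lacks the stamp.

```powershell
# Added example, not from the article. Header triage for Direct Send spoofing
# plus a tenant-wide message-trace hunt. Samples below are constructed.

function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$OrgDomain,
        [string[]]$TrustedSourceIPs = @(),
        [string]$StampHeader = 'X-Contoso-DirectSend'   # assumed header name
    )
    # Unfold RFC 5322 continuation lines, then collect each header by name.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $fields = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') {
            $name = $matches[1].ToLower()
            if (-not $fields.ContainsKey($name)) { $fields[$name] = @() }
            $fields[$name] += $matches[2]
        }
    }
    # The hop written by EOP reads "from <helo> (<ip>) by <host>.mail.protection.outlook.com";
    # the parenthesised IP is the real connecting address, which nobody can forge.
    $eopHop   = $fields['received'] |
                Where-Object { $_ -match 'by [\w.-]+\.mail\.protection\.outlook\.com' } |
                Select-Object -First 1
    $sourceIp = if ($eopHop -match '\((\d{1,3}(?:\.\d{1,3}){3})\)') { $matches[1] } else { $null }
    $fromDomain = if ($fields['from'] -and $fields['from'][0] -match '@([\w.-]+)') { $matches[1].ToLower() } else { $null }
    $authAs   = $fields['x-ms-exchange-organization-authas'] | Select-Object -First 1
    $authRes  = $fields['authentication-results'] -join ' '
    $stamped  = $fields.ContainsKey($StampHeader.ToLower())

    $indicators = @()
    if ($authRes -match 'spf=(fail|softfail|none)') { $indicators += "spf=$($matches[1])" }
    if ($authRes -match 'dmarc=fail')               { $indicators += 'dmarc=fail' }
    if (-not $stamped)                              { $indicators += "no $StampHeader" }
    if ($sourceIp -and $TrustedSourceIPs -notcontains $sourceIp) { $indicators += "unregistered source $sourceIp" }

    $suspicious = ($fromDomain -eq $OrgDomain.ToLower()) -and ($authAs -eq 'Anonymous') -and
                  (($TrustedSourceIPs -notcontains $sourceIp) -or (-not $stamped))

    [pscustomobject]@{
        FromDomain = $fromDomain; SourceIP = $sourceIp; AuthAs = $authAs
        Suspicious = $suspicious; Indicators = ($indicators -join '; ')
    }
}

function Find-UnregisteredDirectSend {
    # Tenant-wide hunt over recent message trace (requires Connect-ExchangeOnline):
    # own-domain senders whose connecting IP is not a registered device.
    param([Parameter(Mandatory)][string]$OrgDomain, [string[]]$TrustedSourceIPs = @(), [int]$Days = 7)
    Get-MessageTrace -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -PageSize 5000 |
        Where-Object { $_.SenderAddress -like "*@$OrgDomain" -and $_.FromIP -and
                       ($TrustedSourceIPs -notcontains $_.FromIP) } |
        Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, Subject
}

# Constructed sample 1: the attack pattern (external IP, own-domain From, no stamp).
$spoofed = @'
Received: from mail.example.net (198.51.100.7) by
 DM6NAM11FT001.mail.protection.outlook.com (10.13.172.13) with Microsoft SMTP
 Server id 15.20.7000.1 via Frontend Transport; Mon, 7 Jul 2025 13:02:11 +0000
Authentication-Results: spf=softfail (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com;
X-MS-Exchange-Organization-AuthAs: Anonymous
From: HR Department <hr@contoso.com>
To: jane.doe@contoso.com
Subject: Your HR Form
'@

# Constructed sample 2: a registered printer, stamped by the tenant's mail flow rule.
$printer = @'
Received: from printer01.contoso.com (203.0.113.10) by
 BN8NAM12FT042.mail.protection.outlook.com (10.13.182.34) with Microsoft SMTP
 Server id 15.20.7000.1 via Frontend Transport; Mon, 7 Jul 2025 13:05:40 +0000
Authentication-Results: spf=softfail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com;
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Contoso-DirectSend: 7d3b0a9c-stamp-value
From: scanner@contoso.com
To: jane.doe@contoso.com
Subject: Scanned document
'@

$trusted = @('203.0.113.10')
Test-DirectSendSpoof -RawHeaders $spoofed -OrgDomain contoso.com -TrustedSourceIPs $trusted | Format-List
Test-DirectSendSpoof -RawHeaders $printer -OrgDomain contoso.com -TrustedSourceIPs $trusted | Format-List
```

Note that both samples fail SPF and DMARC: a legitimate printer and an attacker look identical to authentication alone, which is why the verdict keys on the connecting IP and the stamp rather than on the authentication result. Find-UnregisteredDirectSend applies the same idea across the whole tenant once connected to Exchange Online.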

Assessing the Risks: Unchecked, This Is a Dangerous Escalation​

The rising adoption and success of Direct Send-based attacks present multiple urgent risks:
  • Stealthy Credential Harvesting: Credential phishing attempts that appear to be internal are less likely to be reported, giving attackers a longer window to exploit stolen information.
  • Spread of Malware: Embedded PDFs, QR codes, or HTML payloads can deliver ransomware or remote access tools straight to user inboxes, bypassing sandboxing or external scanning policies.
  • Supply Chain Insecurity: Once attackers compromise a single tenant, they may attempt lateral movement to vendors, partners, and customers—using a trusted internal identity as a springboard.
  • Forensic Blind Spots: Malicious headers, missing logs, and the internal appearance of traffic make retroactive investigation difficult, impeding response times and increasing recovery costs.
Organizations that are slow to recognize or address these threats run the risk of major data breaches, compliance violations, and regulatory fines.

Mitigation: Concrete Steps to Restore Trust​

In the face of these challenges, a pragmatic approach is required:

1. Audit and Reconfigure Direct Send​

Immediately inventory every device and application that uses Direct Send. Limit the path to those that absolutely need it, register their source IP addresses in an inbound connector so the tenant can tell them apart from the rest of the internet, move anything that can support authenticated submission off Direct Send entirely, and retire legacy devices that cannot be secured either way.

2. Tighten Internal/External Email Boundaries​

Implement internal segmentation so that even messages appearing to be from inside must pass some authentication checks or contain verified stamps. Consider using additional internal gateways for sensitive departments or high-risk workflows.

3. Modernize Employee Awareness Campaigns​

Update phishing training programs to specifically include the new dangers of “internal” phishing emails. Teach warning signs even when emails originate from senior staff or critical business units.

4. Monitor and Respond Continuously​

Adopt automated threat detection tools capable of analyzing message metadata and flagging anomalies across all internal message streams. Ensure that incident response teams are prepared for events where the usual external-sender indicators (warning banners, gateway verdicts) are absent and the only signal is an authentication failure on a message that claims to come from the organization’s own domain.

Looking Ahead: The Future of Email Trust in Cloud Environments​

As cloud adoption surges and remote work continues, the line between “inside” and “outside” the enterprise grows ever blurrier. Attackers’ relentless innovation—now typified by exploits against Microsoft 365’s Direct Send—demands an equally adaptive defense posture.
While Microsoft and other vendors race to patch the gaps and roll out improved policy controls, responsibility ultimately rests with organizations to drive quick detection, robust configuration, and a doubly cautious cultural attitude toward all internal communications.

Conclusion: Defending Against Impersonation in the Microsoft 365 Era​

The abuse of Microsoft 365’s Direct Send feature to spoof internal users marks a pivotal shift in the phishing threat landscape. Armed with little more than basic reconnaissance, today’s cybercriminals can penetrate organizational defenses with unprecedented ease—gaining trust, bypassing authentication, and inflicting real damage.
Organizations must now recognize that security is no longer guaranteed by internal senders or familiar addresses. Every email, even one purporting to come from the heart of the enterprise, must be subject to scrutiny. Through technical controls, vigilant configuration, and robust end-user education, businesses can reclaim trust in their communications and minimize exposure to this rapidly evolving threat. Only by acting with urgency can IT and security leaders prevent tomorrow’s attacks from becoming today’s headlines.

Source: Dark Reading | Security https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users/
 
