Microsoft 365 has long positioned itself as a secure, enterprise-grade communication and productivity suite, trusted by thousands of organizations worldwide. Yet, as threat actors grow in sophistication, even the most well-intentioned features can be cleverly subverted to bypass traditional security controls. A recent campaign uncovered by the Varonis Managed Data Detection and Response (MDDR) Forensics team shines a harsh light on just such a scenario, exploiting Microsoft 365's "Direct Send" functionality to deliver highly convincing phishing emails, often masquerading as internal communications.
The campaign, active since May 2025, has already impacted over 70 organizations, with a heavy focus on US corporations, according to Varonis' incident response records.
The Mechanics Behind the Attack
At the foundation of this newly discovered phishing campaign is the "Direct Send" feature within Microsoft 365. Originally designed to streamline internal communications (allowing devices like multi-function printers and line-of-business applications within an organization's tenant to distribute notifications without requiring standard authentication), Direct Send is now being wielded as a dangerous weapon in the hands of cybercriminals.

Rather than compromising user accounts or hacking into systems, attackers have realized that they can exploit publicly exposed tenant smart host addresses (such as `tenantname.mail.protection.outlook.com`, the same MX endpoint that receives the tenant's inbound mail on port 25). By connecting to these endpoints and mimicking the email formats of legitimate internal users, threat actors have managed to send spoofed emails that appear to come from within the organization. Direct Send can only deliver to recipients inside the tenant, but that is exactly what the attacker wants. Because the smart host accepts the connection and attributes the message to the organization, the mail is handled as intra-organization traffic rather than as inbound external mail, and so it often dodges the perimeter defenses and reputation-based filtering that most organizations rely on to identify phishing attempts and malicious payloads.

Why Direct Send?

Direct Send's primary purpose is convenience. With no need for username and password authentication, it enables seamless application-driven emails within an organization: for example, a networked printer alerting staff to low toner, or an application dispatching workflow notifications. However, its lack of authentication is precisely the Achilles' heel now being exploited, as external actors can spoof the "From" address as a trusted insider.

Step-by-Step: How the Attack Unfolds
- Reconnaissance: Attackers scour publicly available sources such as breached data, LinkedIn employee directories, and company websites to assemble lists of valid internal email addresses, and identify the target organization's smart host (its MX host under mail.protection.outlook.com, which is public by design).
- Delivery Mechanism: Using automated tools like PowerShell or SMTP scripting, attackers structure their messages to mimic the organization's typical internal communications. The "From" field is forged to impersonate a known colleague, manager, or generic internal service such as a voicemail or fax system.
- Abuse of the Smart Host: Messages are sent directly to the Microsoft 365 smart host over plain SMTP, which, absent strict controls, accepts these unauthenticated submissions and processes them as internal-to-internal mail.
- Bypassing Security: Because the emails are attributed to the tenant and carry none of the telltale signs of external delivery, the SPF, DKIM and DMARC failures they produce are recorded but not enforced the way they would be for inbound external mail. Third-party gateways, which typically sit in front of the MX record, never see the message at all, since the attacker connects to the tenant's smart host directly. The emails land in users' inboxes, appearing as innocent internal alerts or requests.
- Payload and Social Engineering: The phishing emails typically contain PDF attachments or links. For instance, Varonis reports examples where fake "voicemail" or "fax" notifications coax users to open attachments containing QR codes. Scanning these codes redirects victims to convincing credential-harvesting websites that mimic the Microsoft 365 login page.
Technical Artifacts: What Makes This Threat Hard to Catch
Varonis' forensic deep dive exposed several telling characteristics shared by these campaign emails:

- Header Anomalies: Even though the emails are treated as internal, header analysis of the earliest Received hop reveals external IP origins (notably, a cluster within the Ukrainian IP block 139.28.36.0/24).
- Failed Authentication: Since the emails are sent without authentication from IP addresses the tenant never authorized, SPF and DMARC checks fail and there is no DKIM signature. Yet, peculiarly, Microsoft's infrastructure still processes and delivers these messages as internal.
- Scripting Behavior: Some emails carry user agents indicative of automation or scripting (e.g., PowerShell), suggesting industrial-scale phishing rather than opportunistic attacks.
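Putting the attack chain above and the three artifacts just listed together gives a concrete triage rule: an internal-looking From, a first hop from an IP the tenant never authorized, SPF and DMARC failures with no DKIM, plus the secondary signals (known-bad range, scripted client, voicemail/fax lure). The following is an added Python example, not code from Varonis or from the original article, that applies that rule to raw message headers. It assumes the tenant domain is contoso.com and that legitimate Direct Send devices egress from 203.0.113.0/24; the two sample messages are constructed for the example, while the 139.28.36.0/24 range and the subject wording come from the published IOCs.

```python
import ipaddress
import re
from email import message_from_string

# Tenant-specific inputs. contoso.com and the 203.0.113.0/24 egress range are
# assumptions for this example; 139.28.36.0/24 is the range published as an IOC.
INTERNAL_DOMAINS = {"contoso.com"}
AUTHORIZED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_BAD_NETS = [ipaddress.ip_network("139.28.36.0/24")]
LURE_WORDS = ("vm message", "voicemail", "fax")           # wording from the published subjects
SCRIPTED_AGENT_MARKERS = ("powershell", "python", "curl")  # the write-up names PowerShell

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
ADDR_RE = re.compile(r"([\w.+-]+@[\w.-]+)")


def sender_domain(msg):
    """Domain of the From address the recipient sees."""
    m = ADDR_RE.search(msg.get("From", ""))
    return m.group(1).rsplit("@", 1)[1].lower() if m else ""


def origin_ip(msg):
    """IP literal from the earliest Received header. Each hop prepends a Received
    header, so the last one in header order is the first hop: the sending host."""
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(received)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def auth_results(msg):
    """Collapse Authentication-Results into {'spf': ..., 'dkim': ..., 'dmarc': ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT_RE.findall(header):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def in_any(ip, nets):
    return ip is not None and any(ip in net for net in nets)


def triage(raw):
    """Classify one raw message and return the findings behind the verdict."""
    msg = message_from_string(raw)
    ip = origin_ip(msg)
    auth = auth_results(msg)
    agent = (msg.get("User-Agent") or msg.get("X-Mailer") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    findings = []
    # Core pattern: internal From, first hop outside the authorized senders, and
    # authentication that failed across the board (SPF and DMARC fail, no DKIM).
    spoofed = (sender_domain(msg) in INTERNAL_DOMAINS
               and not in_any(ip, AUTHORIZED_SENDER_NETS)
               and auth.get("spf") in ("fail", "softfail")
               and auth.get("dmarc") == "fail"
               and auth.get("dkim", "none") == "none")
    if spoofed:
        findings.append("internal From delivered via unauthenticated external hop")
    if in_any(ip, KNOWN_BAD_NETS):
        findings.append(f"origin {ip} is in a known-bad range")
    if any(marker in agent for marker in SCRIPTED_AGENT_MARKERS):
        findings.append(f"scripted client: {agent}")
    if any(word in subject for word in LURE_WORDS):
        findings.append("voicemail/fax lure subject")
    verdict = "direct_send_spoof" if spoofed else ("review" if findings else "clean")
    return {"verdict": verdict, "origin_ip": str(ip) if ip else None, "findings": findings}


# Constructed sample headers, not real captures; continuation lines start with a space.
SPOOFED = """\
Received: from CO1PEPF000044F4.mail.protection.outlook.com (10.167.241.73)
 by SN1PR01MB1234.prod.exchangelabs.com; Tue, 3 Jun 2025 08:14:02 +0000
Received: from [139.28.36.230] (139.28.36.230)
 by CO1PEPF000044F4.mail.protection.outlook.com; Tue, 3 Jun 2025 08:14:01 +0000
Authentication-Results: spf=fail (sender IP is 139.28.36.230) smtp.mailfrom=contoso.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com
X-Mailer: PowerShell/7.4
From: "Voice Service" <voicemail@contoso.com>
Subject: Caller Left VM Message

See attached.
"""

PRINTER = """\
Received: from [203.0.113.10] (203.0.113.10)
 by CO1PEPF000044F4.mail.protection.outlook.com; Tue, 3 Jun 2025 09:00:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com;
 dkim=none (message not signed) header.d=none; dmarc=pass action=none header.from=contoso.com
From: printer-01@contoso.com
Subject: Toner low on printer-01

Replace the black cartridge.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("printer", PRINTER)):
        print(name, triage(raw))
```

Parsing the Received chain is a heuristic that a hostile or misconfigured relay can confuse; in production, take the connecting IP from the Exchange Online message trace rather than from headers, and run the rule as a hunting query over exported headers before you let it block anything. The printer sample passes only because its egress address is both in the authorized list and in SPF, which is the state every legitimate Direct Send device should be in.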
Indicators of Compromise (IOCs) and Campaign Scope
Varonis and cybersecurity outlets tracking this campaign have shared a trove of IOCs to assist blue teams in detection and triage efforts:

Category | Detail
---|---
IP Addresses | 139.28.36.230, multiple IPs in the 139.28.36.0/24 range
Suspicious Domains | hxxps://voice-e091b.firebaseapp[.]com, hxxps://mv4lh.bsfff[.]es
Email Subject Lines | "Caller Left VM Message", "New Missed Fax-msg", "Fax Received: Attached document for review REF"
Attachment Names | Filenames often include "Fax-msg", "Caller left VM Message", or "Listen"
Security Industry Response
This Direct Send exploit raises difficult questions for both Microsoft and the wider information security community. Traditionally, much emphasis has been placed on authenticating the sender's identity and assessing sender reputation. However, attacks that abuse internal channels to bypass these checks expose a fundamental blind spot.

Microsoft's Position and Recommendations

Microsoft, quick to acknowledge and respond to early reports, now urges all Exchange administrators to:

- Enable "Reject Direct Send": Exposed as the RejectDirectSend organization setting in Exchange Online, this control makes the tenant reject unauthenticated messages from the internet that claim an internal sender. Devices and applications that legitimately need to send mail then have to submit it another way, typically authenticated SMTP client submission or an inbound connector scoped to their IP addresses.
- Implement Strict DMARC with p=reject: While not a silver bullet in this context, a rigorous DMARC policy can reduce successful forgery if combined with other controls.
- Enforce SPF Hardfail: By ending the record with "-all" and ensuring only authorized IP ranges are listed, organizations limit which hosts may legitimately send as their domain.
- Static IP Enforcement: Microsoft further recommends that any device or application that must keep using Direct Send sends from a static IP address, so it can be listed in SPF and in connectors and told apart from attacker traffic in logs.
- User Awareness and Anti-Quishing Training: The prevalence of "quishing" (phishing via QR codes) underscores the urgent need for user training, especially for attacks that pivot from email to mobile device interaction.
Efficacy and Limitations of Current Defenses
Even advanced third-party email security solutions, which rely heavily on sender reputation, external relay detection, or DKIM/SPF validation, have largely failed to consistently identify these internally routed threats. Most products were built on the assumption that internal means trusted, a premise that attackers have now demonstrated is dangerously outdated.

Moreover, behavioral-based detection (monitoring for abnormal geolocations or user agents) offers some promise but requires deep integration, baselining, and potentially raises privacy concerns.
Critical Analysis: Balancing Convenience and Security in Microsoft 365
Notable Strengths
- Flexible Infrastructure: Direct Send remains an efficient method for non-interactive devices and services to communicate internally without embedding credentials into printers or legacy devices, an undeniable administrative convenience.
- Microsoft's Transparency: Microsoft's prompt response to the issue and its willingness to document and push best-practice mitigations have enabled many affected organizations to take swift remedial action.
- Community Collaboration: The publication of IOCs and threat intelligence by Varonis and security news outlets such as GBHackers has dramatically increased industry awareness and facilitated a swift response by incident response teams.
Potential Risks and Lingering Gaps
- Assumed Trust Model: The main driver of this exploit is an architectural assumption: that anything sent internally must be benign. Unless organizations review and adapt to the evolving threat landscape, this misplaced trust will continue to provide a convenient cloak for attackers.
- Awareness and Configuration Lag: Many IT teams, especially in mid-sized or under-resourced organizations, are unaware of Direct Send's risks or the need to proactively configure rejection and logging policies. This lag between threat discovery and real-world configuration change is a critical window for attackers.
- Potential for Lateral Movement: Although this particular campaign is focused on phishing and credential harvesting, sophisticated adversariesâhaving succeeded in compromising one set of credentialsâcould parlay their access into broader lateral movement, potentially accessing highly sensitive internal resources.
- Quishing on the Rise: The shift to QR code-based phishing (or "quishing") is particularly insidious. Because the malicious URL is encoded in an image rather than a clickable link, URL rewriting and link sandboxing never see it, and the victim completes the attack on a mobile device that is often outside the reach of traditional security monitoring.
Recommendations for Defenders
A multi-layered strategy is essential to mitigate Direct Send abuse and similar threats. Consider the following blue team playbook:

Technical Controls
- Audit Direct Send Usage: Regularly audit tenant-wide usage of Direct Send (Exchange Online message trace is the natural starting point) to identify the devices and applications that currently depend on it. Disable where not strictly necessary.
- Implement "Reject Direct Send": Turn on the RejectDirectSend organization setting to block unauthenticated direct sends, and move the devices that genuinely need to send mail to authenticated SMTP submission or to an inbound connector restricted to their static IPs.
- Strengthen SPF and DMARC: Move to hardfail with SPF (`-all`) and set DMARC to `p=reject` to suppress spoofed external messages.
- Geo-Location and User-Agent Monitoring: Flag emails exhibiting anomalous IP origination or the use of scripting-based user agents for additional scrutiny.
- Attachment and Link Sandboxing: Deploy automated analysis for attachments and embedded QR codes to detect and quarantine suspicious content before delivery.
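The SPF and DMARC hardening recommended in Microsoft's guidance above and in the controls list just given is easy to state and easy to get subtly wrong (a softfail that never became a hardfail, a p=none that was meant to be temporary, a pct=50 left over from a rollout). The following is an added Python example, not code from the article or from Microsoft, that lints a domain's published records against that guidance and shows a weak pair of records beside the hardened pair. The records are constructed; contoso.com and 203.0.113.0/24 are assumptions. Fetch the real ones with `dig +short txt contoso.com` and `dig +short txt _dmarc.contoso.com` and pass them in.

```python
def audit_spf(record):
    """Findings for one SPF TXT record; an empty list means it matches the guidance."""
    if not record or not record.startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders evaluate as neutral")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorizes every sender on the internet")
    elif all_term == "~all":
        findings.append("'~all' softfail: move to '-all' once every legitimate sender is listed")
    elif all_term == "?all":
        findings.append("'?all' neutral: unlisted senders are never rejected")
    if not any(t.startswith("include:spf.protection.outlook.com") for t in terms):
        findings.append("Exchange Online (spf.protection.outlook.com) is not an authorized sender")
    for t in terms:
        # Listing a huge block defeats the purpose of naming authorized senders.
        if t.startswith("ip4:") and "/" in t and int(t.rsplit("/", 1)[1]) < 16:
            findings.append(f"{t} is broader than a /16")
    return findings


def audit_dmarc(record):
    """Findings for one DMARC TXT record; an empty list means p=reject is fully enforced."""
    if not record or not record.startswith("v=DMARC1"):
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered or only quarantined; set p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not covered by reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are how unlisted legitimate senders get found")
    return findings


def audit(spf_record, dmarc_record):
    """Combined report for one domain."""
    return {"spf": audit_spf(spf_record), "dmarc": audit_dmarc(dmarc_record)}


# Constructed records. contoso.com and 203.0.113.0/24 are assumptions for the example.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.0.0/8 ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@contoso.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, audit(spf, dmarc))
```

Order of operations matters: list every legitimate sender, including the static IPs of devices that still use Direct Send, before switching to `-all` and `p=reject`, or you will reject your own printers along with the attacker. And neither record stops Direct Send abuse on its own, because Exchange Online attributes the message to the tenant rather than treating it as inbound external mail; the RejectDirectSend setting is the control that closes the door, and SPF/DMARC hardening is what stops the same spoof landing at third parties.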
User Awareness
- Security Training: Regularly update employee training modules, focusing on emerging attack vectors like quishing, QR code safety, and recognizing subtle changes in email tone or content.
- Simulated Phishing: Run periodic, realistic phishing simulations to test and reinforce user vigilance, tracking both click rates and reporting rates.
Incident Response
- IOC Watchlisting: Integrate all known IPs, domains, subject lines, and attachment patterns from ongoing campaigns into your SIEM and email security tooling.
- Compromised Credential Response: If user credentials are suspected to be compromised, enforce password resets and revoke all active sessions. Deploy conditional access policies to limit account abuse.
Looking Forward: The Imperative for Proactive Defense
Direct Send's exploitation is a lesson in how convenience features can turn into nightmare vectors if not handled with continuous vigilance and adaptation. As more business operations move to cloud and hybrid environments, threat actors will continue identifying and abusing inherent trust boundaries. Enterprise defenders must shed the binary mindset of "internal good, external bad," recognizing that today's attackers excel at blending in.

The case of Microsoft 365 Direct Send is a stark reminder: security is iterative. Safeguarding tomorrow's digital workplace demands constant reassessment of legacy assumptions, an embrace of zero-trust principles, and a culture of rapid response and user education.
By closing the Direct Send loophole and adopting holistic, proactive defense tactics, organizations can not only blunt the immediate risk of spoofed internal phishing but also shore up their broader cloud collaboration defenses against a rapidly evolving adversary ecosystem.
Source: GBHackers News Exploitation of Microsoft 365 Direct Send to Deliver Phishing Emails as Internal Users