Cybercriminals have ramped up efforts to abuse Microsoft 365's Direct Send feature and unsecured SMTP relays, launching phishing campaigns that masquerade as internal company email and put even vigilant organizations at substantial risk. According to recent research by Proofpoint, attackers are leveraging trusted cloud infrastructure to inject malicious messages directly into employee inboxes, camouflaged as legitimate business communications. The technique is insidious because it relies on an often-overlooked mail-flow behaviour rather than a software bug: fraudulent messages appear to originate from a trusted coworker or an internal department, reach users through the organization's own inbound mail path, and so sidestep both the intuition and many of the controls that treat internal mail as safe. The result is that a convenience feature becomes a vulnerability, and the organization's foundational trust is threatened.

Background

The recent wave of phishing attacks targeting Microsoft 365 users capitalizes on both the power and the limitations of built-in mail-flow features designed for enterprise convenience. Direct Send lets devices such as networked printers, scanners and line-of-business applications email notifications or scanned documents to internal recipients by connecting to the tenant's public MX endpoint (the host name ending in mail.protection.outlook.com) with no credentials at all. While the intent is to streamline workflows within companies, the very property that makes it convenient, acceptance of unauthenticated mail that claims to come from the organization's own domain, makes it an attractive attack vector for anyone on the internet who can reach that endpoint.
At the heart of this exploitation is the misuse of SMTP relays: mail servers or appliances that accept a message and forward it on to other servers. When a relay is misconfigured to accept mail for onward delivery without authentication or a source-IP allow list, it becomes a gateway for fraudulent messages that appear to originate from within a company's digital perimeter. The research also found that many of the abused appliances presented expired or self-signed TLS certificates, a sign of neglected administration rather than the cause of the relaying itself.

How the Attack Works

Exploiting Direct Send

Attackers initiate the scheme from a compromised or poorly protected host; in the observed campaign this was frequently a server running Windows Server 2022. From that platform they deliver phishing emails through Direct Send: the host connects to the target tenant's MX endpoint over SMTP on port 25 and submits a message whose envelope sender and From header carry the target's own domain. Critically, Direct Send was built for devices rather than users, so the endpoint asks for no proof of identity; the attacker needs only the tenant's domain name and a valid recipient address.

SMTP Relay Abuse

The attackers also route messages through unsecured third-party email security appliances configured as SMTP relays. These appliances, originally deployed to add a layer of filtering, traffic management or archiving, are instead exploited because they expose open communication ports (the research cites 8008, 8010 and 8015) and forward mail without requiring authentication. Many of them present expired or self-signed TLS certificates, a further sign that nobody is maintaining them.
This relay misuse creates two key advantages for the attackers:
  • The ability to bypass external IP-level filtering and traffic monitoring, because the message arrives from an appliance the target already trusts
  • The chance to manipulate message headers so that emails masquerade as intra-organizational messages

Crafting Believable Messages

To maximize the social engineering component, the phishing emails are tailored to look like routine business communication. Subject lines such as “task reminder,” “wire authorization,” or “new voicemail” prompt recipients into immediate action. These touches exploit cognitive shortcuts, leveraging urgency and authority, two of the core levers of phishing psychology.

Evading Security Controls

Microsoft's built-in protection does flag some of these messages: SPF typically fails because the sending IP is not in the target's SPF record, there is no DKIM signature, and Exchange Online Protection's composite authentication marks the message as a likely spoof. Yet because the message entered through the tenant's own MX endpoint with an internal From address, the outcome is often delivery to the Junk or quarantine folder rather than an outright reject, and users who rummage through those folders, or tenants whose spam filtering has been relaxed, still see them. Inboxes with poorly configured filters and low-awareness users remain especially vulnerable.

The Evolution of Trusted Cloud Exploitation

Cloud platforms like Microsoft 365 have become indispensable to business operations, powering communication, document sharing, and collaborative workflows. Their widespread adoption, however, makes them prime targets for abuse. Attackers increasingly favor these platforms because:
  • They are inherently trusted by users and security controls alike
  • Their complex feature sets can have hidden or poorly understood configurations
  • The cloud’s shared-responsibility model can lead to gaps in user-side security diligence
Microsoft 365’s Direct Send is just the latest example of a convenience tool repurposed for malicious ends. Abusing trusted cloud services has emerged as a dominant vector in recent phishing and business email compromise (BEC) trends, as threat actors find ingenious ways to blend into regular network traffic.

Anatomy of a Successful Attack: Step by Step

  • Attacker Access: The perpetrator gains control of an external or internal server, frequently via brute-force attacks or credential theft.
  • SMTP Relay Identification: The attacker scans for exposed or insecure email security appliances with reachable listening ports.
  • Message Injection: Emails are submitted to the relay, or straight to the target tenant's MX endpoint via Direct Send, with envelope and header addresses set to genuine company addresses or internal aliases.
  • TLS Certificate Presentation: While some appliances present valid DigiCert-issued certificates, many rely on expired or self-signed ones; either way the certificate authenticates the appliance, not the message, so it does nothing to stop the spoof.
  • Credibility Cloak: The use of legitimate business language and apparent organizational origin increases the odds of user interaction.
  • Security Evasion: The message traverses existing filters by exploiting implicit trust in internal sending infrastructure.
  • Phishing Payload Delivery: The recipient, believing the email to be authentic, clicks embedded links, opens attachments or provides sensitive information, often launching further compromise phases.

Organizational Risk: Trust and Reputation at Stake

This campaign exemplifies a broader, systemic issue: the erosion of trust foundational to modern digital communication. Exploiting internal-looking messages undermines security awareness training, which often encourages users to trust intra-company communications and only second-guess messages from unknown senders.
The risks extend beyond data theft:
  • Credential Harvesting: Successful phishing can lead to compromised accounts, facilitating further attacks both within and beyond the original victim organization.
  • Reputation Damage: When attackers use a company’s own domain to perpetrate fraud, client and partner trust may be irreparably harmed.
  • Compliance Impact: Breaches involving sensitive data invite regulatory scrutiny—including GDPR, HIPAA, or other regional mandates.
Organizations, therefore, face both technical and strategic risks as phishing sophistication increases.

Why Microsoft 365's Direct Send is a Target

Simplicity Breeds Exploitation

Direct Send was designed for seamless device-to-inbox workflows. Its strength, eliminating the need for per-device credentials, becomes a liability because the tenant's MX endpoint cannot tell a copier on the office LAN from a server on the other side of the internet: both simply present an envelope sender in the organization's domain.

Configuration Complexities

Managing Microsoft 365 environments can involve hundreds of individual settings, many with legacy or "default allow" postures. Direct Send is one of them. Nothing on the organization's own network has to be exposed for it to be abused, because the public MX endpoint accepts unauthenticated mail in the tenant's domain unless the tenant explicitly rejects Direct Send or filters self-domain mail from unknown source IPs. Hybrid on-premises/cloud estates with legacy devices are the ones most likely to still depend on the feature, and therefore the least likely to have turned it off.

Invisibility to End-Users

Because Direct Send is a back-end mail-flow feature, end-users are seldom aware of its existence, which makes abuse harder to spot. Security operations teams, overwhelmed with alerts, may overlook the subtle clues of internal message spoofing when the infrastructure itself is accepting the messages exactly as designed.

Defensive Measures: Strengthening Email Security

Audit and Harden SMTP Configurations

Regularly reviewing every SMTP relay point, particularly third-party security appliances, is non-negotiable. Administrators should:
  • Close open relays: require authentication or a tight source-IP allow list before the appliance will forward mail to any domain it does not host, and confirm the fix by testing from outside the network
  • Replace expired or self-signed TLS certificates with valid ones and keep them renewed
  • Restrict listening ports to those absolutely essential, and keep management interfaces off the internet
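As an added example (not code from Proofpoint, Hackread or Microsoft), the probe below performs the open-relay check that the audit above calls for. It runs against a constructed stand-in appliance on loopback so that it works offline; the host names and addresses (appliance.example.net, attacker.invalid, other-org.invalid) are placeholders. Pointed at a real appliance's SMTP port, the same probe_open_relay function answers the question "will this box forward mail for two addresses it does not host, without AUTH?" and backs out with RSET so that no message is ever queued.

```python
"""Open-relay probe against a constructed stand-in for a mail appliance.

Added example: the probe speaks just enough SMTP to learn whether a host will
accept an envelope whose sender and recipient are both foreign to it without
authenticating. The stand-in server lets it run offline."""
import socket
import socketserver
import threading


class _ApplianceHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. server.open_relay selects the weak behaviour
    (relay for anyone) or the hardened one (refuse foreign recipients)."""

    def handle(self):
        self.wfile.write(b"220 appliance.example.net ESMTP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-appliance.example.net\r\n250 8BITMIME\r\n")
            elif verb == "RCPT" and not self.server.open_relay:
                self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb in ("MAIL", "RCPT", "RSET", "NOOP"):
                self.wfile.write(b"250 OK\r\n")  # no AUTH ever demanded
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_appliance(open_relay=True):
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ApplianceHandler)
    server.open_relay = open_relay
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _read_reply(rfile):
    """Read one SMTP reply, including multi-line '250-' continuations."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return int(line[:3]), lines


def probe_open_relay(host, port, foreign_sender, foreign_rcpt, timeout=5.0):
    """True if host:port accepts MAIL FROM/RCPT TO for two addresses it does not
    host, with no AUTH. RSET is sent before QUIT so nothing is queued."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def send(cmd):
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            return _read_reply(rfile)[0]

        if _read_reply(rfile)[0] != 220:       # banner
            return False
        if send("EHLO probe.invalid") != 250:
            return False
        if send(f"MAIL FROM:<{foreign_sender}>") != 250:
            send("QUIT")
            return False
        relays = send(f"RCPT TO:<{foreign_rcpt}>") == 250
        send("RSET")
        send("QUIT")
        return relays


if __name__ == "__main__":
    for weak in (True, False):
        srv, port = start_fake_appliance(open_relay=weak)
        verdict = probe_open_relay("127.0.0.1", port, "probe@attacker.invalid",
                                   "someone@other-org.invalid")
        print("open_relay=%s -> %s" % (weak, "OPEN RELAY" if verdict else "refused"))
        srv.shutdown()
        srv.server_close()
```

Run the probe from an internet-side vantage point as well as from the LAN: an appliance that correctly refuses foreign recipients for one network may relay freely for the other, and that asymmetry is exactly what the campaign exploits.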

Disable Direct Send Where Unnecessary

Organizations that do not need Direct Send for critical workflows should turn it off. Exchange Online now provides a tenant-wide switch for this (Set-OrganizationConfig -RejectDirectSend $true in Exchange Online PowerShell); once enabled, the MX endpoint rejects unauthenticated messages that claim the tenant's own domain, so inventory the copiers, scanners and applications that still rely on the feature before flipping it. Those devices can be moved to authenticated SMTP client submission over TLS on port 587 with a dedicated service mailbox, or to an inbound connector scoped to their fixed public IP addresses; both provide the same functionality with a verifiable sender.

Implement Robust Email Authentication

The foundation of email authentication rests on SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). They do different jobs: SPF lists the IP addresses allowed to send for a domain and is not cryptographic at all; DKIM attaches a signature that the receiver verifies with a public key published in DNS; DMARC ties both results to the visible From domain and tells receivers what to do when neither aligns. For this campaign the critical detail is the DMARC policy: a spoofed Direct Send message from an attacker's IP typically fails SPF and carries no DKIM signature, but with p=none the receiver is asked only to report it, not to reject it. Publish p=quarantine or p=reject once legitimate senders are covered, and make sure the tenant's own anti-spoofing settings honor that policy for mail claiming an internal sender.
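To make the SPF/DKIM/DMARC relationship concrete, the following is an added example (not Microsoft's or Proofpoint's code) that evaluates a spoofed Direct Send message against a constructed set of DNS records for the fictional tenant example.com. The records, the IP addresses and the include: host are invented; the evaluator covers only the ip4, ip6, include and all mechanisms, treats alignment as an exact domain match rather than DMARC's relaxed organizational-domain alignment, and takes a DKIM result as a pre-verified d= domain instead of checking a signature. It goes slightly beyond the paragraph by showing that the receiver's action hinges entirely on the published p= tag.

```python
"""SPF and DMARC evaluation for a Direct Send spoof (added example).

The DNS answers are a constructed table, not live lookups. Only the ip4, ip6,
include and all mechanisms are implemented; alignment is an exact match; DKIM
is represented by the d= domain of an already-verified signature, or None."""
import ipaddress

DNS_TXT = {  # constructed records for the fictional tenant example.com
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.invalid -all",
    "_spf.mailhost.invalid": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=DNS_TXT, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for ip sending as
    domain. SPF is purely an IP allow list; nothing here is cryptographic."""
    record = txt.get(domain.lower())
    if depth > 10 or not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in _QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return _QUALIFIERS[qual]
        elif mech == "include":
            if check_spf(arg, ip, txt, depth + 1) == "pass":
                return _QUALIFIERS[qual]
        elif mech == "all":
            return _QUALIFIERS[qual]
    return "neutral"


def dmarc_policy(from_domain, txt=DNS_TXT):
    """Return the p= tag of the domain's DMARC record, or None if unpublished."""
    record = txt.get("_dmarc." + from_domain.lower(), "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None


def evaluate(header_from, mail_from, source_ip, dkim_domain=None, txt=DNS_TXT):
    """Combine SPF, (pre-verified) DKIM and DMARC into the action a receiver
    that honours the published policy would take."""
    from_domain = header_from.rsplit("@", 1)[1].lower()
    spf_domain = mail_from.rsplit("@", 1)[1].lower()
    spf = check_spf(spf_domain, source_ip, txt)
    spf_aligned = spf == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_domain is not None and dkim_domain.lower() == from_domain
    dmarc = "pass" if (spf_aligned or dkim_aligned) else "fail"
    policy = dmarc_policy(from_domain, txt)
    if policy is None:
        action = "deliver (no DMARC record)"
    elif dmarc == "pass":
        action = "deliver"
    else:  # p=none means "tell me about it", not "stop it"
        action = {"quarantine": "quarantine", "reject": "reject"}.get(
            policy, "deliver (monitor only)")
    return {"spf": spf, "dkim_aligned": dkim_aligned, "dmarc": dmarc,
            "policy": policy, "action": action}


if __name__ == "__main__":
    spoof = ("finance@example.com", "finance@example.com", "203.0.113.45")
    print("copier    ", evaluate("copier@example.com", "copier@example.com", "198.51.100.10"))
    print("spoof     ", evaluate(*spoof))                    # p=none: delivered anyway
    strict = dict(DNS_TXT, **{"_dmarc.example.com": "v=DMARC1; p=reject"})
    print("spoof+rej ", evaluate(*spoof, txt=strict))        # p=reject: rejected
```

The copier at 198.51.100.10 passes because its address is in the SPF record; the spoof from 203.0.113.45 fails SPF and has no DKIM, yet under p=none the verdict is still "deliver". Only the stricter policy turns the same evidence into a rejection.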

Enhance User Training and Awareness

Security education programs must evolve to address the nuanced shift in phishing tactics. Users should be trained to:
  • Remain vigilant for unexpected requests, even from apparent internal addresses
  • Verify business-critical requests through secondary channels
  • Report suspicious messages, regardless of sender identity

Leverage Advanced Threat Detection

Modern email security suites offer heuristic and machine-learning detection capable of identifying abnormal internal traffic patterns and flagging anomalies, even when messages arrive through legitimate channels. The specific signal in this campaign is cheap to look for: mail whose From address is in your own domain but which Exchange did not authenticate as internal, arriving from a source IP that is not one of your known devices.
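The rule just described, as an added example that is not part of the Proofpoint research or of any vendor product: it triages raw messages for the Direct Send pattern, a From address in one of our own domains that Exchange did not authenticate as internal, from a source IP that is not one of the devices we allow to use the feature, and records the SPF/DKIM/DMARC/compauth evidence discussed under "Evading Security Controls". The three sample messages are constructed to mimic the layout of the Authentication-Results and X-MS-Exchange-Organization-AuthAs headers that Exchange Online Protection stamps on mail; every value, address and host name in them is invented, and the allow-listed copier network for example.com is an assumption.

```python
"""Triage of mail that claims an internal sender but was never authenticated.

Added example. The samples imitate the header layout Exchange Online
Protection produces; their values are invented. DEVICE_NETS is an assumed
allow list of the only devices permitted to use Direct Send."""
import email
import ipaddress
import re
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}
DEVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed: the office copiers

SPOOFED_MAIL = """\
Received: from mx.attacker.invalid (203.0.113.45) by XX1-MX.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none
 header.from=example.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Finance Team" <finance@example.com>
To: employee@example.com
Subject: Wire authorization required today

Please approve the attached wire authorization before noon.
"""

COPIER_MAIL = """\
Received: from copier-3f.example.com (198.51.100.10) by XX1-MX.mail.protection.outlook.com
Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=example.com;
 dkim=none header.d=none; dmarc=pass action=none header.from=example.com; compauth=pass
X-MS-Exchange-Organization-AuthAs: Anonymous
From: copier@example.com
To: employee@example.com
Subject: Scanned document

Your scan is attached.
"""

INTERNAL_MAIL = """\
Received: from XX1-PR01MB0001.prod.outlook.com (2603:10a6:1:1::1) by XX1-PR01MB0002.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
From: coworker@example.com
To: employee@example.com
Subject: Task reminder

Don't forget the 3pm sync.
"""

_IP = r"[0-9A-Fa-f.:]+"


def _sender_ip(msg, auth):
    """Prefer the IP EOP wrote into Authentication-Results; fall back to the
    first parenthesised address in the topmost Received header."""
    m = re.search(r"sender IP is (" + _IP + ")", auth)
    candidates = [m.group(1)] if m else []
    candidates += re.findall(r"\((" + _IP + r")\)", msg.get("Received") or "")
    for cand in candidates:
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            pass
    return None


def triage(raw, own_domains=OWN_DOMAINS, device_nets=DEVICE_NETS):
    """Return None when the message needs no attention, else a finding dict.

    Rule: From is one of our domains, Exchange did not authenticate the
    submitter as Internal, and the source IP is not an allowed device."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in own_domains:
        return None  # external sender: ordinary filtering applies
    if (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower() == "internal":
        return None  # authenticated intra-tenant mail
    auth = " ".join(msg.get_all("Authentication-Results", []))
    ip = _sender_ip(msg, auth)
    if ip is not None and any(ip in net for net in device_nets):
        return None  # known Direct Send device, e.g. the copier
    reasons = [f"anonymous submission claiming {from_domain}",
               f"source {ip} is not a known Direct Send device" if ip else "source IP not found"]
    for check in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(check + r"=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            reasons.append(f"{check}={m.group(1)}")
    return {"verdict": "suspect", "sender_ip": str(ip) if ip else None,
            "subject": msg.get("Subject"), "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("spoof", SPOOFED_MAIL), ("copier", COPIER_MAIL), ("internal", INTERNAL_MAIL)):
        print(name, "->", triage(sample))
```

The copier passes only because its network is explicitly allow-listed; the moment a device is retired, remove its range, since anything else still matches the rule on anonymous submission alone. Feeding the function exported message headers or the output of a message trace gives a quick first cut that a heavier detection pipeline can then enrich.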

The Changing Landscape of Cloud-Based Phishing

This wave of Microsoft 365-based exploitation demonstrates that attackers are matching—or outpacing—enterprise adaptation in cloud environments. The shift to hybrid and fully remote work arrangements has expanded the attack surface, increased reliance on always-on cloud features, and made traditional perimeter-based defenses less effective.
Future campaigns are expected to grow in both volume and sophistication as:
  • Toolkits to automate phishing using Direct Send and SMTP vulnerabilities circulate on underground forums
  • Attackers chain vulnerabilities, combining social engineering with zero-day exploits and credential theft
  • Organizations lag in continuous cloud configuration monitoring

What Security Teams Must Do Now

Given the rapid evolution of tactics, defenders must shift from reactive to proactive stances. This includes:
  • Continuous Monitoring: Deploy solutions that monitor email flows within and across the organization, alerting on suspicious patterns.
  • Zero Trust Principles: Treat all communication, regardless of origin, with skepticism until thoroughly validated.
  • Regular Penetration Testing: Engage specialists to simulate internal and external phishing using the latest techniques to assess both technical and human vulnerabilities.
  • Security Posture Reviews: Frequently audit all feature use, roles, and permissions within the Microsoft 365 suite—disabling or constraining any function not explicitly needed for business continuity.

The Strategic Risk of Trusted Feature Abuse

Trust remains at the core of digital relationships—both between coworkers and with technology platforms. Attackers exploiting features like Direct Send capitalize on this trust, shifting the balance in their favor. For organizations, this means an urgent need to reconsider what is implicitly trusted within their cloud environments.
Tools designed to make business smoother can, without vigilant oversight, become double-edged swords. Even with multi-million dollar security investments, one overlooked SMTP configuration can undermine an organization’s entire digital defense.

Conclusion

The abuse of Microsoft 365’s Direct Send feature and unsecured SMTP relays marks a new frontier in internal phishing threats, where attackers cleverly disguise themselves as trusted insiders. The campaign exposed by Proofpoint is not merely a matter of technical flaw, but a challenge to the trust-based model upon which modern business collaboration is built. Responding effectively requires not only technical expertise but also a strategic cultural shift—where trust is continually tested, and cloud configurations are treated as living entities demanding constant attention. Organizations that heed these lessons will be equipped to withstand the evolving landscape of cloud-enabled cyber threats; those that do not risk being the next front-page victim of digital deception.

Source: Hack Read Hackers Abuse Microsoft 365 Direct Send to Send Internal Phishing Emails