Mitigating Risks of Microsoft 365 Direct Send: Security Best Practices for Enterprises

Hackers continue to evolve their tactics, and with sophisticated attacks targeting even the most mature enterprise technology stacks, the recent exploitation of Microsoft 365’s Direct Send feature underscores the persistent cat-and-mouse game between IT teams and cybercriminals. Direct Send, a capability originally built into Microsoft 365’s Exchange Online ecosystem, was intended as a practical solution for business operations—specifically, to let multifunction printers, scanners, and select on-premises applications deliver emails directly through the organization’s domain. However, as highlighted by a well-documented wave of attacks and recent advisories, this feature has proven to be a double-edged sword.

Understanding Direct Send and Its Legitimate Purpose​

Direct Send has been a fixture of Microsoft 365’s Exchange Online services, providing a direct communication channel between on-premises hardware or legacy applications and the organizational email infrastructure. The primary use case? Devices like copiers or document scanners that need to send scanned files as email attachments—not from random third-party addresses, but from the corporate domain itself.
When properly implemented, Direct Send offers convenience and an audit-friendly way for organizations to centralize their outbound device email traffic. For example, a digital scanner configured with Direct Send pushes a scan directly to the intended recipient’s inbox, bearing the familiar organizational address. There is no need for per-device mailboxes or complex SMTP relay setups: the scan comes from "scanner@company.com," not a suspicious generic sender.

The Security Weakness Exposed​

Unfortunately, the very strengths that make Direct Send useful—trusted sender identity, ease of configuration for device admins—are precisely what adversaries are exploiting in the wild. In the latest attacks first reported by BleepingComputer and further analyzed by security firms such as Varonis, threat actors have latched on to this little-known feature to orchestrate sophisticated phishing schemes targeting Microsoft 365 customers.
By leveraging improperly secured Direct Send setups, attackers craft malicious messages that seem to originate from genuine corporate email addresses. Recipients, conditioned to trust messages from internal senders—especially those mimicking routine business functions—are more likely to interact with such emails. In the incident wave disclosed since May 2025, over 70 organizations (mainly in the United States) reportedly fell prey, with emails often containing links to counterfeit Microsoft forms. When unsuspecting recipients enter their credentials, attackers instantly harvest valuable usernames and passwords.

The Attack Flow in Brief​

• Hackers Identify Vulnerable Direct Send Configurations: Typically, these are organizations that have not fully restricted which devices or IPs can use Direct Send, or those with legacy "smart host" setups exposed to the internet.
• Spoofed Emails Are Sent: The attacker crafts messages bearing legitimate sender headers; the domain and address appear authentic because they are routed through the company’s own email system.
• Phishing Lure Delivered: Links in these emails led to visually convincing but malicious Microsoft login forms or faux SharePoint/OneDrive pages.
• Credentials Harvested: Once credentials are entered, attackers capture them and can move laterally through the organization.

What elevates the risk profile is a fundamental anti-phishing principle: the more “believable” a message, the harder it is for security gateways—and humans—to detect the ruse. Direct Send abuses bypass many external warnings and allow for a higher rate of initial compromise.

Microsoft’s Stance and Guidance​

Microsoft’s official documentation has long cautioned that Direct Send should only be used by organizations prepared to accept the operational burden of “email server admin” responsibilities. The tech giant emphasizes that, while Direct Send can be secure, its safety depends entirely on rigorous configuration discipline.
A Microsoft spokesperson stated: “We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins.” This is more than a disclaimer; it reflects a known friction point in enterprise IT, where convenience and security are perpetually in tension.
Microsoft’s core recommendations for using Direct Send securely include:

• Restricting access to the SMTP endpoint by both IP and device.
• Configuring authenticated relay, where possible, over Direct Send.
• Monitoring email flow logs for suspicious device activity and unauthorized source IPs.
• Deactivating anonymous relay options whenever possible.

Notably, Microsoft responded to the uptick in attacks by rolling out new controls in April 2025. Chief among them is the “Reject Direct Send” setting, now available in the Exchange Admin Center. When enabled, this control can block emails sent from devices or apps that use Direct Send, significantly tightening the attack surface—provided administrators actively turn on the feature.

Varonis Security Analysis: Anatomy of a Live Attack​

Security firm Varonis, among others, has dissected real-world phishing incidents exploiting Direct Send. Their threat research highlighted two key attack vectors:

• Compromised On-Premises Devices: Attackers gain access to insecure network devices and co-opt them to send phishing emails. Because these devices are “trusted” by the email server, their output flows directly to recipients’ mailboxes, with little in the way of authentication challenge.
• Open SMTP Smart Hosts: Misconfigured smart hosts (SMTP relays) exposed to the internet allow practically any sender with knowledge of the endpoint to dispatch spoofed email using the organization’s domain.

An example cited by Varonis described an attacker who sent a “shared document” notification to employees, complete with a branded Microsoft 365 theme. The attached link redirected to a meticulously crafted fake Microsoft login screen. In several observed campaigns, multi-factor authentication (MFA) was not enabled, allowing the attacker immediate access after obtaining credentials.

Who’s Been Targeted?​

Analysis indicates that affected organizations span manufacturing, healthcare, financial services, and education. The common denominator: hybrid environments where legacy on-premises tech is “bolted on” to cloud services, often with insufficient segmentation or policy controls.

Critical Review: Are the Risks Overstated?​

It’s tempting to label Direct Send as a security “loophole,” but such a claim requires nuance. Like many enterprise tools, Direct Send is not inherently dangerous; its risk arises primarily from deployment hygiene and the organization’s appetite for maintaining older workflows that predate widespread adoption of cloud-first principles.

Strengths of Direct Send​

• Operational Simplicity: Direct Send fills a niche for organizations with critical business workflows tied to on-premises equipment that cannot be easily migrated to the cloud.
• Maintains Organizational Branding: Device-generated emails appear professional and trusted, marked by the organization’s official domain.
• Reduces Licensing Requirements: Organizations do not need to assign separate mailboxes or user licenses to each scanner, copier, or legacy app.

Notable Weaknesses​

• Weak Default Security Posture: Legacy configurations are often permissive by default, making them tempting targets.
• Lack of Sender Authentication: Email from internal devices is trusted as “internal,” even if the device itself is compromised.
• Lateral Movement Opportunities: Once credentials are harvested, attackers may bypass additional security layers if MFA is not universally enforced.
• Absence of Built-In Alerts: Direct Send exploits may evade both technology-based alerts (since the address/domain is “known”) and end-user suspicion.

Security experts widely agree: the core risk is not with the architecture, but in the prevalence of defaults, legacy systems, and understaffed IT teams treating device email configuration as a one-off project, never to be revisited. In this environment, the lack of ongoing auditing and monitoring is a bigger issue than the feature itself.

Protecting Your Organization: Practical Steps​

With awareness of the threat at a high, especially in light of recent coverage by PCWorld, BleepingComputer, and threat research labs, what should organizations be doing today to safeguard themselves?

1. Audit All Direct Send Configurations​

• Inventory every device, application, and SMTP relay using Direct Send.
• For each instance, document the allowed sender addresses and identity verification mechanisms in place.

2. Apply the “Reject Direct Send” Policy​

• In Exchange Admin Center, enable the new “Reject Direct Send” control to prevent unauthorized senders from leveraging Direct Send for phishing.
• Regularly review Microsoft’s security advisories and update policies with the latest recommendations.

3. Restrict Access as Tightly as Possible​

• Use IP allow-listing for SMTP endpoints.
• Require device authentication where possible.
• Remove or disable legacy relay connectors that are no longer in use.

4. Implement Organization-Wide MFA​

• Make multi-factor authentication mandatory for all users, including those accessing email from nonstandard apps and devices.
• Monitor for non-MFA logins as a warning sign for possible configuration gaps.

5. Monitor and Alert on Suspicious Outbound Mail​

• Configure mail flow rules to detect and quarantine emails sent en masse from single devices or accounts.
• Enable mailbox auditing and review logs for signs of compromised infrastructure.

6. User Education and Internal Awareness​

• Train employees to be cautious, even with emails that appear genuinely internal.
• Emphasize the risk of credential phishing, even from familiar sender addresses.

7. Decommission or Update Legacy Devices​

• Where feasible, replace or reconfigure outdated devices and software that cannot be secured using modern authentication models.

How Effective is “Reject Direct Send”?​

The addition of the “Reject Direct Send” setting is a meaningful leap forward, as it provides organizations with a clear, enforceable mechanism to prevent common abuses of this feature. However, security experts caution that its efficacy depends on adoption. As with any new setting, inertia and lack of awareness could lead to continued risks if organizations fail to act. Early reports from admins who have implemented the setting suggest it does not disrupt legitimate workflows when device whitelisting is properly handled—however, enterprises with poorly documented device inventories may initially experience disruptions until all “legit” senders are correctly identified and permitted.
It’s worth noting that the mere existence of the control is not a silver bullet. The sophistication of attackers means that organizations must remain vigilant across all aspects of their mail infrastructure.

Looking Forward: The Future of Hybrid Email Security​

The Direct Send incident is only the latest reminder of the challenges inherent in maintaining secure, hybrid cloud/on-premises environments. As more organizations blend cloud-first strategies with legacy on-premises tech, the potential for “gray zones” of security increases. These are the places where policy, technology, and human behavior intersect—and where adversaries are adept at probing for weakness.
Microsoft is likely to continue investing in features that harden Exchange Online and its interoperability with on-premises devices, and many third-party security vendors are stepping up with anomaly detection and device management solutions.

Recommendations for Microsoft​

Security researchers encourage Microsoft to:

• Increase default security settings for new Exchange Online tenants to disable Direct Send unless explicitly required.
• Offer wizard-driven policy templates for common scenarios (e.g., “scanner email” mode vs. “general relay”), making secure configuration the path of least resistance.
• Expand device identity and telemetry features in Exchange Online to help admins continuously verify and audit non-human mail senders.
• Provide more fine-grained logging and explainable alerts when device behavior changes (e.g., a device that’s never sent external mail suddenly does so).

Conclusion: Balancing Usability and Vigilance​

No technology solution is entirely immune from exploitation—especially in large, distributed organizations with complex IT environments. The Direct Send abuse scandal reveals how attackers leverage trusted infrastructure for damaging social engineering campaigns. While some have called for its wholesale retirement, the reality is more complex: business needs often force continued reliance on legacy connectors and devices, making “rip and replace” strategies impractical.
Ultimately, the incident highlights three enduring truths in cybersecurity:

• Features designed for operational flexibility often become risk vectors without continuous re-evaluation.
• User training, strong authentication policies, and vigilant monitoring remain essential, even in the most trusted parts of the IT environment.
• New security controls, such as “Reject Direct Send,” are powerful only when applied with discipline and understood in the broader context of organizational risk management.

For IT teams, the imperative is clear: treat every system, no matter how “internal” or “benign,” as a potential attack vector. Document, restrict, and monitor—because in the age of credential harvesting and advanced phishing, it no longer matters if the email looks trustworthy. Only rigorous, proactive security practices can close the gaps created by convenience-driven features like Direct Send.

---

Source: PCWorld Warning! This Microsoft 365 feature can be used to steal your passwords