In May 2025, cybersecurity researchers at Varonis Threat Labs uncovered a sophisticated phishing campaign exploiting Microsoft 365's Direct Send feature. This attack has targeted over 70 organizations, with 95% based in the United States, across sectors such as financial services, manufacturing, construction, engineering, healthcare, and insurance. (windowsforum.com)
Understanding the Direct Send Exploit
Microsoft 365's Direct Send feature lets internal devices such as printers and scanners send email through the tenant's smart host without authenticating. Because no credentials are required, anyone who knows an organization's domain and its internal email address format, both of which are often publicly discoverable, can submit messages that appear to originate from inside the organization and slip past email security controls that trust internal mail. (securityonline.info)
Anatomy of the Phishing Attack
The attackers employ PowerShell scripts to send spoofed emails through the organization's smart host (e.g., company-com.mail.protection.outlook.com). These emails often mimic voicemail notifications and include PDF attachments with QR codes. When scanned, the QR codes direct victims to fake Microsoft 365 login pages designed to steal credentials. This method, known as "quishing," uses QR codes to evade traditional email security filters. (windowsforum.com)
Challenges in Detection
Several factors contribute to the difficulty in detecting these attacks:
- Bypassing Security Filters: Since the emails are routed through Microsoft's infrastructure and appear to originate internally, they often bypass spam filters and security policies. (securityonline.info)
- Lack of Authentication Checks: The Direct Send feature does not require authentication, allowing attackers to send emails without credentials. (securityonline.info)
- Sophisticated Social Engineering: The use of QR codes and familiar email formats increases the likelihood of user interaction, making the attacks more effective. (windowsforum.com)
To defend against such attacks, organizations should consider the following measures:
- Disable Direct Send: If not actively used, disable the Direct Send feature via the Exchange Admin Center. (windowsforum.com)
- Implement Strict DMARC Policies: Enforce strict DMARC policies to prevent spoofing of internal domains. (windowsforum.com)
- Configure Exchange Online Protection: Configure Exchange Online Protection to treat SPF hard failures as spam and enable its anti-spoofing policies. (windowsforum.com)
- User Education: Educate employees about the risks of QR code phishing and encourage them to verify unexpected emails. (windowsforum.com)
- Enforce Multi-Factor Authentication (MFA): Implement MFA and conditional access policies to protect accounts even if credentials are compromised. (windowsforum.com)
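As an added example (not code from the page, from Varonis, or from Microsoft), the following Exchange Online PowerShell session applies the Direct Send, SPF and anti-spoofing measures listed above. It assumes the placeholder tenant domain example.com, a single placeholder printer at 203.0.113.10 that still needs Direct Send, the ExchangeOnlineManagement module, and that the RejectDirectSend organization setting is available in the tenant.

```powershell
# Added example, not from the page: harden an Exchange Online tenant against Direct Send spoofing.
# Assumptions: placeholder domain example.com, placeholder printer 203.0.113.10,
# ExchangeOnlineManagement module installed, RejectDirectSend setting available.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Domain    = "example.com"      # placeholder: the tenant's accepted domain
$PrinterIP = "203.0.113.10"     # placeholder: the only device allowed to keep using Direct Send

# 1. Check whether the tenant currently accepts unauthenticated Direct Send.
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. If no device depends on Direct Send, reject it outright.
Set-OrganizationConfig -RejectDirectSend $true

# 3. If Direct Send must stay on for the printer, mark any other message that claims
#    to come from our own domain but arrives from outside the organization as
#    high-confidence spam (SCL 9), so the content filter policy quarantines it.
New-TransportRule -Name "Flag unauthenticated internal spoof" `
    -SenderDomainIs $Domain `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $PrinterIP `
    -SetSCL 9 `
    -Comments "Stops Direct Send spoofing of $Domain; only the printer is exempt"

# 4. Treat SPF hard failures as spam in the default content filter policy.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

# 5. Make the default anti-phishing policy quarantine authentication failures
#    and tag unauthenticated senders in Outlook.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true `
    -AuthenticationFailAction Quarantine

# 6. Confirm DMARC is enforced for the domain; the record should contain p=reject.
Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT | Select-Object -ExpandProperty Strings
```

Review the quarantine after enabling the rule: any legitimate Direct Send device that was not exempted will show up there and needs its IP added to the exception list or moved to authenticated SMTP submission.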
The exploitation of Microsoft 365's Direct Send feature underscores the evolving tactics of cybercriminals. By understanding the mechanics of these attacks and implementing robust security measures, organizations can better protect themselves against such sophisticated phishing campaigns.
Source: Hackread Scammers Use Microsoft 365 Direct Send to Spoof Emails Targeting US Firms