Cybersecurity researchers have uncovered a sophisticated phishing campaign exploiting Microsoft 365's Direct Send feature to deliver internal-looking emails without authentication. This method allows attackers to bypass traditional email security measures, posing significant risks to organizations.

Understanding Microsoft 365's Direct Send Feature

Microsoft 365's Direct Send is designed to enable devices like printers and scanners to send emails directly through the organization's email infrastructure without requiring user authentication. This feature utilizes a smart host, typically formatted as tenantname.mail.protection.outlook.com, to facilitate internal communications. While intended for convenience, this setup can be exploited if not properly secured.

Exploitation of Direct Send in Phishing Campaigns

In recent incidents, attackers have leveraged Direct Send to send spoofed emails that appear to originate from within the targeted organization. By identifying a company's domain and internal email address formats—often accessible through public sources—threat actors can craft emails that seem legitimate. These emails often mimic internal communications, such as voicemail notifications, and include malicious attachments or links designed to harvest credentials.
For example, attackers have used PowerShell scripts to send emails through the smart host, making them appear as if they were sent by internal users. These messages can bypass standard email security controls because they are routed through Microsoft's infrastructure and lack typical indicators of external threats.

Detection and Mitigation Strategies

To protect against such abuses, organizations should implement the following measures:
  • Enable 'Reject Direct Send': Activate this setting in the Exchange Admin Center to block unauthenticated emails that appear to originate from internal domains.
  • Implement Strict DMARC Policies: Enforce a strict DMARC policy (e.g., p=reject) to prevent spoofed messages from being delivered.
  • Enforce SPF Hard Fail: Configure SPF records to use a hard fail mechanism (-all) to block unauthorized senders.
  • Monitor for Anomalies: Use security information and event management (SIEM) tools to detect unusual email patterns, such as internal addresses sending emails from external IPs or messages originating from unexpected geolocations.
  • User Education: Train employees to recognize phishing attempts, especially those involving QR codes (a tactic known as "quishing"), and to exercise caution with unexpected emails and attachments.
  • Enforce Multi-Factor Authentication (MFA): Require MFA across all user accounts to reduce the risk of unauthorized access, even if credentials are compromised.
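As an added illustration (not code from the post or from SC Media), the following Python triage routine implements the "Monitor for Anomalies" check above over constructed message-trace-style records: it flags messages that claim an internal sender domain, fail both SPF and DKIM, and arrive from an IP outside the assumed internal ranges. The domain, IP ranges, field names and sample messages are all assumptions made for the example.

```python
import ipaddress
import re

# Assumed tenant domain and on-premises egress range (constructed for this example).
INTERNAL_DOMAINS = {"contoso.com"}
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed records modelled loosely on message-trace fields plus the
# Authentication-Results header value; not real traffic.
SAMPLE_MESSAGES = [
    {"from": "voicemail@contoso.com", "client_ip": "203.0.113.7",
     "auth": "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.com; "
             "dkim=none; dmarc=fail action=none",
     "subject": "New voicemail received"},
    {"from": "printer@contoso.com", "client_ip": "198.51.100.20",
     "auth": "spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=contoso.com; "
             "dkim=none; dmarc=pass",
     "subject": "Scanned document"},
    {"from": "news@example.net", "client_ip": "203.0.113.9",
     "auth": "spf=pass smtp.mailfrom=example.net; dkim=pass; dmarc=pass",
     "subject": "Newsletter"},
]

def parse_auth_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", header)
        results[mech] = match.group(1).lower() if match else "none"
    return results

def is_internal_ip(ip):
    """True when the connecting IP falls inside a known internal egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_direct_send_spoofs(messages):
    """Return messages that claim an internal sender but arrived unauthenticated from outside."""
    flagged = []
    for msg in messages:
        domain = msg["from"].rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            continue  # ordinary external mail; not the internal-spoof pattern
        auth = parse_auth_results(msg["auth"])
        unauthenticated = auth["spf"] != "pass" and auth["dkim"] != "pass"
        if unauthenticated and not is_internal_ip(msg["client_ip"]):
            flagged.append({"from": msg["from"], "client_ip": msg["client_ip"],
                            "subject": msg["subject"],
                            "reason": f"internal sender, spf={auth['spf']}, "
                                      f"dkim={auth['dkim']}, external IP"})
    return flagged
```

Feeding real message-trace exports into `flag_direct_send_spoofs` would require mapping your export's column names onto the assumed keys; the printer record passes because its SPF verdict is `pass` from an internal range, while the voicemail lure is flagged.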

Conclusion

The exploitation of Microsoft 365's Direct Send feature underscores the need for organizations to balance functionality with security. By proactively configuring email settings, monitoring for suspicious activity, and educating users, organizations can mitigate the risks associated with this and similar phishing tactics.

Source: SC Media, "Microsoft 365 Direct Send leveraged for internal phishing"