For many organizations, the expectation is that internal communications on their Microsoft 365 tenants are inherently more trustworthy—after all, who would question an authentication-free email from the company’s own domain? Yet a recent investigation by the Varonis Managed Data Detection and Response (MDDR) Forensics team has unveiled a startling weakness in this assumption. Sophisticated attackers are now abusing the Microsoft 365 Direct Send feature to deliver phishing emails that not only bypass common email defenses but also convincingly appear as if they are from coworkers or automated company systems, all without ever needing to compromise a single legitimate account.

Anatomy of the Microsoft 365 Direct Send Exploit

Microsoft 365’s Direct Send feature is intended to make life easier for employees, allowing devices such as printers or custom applications to send emails to internal users without requiring typical authentication. Technically, this is achieved by allowing messages to pass through a “smart host,” with an address usually formatted as tenantname.mail.protection.outlook.com. These servers are engineered specifically to route internal messages within the tenant, supporting automation and streamlining workflows without necessitating a username or password.
The trouble begins with the realization that this feature’s lack of authentication, while justified for trusted devices and apps, can also open the door for abuse. Attackers can deduce potential target organizations because the smart host naming convention is predictable and public. Armed with a valid domain and a plausible internal address—often easy to find via company websites, LinkedIn, or data breaches—malicious actors can send spoofed messages to any user in the organization. This is not mere theory; over 70 organizations have been victimized using this very method since May of this year, according to Varonis’ detailed analysis.

How the Attack Works: A Step-by-Step Breakdown

  • Reconnaissance: The attacker identifies a target organization’s domain and smart host, for example, acme.mail.protection.outlook.com.
  • Construction of Spoofed Emails: Leveraging PowerShell scripts or similar automated tools, the adversary crafts emails that mimic trusted internal notifications—typically missed voicemails or faxes, formats familiar and unthreatening to recipients.
  • Inclusion of Malicious Payloads: The emails often carry PDF attachments containing QR codes. Victims scanning these codes with their mobile devices are unknowingly redirected to phishing websites, meticulously designed to harvest Microsoft 365 credentials.
  • Delivery: The emails are sent via the Direct Send route, exploiting the lack of sender authentication. Because they are routed internally, they bypass standard security mechanisms, including Microsoft’s own filtering, as well as third-party solutions that rely on traditional sender authentication (like SPF, DKIM, or DMARC).
  • Impersonation Without Breach: The messages appear to originate from internal employees or system notifications, lending them immediate credibility.
The sophistication here is not just in the social engineering but also in the technical sleight-of-hand: the attacker does not need to steal any credentials or infiltrate the environment. They use open doors purpose-built for convenience.

Why Traditional Defenses Fail

The typical first lines of email defense—SPF, DKIM, DMARC—aim to authenticate the sender and block spoofed emails. But the Direct Send channel is an exception. Although spoofed Direct Send emails technically fail these checks, the inner workings of Microsoft 365 treat this traffic as “internal,” so messages are delivered anyway.
Security practitioners will recognize this as a glaring gap: even advanced email security products placed before Microsoft 365 will not see or filter these messages because they never traverse external mail relays. Microsoft’s own header analysis for these emails reveals telltale signs—unusual “Received” fields reflecting external IP addresses and clear indicators of failed authentication. But unless admins actively inspect headers and correlate with behavioral signals, these messages skate through unchecked.

Observable Clues

Although subtle, there are indicators security teams can hunt for:
  • Emails sent from a user to themselves or to uncommon internal aliases.
  • Unusual user agents in the message headers, such as those indicating PowerShell or command-line utilities.
  • External or unexpected IP addresses appearing in the “Received” header chain—often from geographies unrelated to the organization.
  • Attachments—typically PDFs—named in the format ‘Fax-msg’, ‘Caller left VM Message’, or ‘Listen’ with embedded QR codes.
  • Subject lines mimicking genuine system notifications, such as:
      ◦ “Caller Left VM Message * Duration-XXXX for XXXX”
      ◦ “Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX”
      ◦ “You have received a new (2 pages) Fax-Msg to email@****”

Real-World Phishing Campaign: Key Artifacts

The campaign analyzed by Varonis stands out for its precision and breadth. Over 70 organizations were targeted in a matter of weeks, and the forensic footprint matches the technical profile outlined above. Attackers employed PowerShell scripts to automate the generation and dispatch of large volumes of spoofed internal email. The endgame was always credential theft—luring users to phishing sites via QR codes hidden within attachments, and thus evading basic URL detection by security scanners that focus solely on link analysis.
Some of the observed technical indicators (IOCs):

| Type | Value/Example | Description |
| --- | --- | --- |
| IP address | 139.28.36[.]230 | Used to transmit phishing emails |
| IP range | 139.28.X.X | Multiple IPs employed in the campaign |
| Domains | hxxps://voice-e091b.firebaseapp[.]com, hxxps://mv4lh.bsfff[.]es | Phishing landing pages |
| Email subjects | “Caller Left VM Message * Duration-XXXX for XXXX”, “New Missed Fax-msg (2 pages)” | Imitate internal notifications |
| Attachments | ‘Caller left VM Message’, ‘Listen’, ‘Fax-msg’ (PDFs with QR codes) | Trick users into scanning QR codes |

These attack elements are crafted, timed, and branded to maximize trust and minimize suspicion—often leading unsuspecting users to willingly submit their credentials on realistic phishing portals.

Why This Exploit Is So Effective

Several dynamics converge to make this abuse particularly potent:
  • Trust by Default: Internal emails are generally trusted by both technological controls and by users themselves. Recipients are primed to accept notice-style attachments without scrutiny.
  • Security Blindspot: Most organizations leverage a patchwork of perimeter and in-cloud email security solutions, but none routinely examine the internal pathways exploited by Direct Send.
  • Innovative Phishing Lure: By encapsulating the phishing URL within a QR code on a PDF, attackers sidestep conventional detection that focuses on URLs or suspicious file attachments.
  • Ease of Execution: The requirements for executing these attacks are minimal—no need for previously compromised credentials, infrastructure, or malware. All that is needed is awareness of Direct Send, the target’s domain, and basic scripting skills.

Broader Implications for Cloud Email Security

This campaign underscores a hard lesson in cloud security: Features designed with internal convenience in mind may inadvertently create architectural blind spots. As organizations migrate to Microsoft 365 in record numbers, the complexity and interdependence of cloud features like Direct Send become more opaque, even as their potential for abuse increases.
Moreover, Microsoft’s internal routing and tenant-to-tenant trust models rest on the implicit assumption that authentication is always present, when in reality certain “trusted” pathways (such as Direct Send) offer essentially no resistance to spoofing. This suggests that the “implicit trust” designed into cloud SaaS platforms deserves renewed scrutiny.

Risk Management: Effective Detection and Mitigation Strategies

Security teams cannot afford complacency in the face of evolving phishing threats. Several layered mitigation strategies can meaningfully reduce risk:

1. Disable or Restrict Direct Send

Where feasible, organizations should disable Direct Send entirely or restrict its use to authorized devices and static source IP addresses. Microsoft now offers the option to “Reject Direct Send” via the Exchange Admin Center—a control administrators should enable by default unless compelling business needs dictate otherwise.

2. Strict Authentication and Policy Enforcement

  • Implement robust DMARC policies—preferably set to p=reject—to block unauthenticated emails at the boundary.
  • Enforce a hardfail on SPF (Sender Policy Framework) records within Exchange Online Protection to prevent external sources from spoofing internal addresses.
  • Apply granular anti-spoofing policies available within Microsoft 365’s Security & Compliance Center, targeting specifically the abuse of internal domains.
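The following Exchange Online PowerShell session is an added example covering steps 1 and 2 above; it is not the article's or Microsoft's own script. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and placeholder values for the tenant domain (contoso.com) and the one printer IP that legitimately uses Direct Send.

```powershell
# Added example: inventory what currently arrives "from" our own domain
# via the tenant's smart host, then turn on the tenant-level
# "Reject Direct Send" switch and treat SPF hard fails as spam.
# contoso.com and 198.51.100.10 are placeholders, not real values.
Connect-ExchangeOnline

$InternalDomain = 'contoso.com'
$KnownDeviceIps = @('198.51.100.10')   # printers/apps allowed to use Direct Send

# 1. Which source IPs delivered mail claiming an internal sender in the last 7 days?
#    Known devices should be the only entries; anything else needs a look.
$suspect = Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -PageSize 5000 |
    Where-Object { $_.SenderAddress -like "*@$InternalDomain" -and $_.FromIP -and
                   $KnownDeviceIps -notcontains $_.FromIP }
$suspect | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample subject'; e = { $_.Group[0].Subject } } |
    Format-Table -AutoSize

# 2. Current state of the control ($false = unauthenticated Direct Send accepted)
(Get-OrganizationConfig).RejectDirectSend

# 3. Enable it once the devices found above have another sending path
#    (or a connector restricted to their static IPs).
Set-OrganizationConfig -RejectDirectSend $true

# 4. Step 2 of the article: mark SPF hard fails as spam in the default anti-spam policy
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On
```

Review the grouped output before enabling the switch, because every legitimate Direct Send device will start bouncing once it is on.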

3. Enhanced Detection

  • Flag or quarantine internal emails that fail any authentication checks (SPF, DKIM, DMARC), even if routed internally.
  • Analyze message headers for signs of command-line or PowerShell user agents and unexpected sending geolocations.
  • Monitor for bursts of internal-to-internal messages, especially those containing unfamiliar attachments or subject lines emulating business process automation.
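As an added example that serves both the Observable Clues list and the detection points above (not the article's or Varonis' tooling), this PowerShell function triages one raw message header for those indicators. The header, the IPs and the mailbox names are constructed placeholders.

```powershell
# Added example, not the article's or Varonis' tooling: triage one raw
# message header for the Direct Send indicators listed above. The header,
# the IPs and the mailbox names are constructed placeholders.
$Header = @'
Received: from relay.example-isp.test (203.0.113.77) by
 contoso.mail.protection.outlook.com (10.0.0.1) with SMTP
Authentication-Results: spf=fail (sender IP is 203.0.113.77)
 smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=oreject
 header.from=contoso.com; compauth=fail reason=000
From: alice@contoso.com
To: alice@contoso.com
Subject: Caller Left VM Message * Duration-0412 for alice
X-Mailer: Microsoft PowerShell
Content-Disposition: attachment; filename="Caller left VM Message.pdf"
'@
$TrustedSourceIps = @('198.51.100.10')   # printers/apps allowed to use Direct Send

function Test-DirectSendHeader {
    param([string]$Raw, [string[]]$TrustedIps)
    $findings = @()
    # Unfold continuation lines, then split into name/value pairs
    $pairs = foreach ($line in ($Raw -replace "`r?`n[ \t]+", ' ') -split "`r?`n") {
        if ($line -match '^([\w-]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $matches[1]; Value = $matches[2] }
        }
    }
    $val = { param($n) ($pairs | Where-Object Name -eq $n | Select-Object -First 1).Value }
    # 1. Connecting IP of each Received hop that is not a known Direct Send device
    foreach ($r in ($pairs | Where-Object Name -eq 'Received')) {
        if ($r.Value -match '^from\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)' -and
            $TrustedIps -notcontains $matches[1]) {
            $findings += "Received hop from untrusted IP $($matches[1])"
        }
    }
    # 2. Authentication failures on mail that claims an internal sender
    $auth = & $val 'Authentication-Results'
    if ($auth -match 'spf=(fail|softfail|none)') { $findings += "SPF $($matches[1])" }
    if ($auth -match 'dmarc=fail')               { $findings += 'DMARC fail' }
    if ($auth -match 'compauth=fail')            { $findings += 'Composite authentication fail' }
    # 3. Scripted mailer, self-addressed mail, campaign-style subject and attachment name
    if ((& $val 'X-Mailer') -match 'PowerShell|curl|python') { $findings += 'Command-line mailer' }
    if ((& $val 'From') -and (& $val 'From') -eq (& $val 'To')) { $findings += 'Sender and recipient are the same mailbox' }
    if ((& $val 'Subject') -match 'Caller Left VM Message|Fax-msg') { $findings += 'Voicemail/fax lure subject' }
    if ((& $val 'Content-Disposition') -match 'filename="?(Caller left VM Message|Listen|Fax-msg)') {
        $findings += 'Lure-named attachment'
    }
    return $findings
}

Test-DirectSendHeader -Raw $Header -TrustedIps $TrustedSourceIps
```

Feed it the full header of a quarantined message (Get-MessageTrace alone does not expose headers) and add the trusted device IPs your inventory confirmed.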

4. User Awareness and Behavioral Training

Even the best controls are circumvented when users are not equipped to recognize new threat vectors.
  • Conduct regular, targeted security awareness campaigns tailored to modern phishing techniques, including “quishing” (QR-code phishing).
  • Emphasize verification steps for unexpected notices received by email—even when supposedly sent from internal systems—especially those requesting credential re-entry.

5. Continuous Review of Configuration and Audit Trails

  • Regularly audit Exchange and Microsoft 365 settings for gaps, especially as features and defaults change.
  • Scrutinize audit logs for patterns indicative of abuse (mass messages sent “from” unusual internal accounts, sudden onset of email traffic originating from unique IPs, etc.).

The Cloud Communication Dilemma: Balancing Utility with Security

The balance between operational convenience and security in cloud communication platforms is delicate. While features like Direct Send solve tangible business challenges (allowing legacy devices and software to participate in streamlined workflows), they can inadvertently provide sophisticated attackers with new, unanticipated vectors.
Microsoft 365’s rapid adoption means these exposures are not confined to technical edge cases; they are mainstream, affecting businesses large and small. The burden thus falls on IT, security teams, and even end users to recognize that “internal” no longer guarantees “safe.” This is especially urgent as adversaries increasingly exploit social and technical blind spots rather than brute-forcing the perimeter.
There are, to Microsoft’s credit, paths to robust mitigation. Microsoft 365’s security arsenal has grown rapidly, offering granular policy controls, header-based detection, and user awareness integrations. However, these are only effective if organizations take the initiative to configure them proactively, rather than reactively in the wake of an incident.

What Organizations Should Do Next

  • Assess your current use of Direct Send. Is it truly necessary in its current, often unauthenticated form?
  • Audit all devices and apps leveraging Direct Send, restricting usage to only essential, known IP addresses if possible.
  • Monitor and alert on all internal email flows for suspicious origins, message headers indicative of scripting, and attachment patterns linked to new phishing lures.
  • Educate your workforce about these emerging threats, focusing on the risks of QR code-based phishing and internal impersonation.
  • Engage with Microsoft’s recommended controls, keeping abreast of any new administrative features or hardening guidance released in response to evolving attacks.

Final Assessment: The Road Ahead

The abuse of Microsoft 365 Direct Send is a textbook example of how cybercriminals turn trusted infrastructure against its users. These campaigns demonstrate that the future of cloud security will demand not only technical vigilance but also a relentless skepticism toward implicit trust, even inside what appear to be secure perimeters.
Organizations must evolve past perimeter-based thinking and adopt an “assume breach” mindset, coupled with automated detection, rigorous policy enforcement, and regular user education. By shining a light on abuse cases such as those revealed by the Varonis MDDR Forensics team, the security community can drive the changes needed to keep Microsoft 365’s convenience from becoming its Achilles’ heel.
The takeaway is clear: Even internal email should be treated as a potential threat vector, regularly scrutinized and subject to strong controls. As phishing and credential theft campaigns become more sophisticated and adaptive, so too must the defenders—from the boardroom to the IT help desk. In today’s cloud-first era, complacency is the true vulnerability.

Source: Cyber Press, “Abuse of Microsoft 365 Direct Send to Send Phishing Emails Impersonating Internal Users”