Threat actors are increasingly exploiting Microsoft 365’s Direct Send feature to conduct highly convincing internal phishing campaigns, eroding trust within organizations and challenging the efficacy of traditional security defenses. This emergent attack vector, recently highlighted by Proofpoint and other leading research groups, demonstrates the evolving sophistication of cyber adversaries as they target cloud communications infrastructure. As Microsoft 365 cements its role as the backbone of modern enterprise collaboration, awareness and mitigation of this vulnerability are critical priorities for CISOs and IT security teams worldwide.

Understanding Direct Send in Microsoft 365

Microsoft 365’s Direct Send feature was originally introduced to support the unauthenticated relaying of emails from on-premises devices and legacy systems—such as printers, scanners, or custom business applications—directly to corporate inboxes. This means that certain devices, without the need for standard user authentication, can transmit messages inside the organization if properly configured. Administrators have generally relied on this mechanism to facilitate business processes, particularly in environments with mixed or aging technology stacks.
However, the very nature of Direct Send—allowing unauthenticated delivery based on IP and connection trust rather than credential verification—presents a structural risk when not secured rigorously. Inadequate oversight or misconfiguration can leave a door open for malicious actors to impersonate legitimate internal users, sending spoofed messages that appear wholly credible to unsuspecting employees.

Anatomy of a Sophisticated Phishing Campaign

Proofpoint researchers have identified a persistent campaign leveraging the Direct Send feature in conjunction with unsecured third-party email security appliances. The attackers’ delivery chain can be broken down as follows:
  • Initial Access: Adversaries gain RDP access (typically on port 3389) to virtual hosts running Windows Server 2022. These servers, often observed on infrastructure leased by virtual private server (VPS) providers, are controlled by attackers and configured to initiate outbound mail sessions.
  • Relay Exploitation: The attackers identify and utilize Internet-exposed, third-party SMTP relay appliances as their launching pad. These relays, frequently under-protected and sometimes operating with expired or self-signed SSL certificates, take instructions from authenticated connections or even misconfigured anonymous logins.
  • Email Injection: From these relays, attackers send phishing emails using spoofed internal sender addresses. The emails traverse legitimate SMTP channels, sometimes bearing valid DigiCert SSL certificates and supporting modern encryption protocols such as STARTTLS and AUTH PLAIN LOGIN—further blending with normal business traffic.
  • Delivery to Microsoft 365 Users: These messages are deposited directly into internal mailboxes. Despite authentication failures (SPF, DKIM, DMARC mismatches, or suspicious “compauth=fail” flags in email headers), many messages still bypass front-line defenses and land in user inboxes or, at best, junk folders. The apparent internal origin makes them far more believable than generic external spam.

Why These Attacks Succeed

The critical factor underpinning success is trust: emails that look like internal notices—task assignments, wire transfer requests, urgent business reminders—routinely bypass psychological skepticism and security training. Even savvy users are more likely to trust what appears to be a message from an internal department head or payroll coordinator, especially when presented without obvious warning flags. The use of familiar topics (such as voicemail notifications or invoice approvals) and formatting further increases the likelihood of engagement and, ultimately, compromise.
Another key enabler is the abuse of legitimate cloud infrastructure. By routing messages through trusted and certified relay appliances—albeit misconfigured—attackers evade many traditional security tools that rely on blacklists, anomalous sender reputation, or known malicious IP detection. The exploitation of Direct Send thus exemplifies the broader trend of attackers co-opting cloud and SaaS features to mask malicious activity as ordinary business conduct.

Indicators of Compromise (IOCs) and Technical Details

Organizations seeking to defend against this campaign should watch for several markers that may indicate compromise or attempted intrusion. Based on current reporting, the following attacker infrastructure and artifacts have been observed:
Indicator Type   | Value              | Description
Self-Signed SSL  | CN=WIN-BUNS25TD77J | Used by attacker-controlled Windows Server 2022 hosts
IP Address       | 163.5.112.86       | Attacker-controlled host for initiating SMTP connections
IP Address       | 163.5.160.28       | Attacker-controlled host for initiating SMTP connections
IP Address       | 163.5.160.119      | Attacker-controlled host for initiating SMTP connections
IP Address       | 163.5.160.143      | Attacker-controlled host for initiating SMTP connections
IP Address       | 163.5.169.53       | Attacker-controlled host for initiating SMTP connections
Relays exploited in these attacks typically expose ports such as 8008, 8010, and 8015 with expired or self-signed certificates, or weak authentication protocols. Careful monitoring for these IOCs, particularly on network boundaries and in security appliance logs, can help surface malicious activity before it results in a breach.

Defense Evasion Tactics and Detection Challenges

Once attackers have established their SMTP pipeline via Direct Send, their ability to bypass standard anti-phishing controls is markedly improved:
  • Bypassing Authentication: Although messages may fail composite authentication checks (including SPF, DKIM, and DMARC), Microsoft 365’s default behavior is to quarantine or redirect such mails to junk. However, these protections are not always airtight—especially in organizations with relaxed mail handling rules or misconfigured policies.
  • Exploiting Junk Folder Trust: Even when messages arrive in the junk folder, many users still access and read them, assuming false positives are responsible for misclassification. This undermines the assumed safety of segregating suspect mails rather than blocking delivery entirely.
  • Chaining Legitimate Services: The campaign leverages the increasing inter-operability of cloud services and the prevalence of trusted third-party security tools. Relays running on virtual servers, cloaked with valid SSL certificates from reputable CAs like DigiCert, are more difficult to detect than conventional spam-sending botnets.
  • Fast Evasion and Infrastructure Turnover: Attackers frequently rotate IP addresses, relay appliances, and hosting providers, reducing the window of opportunity for signature-based detection or blacklisting.
All of these factors reinforce the case for a layered, defense-in-depth approach that does not overly rely on any single vector of trust.

The Scope of Impact: Why This Attack Matters

The exploitation of Direct Send is not a fringe or theoretical risk. As Microsoft 365 adoption surges across every sector—from healthcare to financial services and higher education—the population of organizations at risk is vast. Proofpoint and other researchers stress that any institution with poorly regulated relay permissions, lax authentication policies, or legacy devices connected to mail infrastructure is a potential target.
Successful exploitation can have dire consequences:
  • Credential Theft and Initial Access: Convincing phishing emails prompt users to enter credentials, enabling further lateral movement within the organization.
  • Business Email Compromise (BEC): Internal-looking emails can be weaponized for wire fraud, invoice redirection, or data theft.
  • Spread of Malware and Ransomware: Payloads embedded in apparently benign attachments or links are more likely to be clicked when originating from “inside” an organization.
  • Erosion of Internal Trust: As these attacks undermine employee confidence in internal communications, organizations experience productivity slowdowns and increased operational friction.

Best Practices and Mitigation Strategies

To counter this emergent threat, security leaders should implement a coordinated series of technical and procedural controls. Key recommendations include:

1. Audit and Limit Direct Send Usage

  • Conduct a full audit of Direct Send usage in Microsoft 365. Enumerate which devices or applications use it and why.
  • If not operationally essential, disable Direct Send entirely using PowerShell:
    Set-OrganizationConfig -RejectDirectSend $true
  • For required use cases, strictly limit originating IP addresses, enforce secure certificates, and apply granular mail flow controls.

2. Harden Authentication and Validation Rules

  • Implement strict Sender Policy Framework (SPF) policies with hard fail configurations.
  • Enforce DKIM signing for all outbound messages.
  • Configure DMARC policies to reject (not just quarantine) messages that fail DMARC alignment.
  • Routinely review authentication failure reports and adjust policies to strike an effective balance between security and legitimate mailflow.

3. Enhance Security Beyond Native Microsoft Defenses

  • Deploy advanced email security solutions—such as Proofpoint, Mimecast, or Cisco Email Security—that augment Microsoft’s built-in controls with AI-driven anomaly detection, deep content inspection, and threat intelligence integration.
  • Consider security tools that can sandbox attachments and links in real time, rather than simply filtering based on heuristics.

4. Monitor and Investigate Suspicious Relay Activity

  • Log all incoming SMTP connections and monitor for unauthorized relay activity, particularly from known attacker infrastructure or IPs unfamiliar to your environment.
  • Inspect mail headers for spoofing indicators, such as anomalous “From” addresses, authentication failures, or suspicious message paths.
  • Use SIEM platforms (e.g., Microsoft Sentinel, Splunk) to aggregate, correlate, and alert on suspicious inbound and relay traffic.

5. Educate Employees but Don’t Rely Solely on Training

  • While user awareness training is valuable, it must be paired with technical controls. Employees often bypass warnings out of urgency or habit, particularly when messages appear internal.
  • Consider running simulated phishing campaigns that specifically mimic these emerging tactics to assess organizational readiness.

6. Keep Cloud and Hybrid Configurations Up to Date

  • Regularly patch third-party security appliances and ensure relay protocols are current, supporting the latest encryption and authentication standards.
  • Validate that all externally facing relay endpoints use valid, non-expired, CA-backed SSL/TLS certificates.

7. Incident Response Preparedness

  • Update incident response playbooks to include scenarios specific to internal phishing and relay-based impersonation.
  • Ensure forensic analysis tools capture header data and relay logs needed to reconstruct attack chains.

Critical Analysis: Strengths, Weaknesses, and Ongoing Risks

The widespread use of Microsoft 365’s Direct Send capability is a testament to the platform’s flexibility and its appeal for diverse business needs. However, this case highlights a fundamental truth about cloud collaboration: features designed for convenience and backward compatibility often become security liabilities if not rigorously monitored.
Strengths of the Attack:
  • Exploits organizational trust and routine workflows.
  • Bypasses perimeter-focused security tools and basic email authentication.
  • Utilizes known, trusted cloud service infrastructure for distribution.
Notable Weaknesses and Opportunities for Defense:
  • Often still fails email authentication (SPF/DKIM/DMARC), giving admins a potential detection lever—if appropriately configured.
  • Relies on unsecured or minimally protected third-party relays, which can be discovered and blocked.
  • Attack infrastructure (e.g., IPs, certificates) leaves forensic breadcrumbs, allowing for retrospective investigation and future blocking.
Potential Risks and Remaining Gaps:
  • Many organizations lack the time, visibility, or expertise to audit granular relay usage and authentication outcomes.
  • Overly aggressive DMARC or mail flow changes can inadvertently disrupt essential business emails—making IT teams wary of implementation.
  • Attackers are rapidly adapting their methods, using commodity infrastructure and new relays as old ones are reported and blocked.
Despite Microsoft’s ongoing efforts to shore up the security of the 365 ecosystem, there remains a significant burden on each tenant to tailor defenses to their threat surface. Ignoring these risks could lead to costly breaches, data loss, regulatory consequences, and reputational damage.

The Path Forward: Securing the Enterprise Cloud

As more organizations operate in hybrid and multi-cloud environments, the principle of least privilege must extend from user permissions to mail transport pathways. Features like Direct Send, while enabling business agility, cannot be left in their default state—security must catch up with adoption.
The present campaign is not an isolated incident but illustrative of a wider trend: the transformation of trusted cloud services into potent attack tools. It is incumbent upon IT leaders to stay informed about new abuse techniques, conduct continual risk assessments, and advocate for robust, layered protection frameworks that anticipate—not just react to—the shifting threat landscape.

Conclusion

The exploitation of Microsoft 365’s Direct Send feature by determined threat actors marks a pivotal evolution in internal phishing tactics. By weaponizing legitimate features and abusing misconfigured relay infrastructure, attackers have discovered a loophole in the defenses of countless organizations. Defenders must respond with heightened vigilance, technical controls, and a strategic shift in thinking—from “good enough” email hygiene to resilient, proactive cloud security engineering. As enterprises look to balance productivity with protection, the lessons from this campaign are both clear and urgent: trust, once broken, is difficult to rebuild, and internal communication channels must be as scrupulously guarded as the network perimeter.

Source: gbhackers.com Hackers Exploit Microsoft 365’s Direct Send Feature for Internal Phishing Attacks
 
As cyber threats continue to evolve, organizations leveraging cloud-based productivity suites like Microsoft 365 face novel forms of attack that exploit the platform’s very architecture. Recently, security researchers unveiled a troubling trend: hackers are weaponizing Microsoft 365’s Direct Send feature—a mechanism originally designed to streamline legitimate business communication—to deliver insidious internal phishing attacks that often bypass traditional email security controls. This development signals not just a technical challenge, but a fundamental shift in how trust can be subverted in cloud-native email ecosystems.

Anatomy of the Attack: How Legitimate Features Become Attack Vectors

Traditional phishing relies heavily on deceiving recipients into believing malicious emails originate from trusted external partners or reputable brands. However, Microsoft 365’s Direct Send functionality provides threat actors with the unprecedented ability to inject emails that appear to be genuine internal communications. The crux of this threat lies in Direct Send’s design: it allows devices like multifunction printers and certain legacy applications to send email through Microsoft’s cloud infrastructure without user-level authentication.
By exploiting this inherent trust model, attackers achieve a level of authenticity that is difficult for both automated defenses and end-users to distinguish from real internal messages. Unlike compromised accounts or external spoofing, no valid Microsoft 365 credentials are required—the attackers simply leverage infrastructure permissions that were meant for convenience and backward compatibility.

How Does Direct Send Work?

Direct Send is a configuration within Microsoft 365 typically used to let on-premises devices or apps send mail to recipients in your domain. The process bypasses SMTP authentication and only requires that emails be addressed to recipients within the organizational domain; external mail is not supported. Because these messages originate from the organization’s legitimate IP ranges and protocols, they often evade many anti-spam and anti-phishing measures that focus on blocking or flagging anomalous external communications.

The Sophisticated Multi-Layer Attack Infrastructure

Researchers from Proofpoint detailed a complex, multi-stage attack chain that leverages multiple tiers of compromised and legitimate infrastructure:
  • Command and Control of Windows Hosts: Malicious actors begin by establishing access to virtual hosts running Windows Server 2022, often via exposed Remote Desktop Protocol (RDP) ports (notably port 3389). This gives them a trustworthy Windows environment to launch their campaigns—further bolstering the legitimacy of their activity from a cloud provider’s perspective.
  • Connection to Unsecured Third-Party SMTP Relays: From these controlled virtual servers, the attackers seek out unsecured third-party email appliances hosted by regional Infrastructure-as-a-Service (IaaS) providers. Notably, these appliances are often configured with valid DigiCert SSL certificates and provide basic SMTP authentication support (AUTH PLAIN LOGIN) alongside STARTTLS encryption. However, critical vulnerabilities exist: ports 8008, 8010, and 8015 often remain open with expired or self-signed certificates, providing a backdoor for attackers.
  • Message Injection via Compromised Appliances: Once the attackers gain a foothold on these appliances, they use them as SMTP relays—effectively ‘laundering’ malicious emails through trusted, certificate-protected channels. Messages injected at this phase are tailored to impersonate internal users, leveraging domain-specific sender addresses with impressive precision.
  • Final Delivery via Microsoft 365 Direct Send: The ultimate leg of the journey sees these malicious emails relayed to Microsoft 365 tenants, delivered directly to employee inboxes as if they originated from within the organization. Because Direct Send enforces neither user-level authentication nor DKIM/SPF records on internal traffic, these emails enjoy a significant level of insulation from scrutiny.
This process—targeting both technical blind spots and human psychology—demonstrates an evolution in how adversaries exploit inherent trust relationships built into modern cloud email systems.

Why Are Internal Phishing Attacks So Dangerous?

Internal phishing attacks, particularly those with the credibility imparted by mechanisms like Direct Send, are much harder to spot. Here are key reasons why these represent a significant escalation in organizational risk:
  • Bypassing Security Controls: Standard email defenses (SPF, DKIM, DMARC checks; reputation scoring; anomaly detection) are typically tuned to scrutinize and filter external threats, leaving internal messages far less protected.
  • Social Engineering Success: Employees are conditioned to treat internal communications as inherently safer. Attackers can craft spear-phishing lures that request sensitive information, prompt fraudulent payments, or plant malware with much higher success rates.
  • Defense Blind Spots: Security teams and SIEM/SOAR platforms may not routinely monitor internal-to-internal traffic for the same indicators of compromise reserved for incoming email, creating dangerous gaps in visibility.
  • Credentialless Attacks: Unlike account takeover or brute-force attacks, Direct Send abuse does not require user-level credentials, making detection and attribution more difficult.

A Closer Look at the Technical Details

The technical sophistication displayed in this campaign is noteworthy, particularly in its nuanced use of both Microsoft’s platform and flawed third-party appliances:
  • Unsecured SMTP Relays: Many organizations have historically deployed email security appliances (barricading external threats or filtering spam), often neglecting to update or properly secure their firmware and SSL certificates. Attackers search for these neglected systems—identifiable by their open management ports, often left on default configurations, or outdated certificates.
  • Certificate Abuse: The presence of valid DigiCert SSL certificates provides an extra veneer of legitimacy, enabling attackers to establish encrypted sessions with Microsoft 365 infrastructure and evade simple signature- or plaintext-based inspection tools.
  • SMTP AUTH Bypass: Although these appliances might enforce authentication for locally initiated email, many fail to enforce strict anti-relay rules for inbound SMTP traffic on non-standard ports, creating a channel that attackers exploit with minimal resistance.
Proofpoint’s research highlights that even sophisticated operations like this are only possible due to systemic negligence in patch management and misconfigured legacy systems—a stark reminder of the supply chain nature of modern cloud security.

Recommended Defenses: Technical and Procedural Mitigations

Defending against Direct Send abuse and similar internal phishing requires a dual-pronged approach: immediately remediating the technical risks and building a robust, security-aware organizational culture.

Immediate Technical Controls

  • Disable Direct Send, Where Possible: Organizations that do not explicitly require Direct Send for functionality can deploy the following PowerShell command to prevent credentialless message injection:
    Set-OrganizationConfig -RejectDirectSend $true
    This immediately disables the Direct Send pathway and forces all inbound and outbound email to leverage authenticated SMTP, making spoofed internal sender addresses substantially harder to use without compromised credentials.
  • Monitor and Audit SMTP Relays: Conduct a comprehensive audit of all email gateways, security appliances, and relay servers accessible from the internet. Pay particular attention to unusual port usage, expired/self-signed SSL certificates, and devices configured with permissive relay policies.
  • Inspect Message Headers and Composite Authentication: Administrators should monitor mail headers for composite authentication failures (compauth=fail). These indicators often signal that the source of an email could not be positively identified or authenticated by Microsoft’s cloud infrastructure. SIEM/SOAR systems should be updated to flag all internal messages where composite authentication fails, prompting deeper investigation.
  • Patch and Harden Legacy Appliances: Ensure that all third-party email appliances are running the latest firmware, with default credentials rotated, unnecessary ports closed, and valid certificates installed. Remove unsupported or unmaintained devices from production networks.

Strategic and Cultural Initiatives

  • Security Awareness Training: Employees must be regularly educated to question unexpected or unusual internal communications, especially those demanding credentials, payments, or confidential data. Scenario-based drills simulating internal phishing attacks can build muscle memory and reduce response errors.
  • Multi-layered Email Security: Modern email filtering technology now offers ‘internal phishing’ modules capable of inspecting content and sender metadata, even for intra-domain messages. These controls should be enabled and rigorously tested.
  • Incident Response Readiness: Develop and routinely test runbooks specifically for internal phishing outbreaks, as response and remediation steps may differ significantly from external threat scenarios.
  • Continuous Threat Intelligence: Subscribe to threat feeds and remain aware of evolving attack vectors leveraging legitimate cloud services. Early notification enables rapid preemptive defenses before a new technique becomes widespread.

The Cloud Security Conundrum: Convenience vs. Control

The rise of cloud services like Microsoft 365 has undoubtedly transformed workplace productivity, offering seamless collaboration and accessibility. Yet as this campaign starkly demonstrates, any platform’s convenience features can swiftly become its greatest vulnerabilities if not tightly governed.
Organizations, particularly those that have migrated from legacy on-premises solutions, often carry over security postures and assumptions that don’t map cleanly to the cloud’s shared-responsibility model. Features intended to automate and simplify can inadvertently create pathways for highly reliable, difficult-to-detect attacks.

Persistent Trust Model Problems

A core issue exposed by the abuse of Direct Send is the ‘trusted internal sender’ paradigm. Older security tools and processes often regard traffic originating from within the organization as benign. However, in an age where cloud services, supply-chain vendors, and remote workers all co-mingle, the very notion of ‘internal’ must be re-examined.
The increasing reliance on certificate-validated but poorly administered appliances demonstrates that attackers no longer need to breach organizational perimeters—they can ride the coattails of neglected infrastructure, abusing implied trust every step of the way.

Moving Forward: Zero Trust as a Guiding Principle

This campaign further underscores the urgent need to adopt zero trust principles across all aspects of email security and cloud service administration. The concept—‘never trust, always verify’—suggests that every entity, device, and message must continuously prove itself, regardless of apparent origin.
In practical terms, this means:
  • Abandoning implicit trust of intra-domain email in favor of continuous authentication and anomaly detection.
  • Automatically revoking unused or legacy configurations that bypass modern controls, such as Direct Send for devices that now support secure, authenticated SMTP.
  • Enforcing minimum hygiene standards for any device or service that interacts with core infrastructure, whether cloud-hosted or on-premises.

Conclusion: Adapting for the Era of Cloud-enabled Threats

The abuse of Microsoft 365’s Direct Send feature for internal phishing is a clarion call to both technical and business leaders. While the immediate technical mitigation—disabling Direct Send or locking down SMTP relays—may seem straightforward, the larger lesson lies in the need for ongoing vigilance and risk assessment as cloud services continue to evolve.
Organizations must assume that attackers will relentlessly probe for any trusted mechanism that can be subverted or abused. Every cloud feature adopted for productivity should be accompanied by a detailed risk review and ongoing monitoring. Likewise, every neglected legacy appliance or lax configuration becomes a candidate for urgent remediation—or removal.
Success in this new threat landscape requires not only state-of-the-art tools but also a relentless culture of security awareness, continuous education, and system-level ‘what if’ thinking. As attackers grow more sophisticated in their abuse of cloud-native features, so too must defenders increase their understanding of platform intricacies, their discipline in patch management, and their resolve to never accept old ‘internal vs. external’ distinctions as a firewall.
Staying ahead of these threats demands a layered, adaptive defense—marrying technical controls, security-conscious culture, and a clear-eyed approach to managing the risks of convenience. Only then can organizations truly realize the promise of the cloud without falling victim to its hidden weaknesses.

Source: CyberSecurityNews Hackers Abuse Microsoft 365’s Direct Send Feature to Deliver Internal Phishing Attacks
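An added example, not part of either article: detection logic for the header-inspection advice above (a compauth=fail verdict on an internal-looking From: address), run over constructed sample messages. The tenant domains, the Direct Send device allow-list and the three messages are all assumptions made for the example.

```python
"""Triage inbound mail for the spoofing pattern described in the post: an
internal-looking From: address whose Microsoft 365 composite authentication
failed (compauth=fail), sent from an IP that is not an approved Direct Send
device. Tenant data and sample messages are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tenant data: accepted domains and the only subnet whose
# printers/scanners are permitted to use Direct Send.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
DIRECT_SEND_ALLOWLIST = [ip_network("198.51.100.0/28")]

# Microsoft 365 records the connecting IP in the spf= clause and its
# composite verdict in compauth= of the Authentication-Results header.
SENDER_IP_RE = re.compile(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)
COMPAUTH_RE = re.compile(r"compauth=(\w+)(?:\s+reason=(\d+))?", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Extract sender IP, compauth verdict and reason code from Authentication-Results."""
    ip_match = SENDER_IP_RE.search(value)
    comp_match = COMPAUTH_RE.search(value)
    return {
        "sender_ip": ip_match.group(1) if ip_match else None,
        "compauth": comp_match.group(1).lower() if comp_match else None,
        "reason": comp_match.group(2) if comp_match else None,
    }


def is_allowed_device(ip: Optional[str]) -> bool:
    """True when the connecting IP belongs to an approved Direct Send device range."""
    if ip is None:
        return False
    addr = ip_address(ip)
    return any(addr in net for net in DIRECT_SEND_ALLOWLIST)


def triage(raw_message: str) -> dict:
    """Classify one raw RFC 5322 message as ALERT, REVIEW or PASS."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    looks_internal = from_domain in INTERNAL_DOMAINS
    failed = auth["compauth"] == "fail"
    if looks_internal and failed and not is_allowed_device(auth["sender_ip"]):
        verdict = "ALERT"    # internal sender spoofed from an unknown relay
    elif looks_internal and failed:
        verdict = "REVIEW"   # approved device still failing auth: fix SPF or use a connector
    else:
        verdict = "PASS"
    return {"verdict": verdict, "from": from_addr, **auth}


# Constructed messages: a spoofed payroll lure from an unknown IP, a real
# scanner on the approved subnet, and an external sender that authenticates.
SPOOFED = """\
From: Payroll <payroll@example.com>
Subject: Updated direct deposit form
Authentication-Results: spf=fail (sender IP is 203.0.113.77) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=example.com;compauth=fail reason=001

Please complete the attached form today.
"""
LEGIT_DEVICE = """\
From: Scanner <scanner@example.com>
Subject: Scanned document
Authentication-Results: spf=fail (sender IP is 198.51.100.5) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=example.com;compauth=fail reason=001

"""
EXTERNAL_OK = """\
From: Vendor Billing <billing@vendor.example.net>
Subject: Invoice 1042
Authentication-Results: spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=vendor.example.net; dkim=pass header.d=vendor.example.net;dmarc=pass action=none header.from=vendor.example.net;compauth=pass reason=100

"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT_DEVICE, EXTERNAL_OK):
        print(triage(sample))
```

The REVIEW outcome is the case worth keeping separate: an approved device that still fails composite authentication is a sign the tenant's SPF record or connector setup does not cover it, which is the same gap an attacker's relay exploits.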