A sophisticated phishing campaign has been exploiting Microsoft 365's Direct Send feature, targeting over 70 organizations across various sectors in the United States since May 2025. This attack underscores the evolving tactics of cybercriminals and highlights the need for organizations to reassess their email security configurations.

Understanding the Direct Send Exploit

Microsoft 365's Direct Send feature lets on-premises devices and applications, such as printers, scanners and line-of-business systems, hand mail to the tenant's Exchange Online endpoint without authenticating. It was designed for convenience, but because the endpoint does not verify who is connecting, the same path is open to anyone on the Internet. Attackers have abused this design to impersonate internal users and deliver phishing emails that slip past controls aimed at external mail.
In this campaign, the threat actors used PowerShell scripts to submit mail to the victims' smart hosts, the tenant MX endpoints with names of the form company-com.mail.protection.outlook.com. These endpoints accept unauthenticated SMTP connections from any source, and a message whose sender and recipient both belong to the tenant's domains is processed as internal (Direct Send) mail. By sending messages that appeared to originate from legitimate internal addresses, the attackers achieved:
  • Impersonation: Emails closely resembled genuine internal communications, with sender and recipient addresses matching legitimate formats.
  • Bypassing Filters: Because Direct Send traffic is handled as internal, the SPF, DKIM and DMARC results recorded for the messages were not used to stop them; mail that failed authentication still reached the inbox.
  • Evading Authentication Requirements: Because the smart host itself is trusted, unauthenticated external actors could inject messages straight into inboxes.
A typical attack chain used PowerShell commands to send the spoofed emails through the smart host. The subject lines, such as "New Missed Fax-msg" or "Caller Left VM Message", mimicked routine fax and voicemail notifications to entice recipients to open them.
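The acceptance rule described above can be turned into a triage step. The following is an added example, not code from the original article, from Varonis or from Microsoft: it models the decision the tenant endpoint makes (anonymous submission, sender and recipient both in tenant domains, therefore treated as internal Direct Send mail whoever connected), flags Direct Send messages whose connecting IP is not a known device, and produces the inventory of sources an admin needs before closing the anonymous path. The record layout, the tenant domains, the device egress range and the sample records are all constructed for this example and are not an Exchange Online export format.

```python
"""Triage of message-trace-style records for Direct Send abuse.

Added example; this is not code from the original article, Varonis or
Microsoft. It models the acceptance rule the article describes: a message
that reaches the tenant's MX endpoint (company-com.mail.protection.outlook.com)
without SMTP authentication, with sender and recipient both in the tenant's
domains, is processed as internal Direct Send mail no matter who connected.
The record layout, the tenant data and the sample records are constructed
for this example and are not an Exchange Online export format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed tenant data (hypothetical): accepted domains, and the egress
# ranges of the printers and scanners that are expected to use Direct Send.
TENANT_DOMAINS = {"company.com", "company.net"}
KNOWN_DEVICE_NETS = [ip_network("203.0.113.0/28")]


@dataclass(frozen=True)
class TraceRecord:
    sender: str          # header From address
    recipient: str
    source_ip: str       # client IP that connected to the MX endpoint
    authenticated: bool  # submitted with SMTP AUTH/OAuth (True) or anonymously
    spf: str             # results as recorded in Authentication-Results
    dmarc: str
    subject: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_direct_send(rec: TraceRecord) -> bool:
    """Anonymous submission with both parties in tenant domains: treated as
    intra-organisational (Direct Send) regardless of the connecting IP."""
    return (not rec.authenticated
            and _domain(rec.sender) in TENANT_DOMAINS
            and _domain(rec.recipient) in TENANT_DOMAINS)


def from_known_device(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_DEVICE_NETS)


def suspicion_reasons(rec: TraceRecord) -> list:
    """Why a Direct Send message deserves a second look. The authentication
    results are reported here, not trusted: the article's point is that a
    failing SPF/DMARC on Direct Send mail was still delivered."""
    reasons = []
    if not from_known_device(rec.source_ip):
        reasons.append("source-ip-not-allowlisted")
    if rec.spf != "pass":
        reasons.append("spf=" + rec.spf)
    if rec.dmarc != "pass":
        reasons.append("dmarc=" + rec.dmarc)
    return reasons


def classify(rec: TraceRecord) -> str:
    if not is_direct_send(rec):
        return "not-direct-send"
    reasons = suspicion_reasons(rec)
    if reasons:
        return "direct-send:SUSPECT(" + ",".join(reasons) + ")"
    return "direct-send:known-device"


def inventory(records) -> dict:
    """Before enabling 'Reject Direct Send': which source IPs really rely on
    the anonymous path, and how much mail each one sent."""
    counts = {}
    for rec in records:
        if is_direct_send(rec):
            counts[rec.source_ip] = counts.get(rec.source_ip, 0) + 1
    return counts


# Constructed sample records (not real traffic).
SAMPLE = [
    TraceRecord("scanner@company.com", "alice@company.com", "203.0.113.5",
                False, "pass", "pass", "Scanned document"),
    TraceRecord("alice@company.com", "bob@company.com", "198.51.100.77",
                False, "fail", "fail", "New Missed Fax-msg"),
    TraceRecord("news@vendor.example", "bob@company.com", "192.0.2.10",
                False, "pass", "pass", "Monthly newsletter"),
    TraceRecord("alice@company.com", "carol@company.com", "192.0.2.200",
                True, "pass", "pass", "Lunch?"),
]


def triage(records=SAMPLE) -> list:
    return [(rec.subject, classify(rec)) for rec in records]


if __name__ == "__main__":
    for subject, verdict in triage():
        print(f"{verdict:60} {subject}")
    print("Direct Send sources:", inventory(SAMPLE))
```

The fourth sample is internal-to-internal but authenticated, so it is not Direct Send and is left alone; the second is the campaign pattern: internal-looking addresses, an anonymous submission from an address outside the device range, and failing SPF/DMARC that the endpoint recorded but did not act on. The inventory is the list to reconcile against known devices before the anonymous path is closed.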

Anatomy of the Phishing Lure

The phishing emails included PDF attachments that prompted recipients to scan a QR code, leading to counterfeit Microsoft login pages designed to harvest credentials. This method, known as "quishing," exploits the growing trust in QR codes and the increasing use of mobile devices for authentication.
The multi-stage process had several advantages:
  • Bypassing Security Gateways: Many spam filters are configured to scan links in email bodies or attached PDFs for indicators of phishing. By avoiding clickable links and instead relying on QR codes, the attackers circumvented much of the static and behavioral analysis meant to protect users.
  • Social Engineering Under the Radar: QR codes are less likely to be scrutinized by automated security measures. Employees, eager not to miss a business-critical voicemail, might scan the code with a smartphone, often a personal device outside the corporate proxy and endpoint controls, increasing the chance of credential harvesting.
  • Credential Theft: The phishing website behind the QR code typically presented a convincing Microsoft login page, designed to harvest Office 365 credentials that could be used for further compromise or resale.
This layered tactic of masquerading as internal, leveraging trusted workflow notifications and exploiting cross-device user behavior made the lure far harder to catch.

Why Traditional Defenses Failed

The campaign's effectiveness can be directly traced to the interplay of trust assumptions and gaps in existing protections:
  • SPF, DKIM, and DMARC Limitations: Organizations rely on these protocols to authenticate message origins, and Exchange Online did evaluate them here: mail from the attackers' IPs failed SPF and DMARC. The verdict was not acted on, however, because the messages had arrived through the organization's own smart host and were therefore treated as internal rather than as external mail subject to those policies.
  • Internal Email Blind Spots: Corporate environments often apply less scrutiny, and raise lower-priority alerts, for emails classified as internal. Anti-spam and quarantine policies are typically aimed at external senders, so anything that appears intra-company passes with little inspection.
  • Smart Host Misconfiguration: Microsoft's own guidance has long warned about incorrect Direct Send configuration. Admins prepared to tightly restrict which sources may use the feature could minimize the risk, but complex environments and staff turnover often left these endpoints exposed.

Microsoft's Response and Mitigation Efforts

Microsoft has historically been aware of Direct Send’s risk profile, recommending its use only for “advanced customers willing to take on the responsibilities of email server admins.” Specifically, the company notes, “You need to be familiar with setting up and following best practices for sending email over the Internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens security.”
In April 2025, Microsoft introduced a "Reject Direct Send" organization setting, surfaced as a toggle in the Exchange Admin Center, that lets admins block unauthenticated Direct Send attempts outright. The feature, still in public preview at the time of this writing, responded to the fact that SPF, DKIM or DMARC hard-fail policies could not reliably block internal spoofing without risking legitimate mail delivery failures. Microsoft previously recommended SPF soft-fail ("~all") precisely because aggressive blocking could disrupt valid routing scenarios, an uneasy compromise now exposed by this attack.
Though disabling Direct Send is as simple as toggling the “Reject Direct Send” setting, the practical challenge for many enterprises lies in identifying and updating every system and device that depends on the feature. Legacy scanners, line-of-business apps, or even contract manufacturing systems might silently break if the smart host channel is summarily closed.

Varonis' and Industry Best Practices

Beyond Microsoft’s direct recommendations, the security and risk management community has issued a suite of urgent guidance in the wake of the attack:
  • Implement Strict DMARC Policies: Moving from a "none" or "quarantine" stance to a full "reject" policy (p=reject) can help mitigate spoofing across the board, though it requires careful review of DMARC aggregate reports first so that legitimate senders are not rejected along with the spoofers.
  • Flag or Quarantine Unauthenticated Internal Messages: Even messages appearing to originate within the organization should be subject to authentication and anomaly detection, especially when traveling through paths typically reserved for external communications.
  • Enforce SPF Hardfail Where Possible: For critical domains or systems, changing "~all" to "-all" tightens SPF evaluation, but it only helps where receivers act on the result, and any legitimate source missing from the record will then fail delivery.
  • Enable Advanced Anti-Spoofing and Anomaly Detection: Exchange Online Protection and other email security gateways can be tuned for more aggressive anti-spoofing, monitoring for sender-recipient address pairings, unexpected geographies, or odd device fingerprints.
  • User Education and QR Phishing Awareness: Regular training—especially around unexpected QR codes, links, or requests for credentials—is vital. Employees should recognize that, in the modern threat landscape, even internal-looking emails may be compromised.
  • Monitor for Indicators of Compromise (IOCs): Varonis and others have published lists of malicious domains, IPs, and behavioral fingerprints to help organizations rapidly detect and respond to suspected abuse.
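The interplay between the SPF qualifier, the DMARC policy and the "internal" treatment of Direct Send mail (described under "Why Traditional Defenses Failed" and in the first three recommendations above) is easier to see when worked through. The following is an added example, not code from the article, from Varonis or from Microsoft: an SPF evaluator for ip4/ip6/all mechanisms, a DMARC verdict, and a simplified model of what the tenant endpoint does with the result. The SPF records, IP addresses and the enforce_on_internal knob (standing in for whatever anti-spoofing policy a tenant applies to internal-looking mail) are constructed assumptions; no DNS is queried and include:, a and mx are not resolved.

```python
"""SPF and DMARC evaluation for a spoofed Direct Send message.

Added example; not code from the article, Varonis or Microsoft. It shows
what '~all' versus '-all' and p=none versus p=reject change for the spoofed
message, and that none of it matters if the receiving side does not act on
the verdict, which is what the article says happened for Direct Send mail.
No DNS is queried: the SPF records are constructed strings, and only the
ip4/ip6 and all mechanisms are implemented (include:, a and mx are not).
"""
from ipaddress import ip_address, ip_network

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, source_ip: str) -> str:
    """RFC 7208 style check of source_ip against an SPF record string.
    Returns pass/fail/softfail/neutral, or 'none' if there is no record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ip_address(source_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                if ip in ip_network(value, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                pass  # malformed network: skip the term
        # include:, a and mx need DNS; treated as no match in this example
    return "neutral"  # nothing matched and no explicit 'all'


def dmarc_verdict(policy: str, spf_result: str, spf_aligned: bool,
                  dkim_result: str = "none", dkim_aligned: bool = False):
    """DMARC passes only if SPF or DKIM *passes and aligns* with the From:
    domain. Softfail is not a pass. Returns (result, disposition)."""
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def smart_host_outcome(disposition: str, direct_send: bool,
                       reject_direct_send: bool, enforce_on_internal: bool) -> str:
    """Simplified model (an assumption of this example) of what the tenant
    endpoint does. With 'Reject Direct Send' on, anonymous intra-org
    submissions are refused before any of the above matters. Otherwise, as
    the article describes, Direct Send mail is handled as internal, and the
    DMARC disposition only bites if the tenant enforces it on such mail."""
    if direct_send and reject_direct_send:
        return "rejected-direct-send"
    if direct_send and not enforce_on_internal:
        return "delivered"
    return {"deliver": "delivered", "quarantine": "quarantined", "reject": "rejected"}[disposition]


# Constructed records for company.com; 203.0.113.0/28 is the office egress.
SPF_SOFT = "v=spf1 ip4:203.0.113.0/28 include:spf.protection.outlook.com ~all"
SPF_HARD = "v=spf1 ip4:203.0.113.0/28 include:spf.protection.outlook.com -all"
ATTACKER_IP, SCANNER_IP = "198.51.100.77", "203.0.113.5"


def scenario(spf_record: str, policy: str, source_ip: str,
             reject_direct_send: bool = False, enforce_on_internal: bool = False) -> dict:
    """From: alice@company.com to a company.com mailbox via the tenant MX, so
    the message counts as Direct Send and the envelope domain aligns with
    the From: domain. Only the connecting IP decides whether it is spoofed."""
    spf = evaluate_spf(spf_record, source_ip)
    dmarc, disposition = dmarc_verdict(policy, spf, spf_aligned=True)
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition,
            "outcome": smart_host_outcome(disposition, True,
                                          reject_direct_send, enforce_on_internal)}


if __name__ == "__main__":
    print("~all, p=none, spoofed:   ", scenario(SPF_SOFT, "none", ATTACKER_IP))
    print("-all, p=reject, spoofed: ", scenario(SPF_HARD, "reject", ATTACKER_IP))
    print("-all, p=reject, enforced:", scenario(SPF_HARD, "reject", ATTACKER_IP,
                                                enforce_on_internal=True))
    print("reject direct send:      ", scenario(SPF_HARD, "reject", ATTACKER_IP,
                                                reject_direct_send=True))
    print("real scanner:            ", scenario(SPF_HARD, "reject", SCANNER_IP,
                                                enforce_on_internal=True))
```

Switching ~all to -all only changes the SPF result (softfail versus fail); DMARC already fails in both cases because softfail is not a pass, so the disposition is decided by the p= policy and by whether the tenant enforces it on internal-looking mail. That is why the recommendations lead with p=reject and with treating unauthenticated internal mail as suspect, and why the Reject Direct Send setting short-circuits the whole question. The PowerShell equivalent of the toggle is Set-OrganizationConfig -RejectDirectSend $true, as documented in Microsoft's preview announcement; confirm the parameter name in your tenant before relying on it.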

The Broader Lessons: Trust, Zero Trust, and the Future of Cloud Messaging

Perhaps the most enduring takeaway from this campaign is the erosion of the “inside is safe” ideology. In cloud-first, perimeter-less environments, every internal channel represents a potential risk if not actively authenticated, monitored, and risk-scored. While features like Direct Send were conceived with benign internal networks in mind, today’s threat actors reliably exploit implicit trust wherever it resides.
This attack also underscores the need for aggressive zero-trust policies for messaging—authenticating not only user logins but every system, device, and email relay. This means inventorying legacy devices, implementing strong device identity, and shifting toward cloud-native workflow tools that are designed with security in mind.

The Final Word: Secure Foundations in a Changing World

This campaign’s success—drawing upon a blend of technical misconfiguration, psychological manipulation, and infrastructural complexity—serves as a sobering reminder: in the race to modernize workplace tech, security fundamentals must never be left behind. Features like Microsoft 365’s Direct Send were built for a different era; administrators must embrace a posture of proactive vigilance, not reactive firefighting.
For those leveraging Microsoft 365 or any major cloud platform, the imperative is clear: audit all trust boundaries, lock down legacy pathways, demand and verify authentication for every transaction, and commit to a culture of constant vigilance and awareness. As phishing campaigns get smarter, organizations must work systematically to ensure that features created for convenience never become conduits for catastrophe.

Source: SC Media, "Ongoing Microsoft 365 Direct Send phishing campaign primarily aimed at US"