
Researchers have identified a new phishing technique that leverages Microsoft 365’s Direct Send feature. This method allows attackers to send internal-looking emails—without account compromise—bypassing traditional email defenses and appearing legitimate to unsuspecting users.
What is Direct Send?
Direct Send is a legitimate feature in Microsoft 365 that allows devices like printers and scanners to send emails directly through Microsoft infrastructure without authentication. Emails are routed via a tenant-specific smart host address (e.g., tenantname.mail.protection.outlook.com). Originally designed for internal communications, this feature allows unauthenticated devices to send mail to internal recipients.
Unfortunately, this same capability can be abused. With basic information about a target organization’s domain and email structure, attackers can spoof internal addresses and deliver phishing emails that appear trusted.
How Attackers are Exploiting It
Starting in May 2025, attackers have been using Direct Send to distribute phishing emails that closely mimic internal communications. These emails often contain PDF attachments with embedded QR codes—a method known as quishing—that redirect victims to credential-harvesting websites.
Since these messages route through Microsoft’s infrastructure, both Microsoft and third-party email security tools may treat them as legitimate internal messages, effectively bypassing most protections.
Attackers do not need compromised accounts or credentials. They rely on public tenant domains, predictable email formats, and simple scripting tools to abuse Direct Send.
Why This Matters
- No account takeover is required.
- Emails pass SPF, DKIM, and DMARC checks.
- Messages appear to originate internally.
- Detection is difficult without advanced monitoring.
Mitigation Strategies
Disable Direct Send (Recommended)
To address this vulnerability directly, organizations should disable Direct Send unless absolutely necessary.
Standard Operating Procedure (SOP): Disabling Direct Send in Microsoft 365 Exchange Online
- Open PowerShell as Administrator.
- Install the Exchange Online Management Module (only required the first time):
  Install-Module -Name ExchangeOnlineManagement
- Import the module:
  Import-Module ExchangeOnlineManagement
- Connect to Exchange Online:
  Connect-ExchangeOnline
  (Sign in using Global Admin credentials.)
- Disable Direct Send:
  Set-OrganizationConfig -RejectDirectSend $true
- Verify the setting:
  Get-OrganizationConfig | Select-Object Identity, RejectDirectSend
  Ensure the output shows: RejectDirectSend : True
Notes:
- This change blocks all unauthenticated email traffic using Direct Send.
- Ensure proper documentation and change control approval before applying this configuration.
Harden SPF and DMARC Policies
Ensure SPF records use a hard fail mechanism (-all) and enforce a strict DMARC policy (p=reject) to block spoofed messages.
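As an added illustration (not code from the original post), the following Python checks whether a domain's SPF and DMARC records already match the hardened settings described above. The record strings are constructed samples; the domain, the report address and the include for Microsoft's sending range are assumptions chosen to look like a typical Microsoft 365 tenant. In practice you would obtain the two records with a DNS TXT lookup for the domain and for _dmarc.<domain> and feed the strings to assess().

```python
"""Assess SPF and DMARC TXT records against the hardening the post recommends:
'-all' on the SPF record and 'p=reject' on the DMARC record.

Added example; the records below are constructed samples, not real DNS data."""

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and note how 'all' is qualified."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; kept but never qualified
            mechanisms.append(("+", term))
            continue
        qualifier, body = "+", term  # an unqualified mechanism means "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, body = term[0], term[1:]
        mechanisms.append((qualifier, body))
        if body.lower() == "all":
            all_qualifier = qualifier
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse the semicolon-separated tag=value pairs of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings; an empty list means both records are hardened."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    if spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif spf["all"] != "-":
        findings.append(f"SPF: 'all' is {SPF_QUALIFIERS[spf['all']]} ({spf['all']}all); use -all")

    policy = dmarc.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy}; use p=reject")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of failing mail")
    sub_policy = dmarc.get("sp")
    if sub_policy and sub_policy.lower() != "reject":
        findings.append(f"DMARC: sp={sub_policy}; subdomains should also use reject")
    return findings


# Constructed sample records (not real DNS data); example.com is a placeholder domain.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

One caveat worth keeping in mind when reading the results: a hardened record still has to list Microsoft's own sending range, and a Direct Send message is relayed through that infrastructure, which is why the post lists SPF as something these messages pass. Tightening SPF and DMARC closes the ordinary spoofing route and stops lookalike mail from arbitrary hosts; it does not on its own close the Direct Send path, which is why disabling Direct Send is the primary recommendation.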
Implement Source IP and Domain Filtering
Use advanced filtering to block messages from untrusted sources, even if they appear internal.
Route All Email Through Security Gateways
Ensure all inbound messages—including internal-looking ones—pass through email security tools like Proofpoint or Mimecast.
Monitor for Anomalies
Use SIEM and monitoring tools to detect:
- Internal “From” addresses sent from external IPs.
- Messages from unexpected geolocations.
- Unusual usage of Direct Send within the organization.
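The first and third checks in the list above can be expressed as a small rule over message-trace style records. The Python below is an added example, not code from the original post or from any SIEM vendor: it flags unauthenticated messages whose From address is an internal domain but whose source IP lies outside the networks the organisation is known to send from, and counts those hits per source IP so a single external host sending many internal-looking messages stands out. The domain, the trusted networks, the field names and the event rows are all constructed assumptions; a real deployment would map the same fields from the message trace or SIEM export it has.

```python
"""Flag unauthenticated messages that carry an internal From address but arrive
from an IP outside the organisation's known sending networks.

Added example; field names and sample rows are constructed, shaped loosely like
a message-trace export, and are not real traffic."""
import ipaddress
from collections import Counter
from typing import Optional

# Assumption: the tenant's accepted domains, and the networks from which it
# legitimately sends unauthenticated mail (office egress, an on-premises relay).
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample events (documentation IP ranges, not real hosts).
SAMPLE_EVENTS = [
    {"sender": "ceo@example.com", "recipient": "staff@example.com",
     "source_ip": "203.0.113.10", "authenticated": True},     # normal authenticated user
    {"sender": "printer@example.com", "recipient": "it@example.com",
     "source_ip": "198.51.100.7", "authenticated": False},    # known unauthenticated device
    {"sender": "ceo@example.com", "recipient": "finance@example.com",
     "source_ip": "192.0.2.55", "authenticated": False},      # internal From, external IP, no auth
    {"sender": "ceo@example.com", "recipient": "hr@example.com",
     "source_ip": "192.0.2.55", "authenticated": False},      # same external host again
    {"sender": "vendor@partner.example", "recipient": "finance@example.com",
     "source_ip": "192.0.2.77", "authenticated": False},      # ordinary external mail
]

EXTERNAL_REASON = "unauthenticated-internal-from-external-ip"
TRUSTED_REASON = "unauthenticated-internal-from-trusted-network"


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_trusted_ip(ip: str) -> bool:
    """True when the address falls inside one of the organisation's known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(event: dict) -> Optional[str]:
    """Return a reason string for unauthenticated internal-From events, else None."""
    internal_from = sender_domain(event["sender"]) in INTERNAL_DOMAINS
    if not internal_from or event["authenticated"]:
        return None  # external senders and authenticated users are out of scope here
    if is_trusted_ip(event["source_ip"]):
        return TRUSTED_REASON  # expected device traffic; useful as an inventory, not an alert
    return EXTERNAL_REASON


def find_anomalies(events: list) -> list:
    """Return the high-severity events: internal From, unauthenticated, external source IP."""
    alerts = []
    for event in events:
        if classify(event) == EXTERNAL_REASON:
            alerts.append(dict(event, reason=EXTERNAL_REASON))
    return alerts


def source_summary(events: list) -> Counter:
    """Count anomalies per source IP so repeated use of one external host is visible."""
    return Counter(e["source_ip"] for e in find_anomalies(events))


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {alert['source_ip']} -> {alert['recipient']} as {alert['sender']}")
    print(source_summary(SAMPLE_EVENTS))
```

Two practical notes on using a rule like this. Run it before disabling Direct Send and review the trusted-network class as well: it is effectively an inventory of the devices that depend on the feature and need another relay path. After RejectDirectSend is set to True, the external-IP class should no longer occur at all, so any remaining hit is worth an immediate look rather than a threshold.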
User Awareness Training
Educate employees to recognize phishing techniques, especially QR-code-based quishing attacks.
Enforce Multi-Factor Authentication (MFA)
Require MFA across all accounts to prevent credential abuse if credentials are harvested.
Why Critical Path Security Clients Should Pay Attention
Direct Send abuse highlights how well-intentioned features can become attack vectors. This tactic bypasses defenses, exploits user trust, and leaves minimal footprints for detection.
At Critical Path Security, we recommend:
- Assessing your current Microsoft 365 configuration.
- Tightening SPF and DMARC policies.
- Enhancing monitoring for anomalous mailflows.
- Educating staff on phishing tactics.
Without these protections, your organization remains vulnerable to stealth phishing attacks that can lead to credential theft and breaches.
Next Steps
If you’re unsure about your Microsoft 365 configuration or want assistance reviewing your environment, Critical Path Security can help. Contact us today to secure your email infrastructure and close this emerging attack path.