Source: BleepingComputer
Author: Lawrence Abrams
URL: https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
ONE SENTENCE SUMMARY:
A phishing campaign exploiting Microsoft 365’s Direct Send feature bypasses security measures, targeting numerous U.S. organizations to steal credentials.
MAIN POINTS:
- Phishing attacks exploit Microsoft 365’s Direct Send, bypassing standard authentication and email security protocols.
- Direct Send enables unauthenticated email delivery via a tenant’s smart host, designed for devices like printers.
- Microsoft advises using Direct Send only if companies can properly manage and configure email servers.
- Varonis MDDR team discovered the phishing campaign targeting over 70 U.S. organizations since May 2025.
- Attackers primarily target financial services, manufacturing, healthcare, insurance, construction, and engineering sectors.
- Phishing emails impersonate voicemail or fax notifications, including PDF attachments branded with company logos.
- PDFs instruct victims to scan QR codes, redirecting them to fake Microsoft login pages for credential theft.
- Attackers utilize PowerShell scripts sent from external IP addresses to send internal-looking emails.
- Emails fail SPF, DKIM, and DMARC checks yet are accepted as trusted internal traffic because they arrive through the tenant’s own smart host.
- Microsoft introduced “Reject Direct Send” setting in Exchange Admin Center to mitigate these phishing attacks.
TAKEAWAYS:
- Carefully evaluate whether Direct Send is necessary, and if not, disable or restrict it immediately.
- Enable “Reject Direct Send” in Exchange Online to prevent unauthorized internal-looking emails.
- Implement strict DMARC policies (p=reject) to block unauthorized internal domain usage.
- Train employees regularly to recognize and avoid phishing attempts, especially those involving QR codes.
- Regularly monitor internal email traffic for signs of spoofing or abnormal behavior.
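The two observations above (internal-looking mail that fails SPF/DKIM/DMARC, and the advice to monitor internal traffic for spoofing) can be turned into a simple triage check. The following Python is an added example, not code from BleepingComputer, Varonis or Microsoft: it parses raw message headers, pulls the From domain, the Authentication-Results verdicts and the IP of the hop that handed the message to the tenant, and flags mail that claims the tenant's own domain, fails all three checks, and did not come from a device the tenant deliberately allows to use Direct Send. The tenant domain, the allow-listed printer range, the header layout (our MX writes the topmost Received header) and the sample messages are all constructed assumptions.

```python
"""Flag Direct Send style spoofing from message headers (added example).

Verdicts:
  direct-send-spoof    internal From domain, SPF/DKIM/DMARC all non-pass, unknown source IP
  allowed-direct-send  same failures, but the source is an allow-listed device (e.g. a scanner)
  ok                   anything else (external sender, or authentication passed)
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed tenant configuration for this example.
INTERNAL_DOMAINS = {"example.com"}
# Public ranges of devices the tenant knowingly lets relay via Direct Send
# (assumed; keep this list as short as possible, and empty if Direct Send is rejected).
ALLOWED_DIRECT_SEND_NETS = [ip_network("203.0.113.0/24")]

# Picks spf=/dkim=/dmarc= verdicts out of an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# Picks the bracketed connecting IP out of a Received header.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_auth_results(value: str) -> dict:
    """Turn an Authentication-Results header into {'spf': 'fail', 'dkim': 'none', ...}."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(value or "")}


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From address (the one the recipient sees)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def entry_ip(msg):
    """IP of the host that handed the message to the tenant.

    Assumes the topmost Received header was written by our own MX, so the IP in
    it is the external peer (the attacker's host or the allowed printer gateway).
    """
    received = msg.get_all("Received") or []
    for line in received[:1]:
        m = IP_RE.search(line)
        if m:
            return ip_address(m.group(1))
    return None


def classify(raw: str) -> dict:
    """Return a verdict plus the evidence used, for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    domain = from_domain(msg)
    ip = entry_ip(msg)

    # Treat a missing result the same as a failure: unauthenticated is unauthenticated.
    all_failed = all(auth.get(k, "none") != "pass" for k in ("spf", "dkim", "dmarc"))
    internal_from = domain in INTERNAL_DOMAINS
    allowed = ip is not None and any(ip in net for net in ALLOWED_DIRECT_SEND_NETS)

    if internal_from and all_failed and not allowed:
        verdict = "direct-send-spoof"
    elif internal_from and all_failed:
        verdict = "allowed-direct-send"
    else:
        verdict = "ok"
    return {"verdict": verdict, "from_domain": domain, "entry_ip": str(ip), "auth": auth}


# Constructed sample messages (headers only); all IPs are documentation ranges.
SPOOFED = """Received: from mail.bulk-sender.test (unknown [198.51.100.7])
    by mx.example.com with ESMTP id abc123; Mon, 2 Jun 2025 09:12:00 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com;
 dkim=none (message not signed); dmarc=fail action=none header.from=example.com
From: "Voicemail Service" <voicemail@example.com>
To: alice@example.com
Subject: New voice message (0:42)

See attached.
"""

PRINTER = """Received: from mfp-gateway.example.com (unknown [203.0.113.10])
    by mx.example.com with ESMTP id def456; Mon, 2 Jun 2025 09:15:00 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=none (message not signed); dmarc=fail action=none header.from=example.com
From: scanner@example.com
To: alice@example.com
Subject: Scanned document

See attached.
"""

EXTERNAL_OK = """Received: from mail.partner.test (mail.partner.test [192.0.2.5])
    by mx.example.com with ESMTPS id ghi789; Mon, 2 Jun 2025 09:20:00 +0000
Authentication-Results: spf=pass smtp.mailfrom=partner.test; dkim=pass header.d=partner.test;
 dmarc=pass action=none header.from=partner.test
From: bob@partner.test
To: alice@example.com
Subject: Invoice

Hi Alice.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("PRINTER", PRINTER), ("EXTERNAL_OK", EXTERNAL_OK)):
        print(name, classify(raw))
```

The point of the allow-list is that Direct Send traffic is, by design, unauthenticated, so the only distinguishing signal left is the source address; once "Reject Direct Send" is enabled the allow-list can be emptied and every `direct-send-spoof` hit becomes something to investigate rather than an expected printer.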