Source: BleepingComputer
Author: Lawrence Abrams
URL: https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/

ONE SENTENCE SUMMARY: A phishing campaign that exploits Microsoft 365’s Direct Send feature bypasses email security controls and targets numerous U.S. organizations to steal credentials.

MAIN POINTS:
- Phishing attacks exploit Microsoft 365’s Direct Send feature to bypass standard authentication and email security controls.
- Direct Send lets devices such as printers deliver mail through a tenant’s smart host without authenticating.
- Microsoft advises using Direct Send only if a company can properly manage and configure its email servers.
- The Varonis MDDR team discovered the campaign, which has targeted more than 70 U.S. organizations since May 2025.
- Attackers primarily target the financial services, manufacturing, healthcare, insurance, construction, and engineering sectors.
- The phishing emails impersonate voicemail or fax notifications and carry PDF attachments branded with the targeted company’s logo.
- The PDFs instruct victims to scan a QR code that leads to a fake Microsoft login page used to harvest credentials.
- Attackers use PowerShell scripts run from external IP addresses to send emails that appear to originate inside the organization.
- The emails fail SPF, DKIM and DMARC checks, yet because they arrive through the tenant’s smart host they are treated as trusted internal traffic and pass through security filtering.
- Microsoft has introduced a “Reject Direct Send” setting in the Exchange Admin Center to mitigate these attacks.

TAKEAWAYS:
- Carefully evaluate whether Direct Send is necessary; if it is not, disable or restrict it immediately.
- Enable “Reject Direct Send” in Exchange Online to prevent unauthorized internal-looking emails.
- Implement a strict DMARC policy (p=reject) to block unauthorized use of internal domains.
- Train employees regularly to recognize and avoid phishing attempts, especially those involving QR codes.
- Regularly monitor internal email traffic for signs of spoofing or abnormal behavior.
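The monitoring takeaway above and the main point about messages that fail SPF/DKIM/DMARC yet land as internal traffic describe one detectable pattern: a message claiming the tenant’s own domain, arriving from a source that is not one of the devices expected to use Direct Send, with no passing DMARC result. The triage script below is an added example, not code from the article, from Varonis or from Microsoft; it assumes `example.com` as the tenant domain, `203.0.113.0/24` as the printer/relay range that is allowed to use Direct Send, and constructed sample records shaped like a message-trace export with the Authentication-Results header text attached.

```python
import ipaddress
import re

# Assumptions, not from the article: the tenant's accepted domain and the
# address ranges legitimately allowed to use Direct Send (printers, on-prem relay).
OUR_DOMAIN = "example.com"
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records shaped like a message-trace export, with the
# Authentication-Results header text attached. None are real messages.
SAMPLE_MESSAGES = [
    {"subject": "New voicemail message", "from": "voicemail@example.com",
     "source_ip": "198.51.100.77",  # external host, as in the campaign
     "auth": "spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com; "
             "dkim=none (message not signed) header.d=none; "
             "dmarc=fail action=none header.from=example.com"},
    {"subject": "Scan from MFP-2F", "from": "scanner@example.com",
     "source_ip": "203.0.113.20",  # our printer subnet: expected Direct Send use
     "auth": "spf=fail smtp.mailfrom=example.com; dkim=none; "
             "dmarc=fail action=none header.from=example.com"},
    {"subject": "Q3 invoice", "from": "billing@partner.test",
     "source_ip": "198.51.100.9",  # not our domain: ordinary DMARC handling
     "auth": "spf=fail smtp.mailfrom=partner.test; dkim=none; "
             "dmarc=fail action=none header.from=partner.test"},
    {"subject": "Team lunch", "from": "alice@example.com",
     "source_ip": "192.0.2.5",  # authenticated internal mail
     "auth": "spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; "
             "dmarc=pass action=none header.from=example.com"},
]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def parse_auth_results(header: str) -> dict:
    """Map each of spf/dkim/dmarc to its verdict from an Authentication-Results header."""
    return dict(AUTH_RE.findall(header))

def is_direct_send_spoof(msg: dict) -> bool:
    """Our domain in From:, from an untrusted source, with no passing DMARC:
    the combination the article describes for Direct Send abuse."""
    from_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if from_domain != OUR_DOMAIN:
        return False
    if any(ipaddress.ip_address(msg["source_ip"]) in net for net in TRUSTED_SOURCES):
        return False
    return parse_auth_results(msg["auth"]).get("dmarc") != "pass"

def find_direct_send_spoofs(messages: list) -> list:
    """Return the subjects of messages that match the spoofing pattern."""
    return [m["subject"] for m in messages if is_direct_send_spoof(m)]
```

Only the voicemail lure is flagged: the printer scan comes from an allowed range, the partner invoice is not our domain, and the internal message passes DMARC.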