Varonis' Managed Data Detection and Response (MDDR) Forensics team has uncovered a stealthy and widespread phishing campaign that abuses a legitimate Microsoft 365 feature known as Direct Send. Exploited by threat actors to spoof internal users and bypass traditional email security measures, this technique allowed attackers to target more than 70 organizations, primarily based in the U.S., without ever needing to compromise an account.
Direct Send is a Microsoft 365 feature designed to allow printers and internal devices to send emails without requiring authentication. The feature operates using smart hosts that follow a predictable structure, such as tenantname.mail.protection.outlook.com.
Originally intended for internal use, this configuration does not require login credentials, and that is exactly what makes it dangerously exploitable: anyone who can reach the smart host can submit mail to the tenant.
"No authentication is required. That means attackers don't need credentials, tokens, or access to the tenant: just a few publicly available details," Varonis warns.
Once a threat actor identifies a tenant's domain and valid internal email addresses (often scraped from public sources), they can craft emails that appear to be sent from within the organization, completely unauthenticated.
Varonis identified that attackers use PowerShell scripts to send spoofed emails through these smart hosts. Here’s a simplified example of a command used:
This makes the email appear as though it came from a trusted internal address, increasing the likelihood of user interaction. Since the message is routed through Microsoft's own infrastructure, it bypasses spam filters and security policies that trust internal mail.
"The email is routed through Microsoft's infrastructure and appears to originate from within the tenant… bypass[ing] traditional email security controls."
In one observed case, a Ukrainian IP address triggered an alert for "Abnormal behavior: Activity from stale geolocation." However, there were no login events, only email activity. Users appeared to be sending spoofed emails to themselves using PowerShell, a highly irregular behavior.
"This pattern was distinct… and immediately pointed us toward a likely root cause: Direct Send abuse."

The phishing emails mimicked voicemail notifications and included a PDF attachment with a QR code. When scanned, this code redirected users to a phishing site designed to harvest Microsoft 365 credentials, a growing trend known as quishing.
Email header analysis confirmed that the attacker:
- Originated from an external IP address
- Failed SPF, DKIM, and DMARC checks
- Yet successfully delivered the spoofed email internally
"This is a textbook example of how Direct Send can be exploited when left unprotected."
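The header analysis above can be reduced to a triage rule: a message whose From: address claims the tenant's own domain, but whose Authentication-Results show SPF, DKIM and DMARC failures and an external sender IP, is a Direct Send spoof candidate. The following script is an added example written for this article, not Varonis' tooling. The tenant domain, the "known printer" IP range and the three sample messages are constructed; the Authentication-Results layout follows the form Exchange Online stamps on inbound mail.

```python
"""Triage inbound mail for Direct Send style spoofing of an internal sender.

Added example, not Varonis' code.  It flags messages that claim to come from
the tenant's own domain while failing SPF/DKIM/DMARC from an external IP,
which is the header pattern the article describes.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

TENANT_DOMAIN = "example.com"  # assumed tenant domain (constructed)
# Constructed: address range of devices (printers, scanners) that are
# expected to use Direct Send without authentication.
INTERNAL_DEVICE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")


def parse_auth_results(header):
    """Return ({method: result}, sender_ip) from an Authentication-Results header."""
    header = header or ""
    results = {m.lower(): r.lower() for m, r in _RESULT_RE.findall(header)}
    ip_match = _SENDER_IP_RE.search(header)
    return results, (ip_match.group(1) if ip_match else None)


def is_internal_device(ip):
    """True when the connecting IP is one of the ranges allowed to use Direct Send."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_DEVICE_RANGES)


def assess(raw_message):
    """Classify a raw RFC 5322 message.  Returns (verdict, list_of_reasons)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != TENANT_DOMAIN:
        return "external-sender", []          # ordinary inbound mail, out of scope here
    results, sender_ip = parse_auth_results(msg.get("Authentication-Results"))
    failures = [f"{m}={results.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    if not failures:
        return "authenticated-internal", []
    if is_internal_device(sender_ip):
        # Expected Direct Send use from a known device range: review, not alert.
        return "unauthenticated-device", failures
    failures.append(f"sender IP {sender_ip} is outside the internal device ranges")
    return "spoofed-internal", failures


# Constructed sample messages (not real captures).
SPOOFED_SAMPLE = "\n".join([
    'From: "Voicemail Service" <helpdesk@example.com>',
    "To: alice@example.com",
    "Subject: New voicemail message",
    "Authentication-Results: spf=fail (sender IP is 203.0.113.45) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=none header.from=example.com;",
    "",
    "You have a new voicemail. See the attached PDF.",
])
PRINTER_SAMPLE = "\n".join([
    "From: scanner@example.com",
    "To: alice@example.com",
    "Subject: Scanned document",
    "Authentication-Results: spf=none (sender IP is 192.0.2.10) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=example.com;",
    "",
    "Your scan is attached.",
])
EXTERNAL_SAMPLE = "\n".join([
    "From: news@vendor.example",
    "To: alice@example.com",
    "Subject: Newsletter",
    "Authentication-Results: spf=pass (sender IP is 198.51.100.7) "
    "smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example;"
    "dmarc=pass action=none header.from=vendor.example;",
    "",
    "Hello.",
])

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_SAMPLE), ("printer", PRINTER_SAMPLE),
                         ("external", EXTERNAL_SAMPLE)]:
        verdict, reasons = assess(sample)
        print(f"{name:9} -> {verdict}  {'; '.join(reasons)}")
```

The verdict `unauthenticated-device` exists so that the legitimate use case Direct Send was built for (a printer on a known internal range) is reviewed rather than alerted on; everything else that claims the tenant's domain without passing authentication from an external IP is treated as the spoof pattern in the article.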
Varonis outlines several critical steps to mitigate this threat:
- Enable "Reject Direct Send" in the Exchange Admin Center
- Flag unauthenticated internal emails for review or quarantine
- Enforce strict DMARC policies (e.g., p=reject)
- Enforce SPF hardfail and use Anti-Spoofing policies
- Enable MFA and apply Conditional Access Policies
- Educate users about QR code phishing (quishing) tactics
- Use static IPs in SPF records to restrict senders
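Two of the mitigations above, strict DMARC (p=reject) and SPF hardfail with static IPs, are checks on the tenant's published DNS TXT records. The script below is an added example, not Varonis' code, that evaluates SPF and DMARC record strings against those recommendations; the records are passed in as constructed strings so it runs offline, and fetching the live TXT records is left to the reader.

```python
"""Check SPF and DMARC TXT records against the article's hardening list.

Added example, not Varonis' code.  Records are supplied as strings
(constructed samples below) rather than fetched from DNS.
"""


def check_spf(record):
    """Return a list of findings for an SPF record; empty means it meets the bar."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier != "-":
            findings.append(f"'{all_term}' is not a hardfail; use '-all'")
    if not any(t.lower().startswith(("ip4:", "ip6:")) for t in terms):
        findings.append("no static ip4:/ip6: entries; senders are not pinned to known addresses")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means it meets the bar."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}; the recommendation is p=reject")
    sub_policy = tags.get("sp")
    if sub_policy and sub_policy.lower() != "reject":
        findings.append(f"sp={sub_policy}: subdomains are weaker than the organizational domain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to spot spoofing attempts")
    return findings


# Constructed sample records (not any real tenant's DNS).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("strong SPF", STRONG_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("strong DMARC", STRONG_DMARC, check_dmarc)]:
        print(f"{label:12}: {fn(rec) or ['ok']}")
```

These record checks complement rather than replace the "Reject Direct Send" setting: the article's own header analysis shows the spoofed message failed SPF, DKIM and DMARC and was still delivered internally, so the policy records alone did not stop it.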