
Varonis’ Managed Data Detection and Response (MDDR) Forensics team has uncovered a stealthy and widespread phishing campaign that abuses a legitimate Microsoft 365 feature known as Direct Send. Exploited by threat actors to spoof internal users and bypass traditional email security measures, this technique allowed attackers to target more than 70 organizations—primarily based in the U.S.—without ever needing to compromise an account.
Direct Send is a Microsoft 365 feature designed to let printers, scanners and other internal devices send email without authenticating. It works by submitting mail directly to the tenant's Microsoft 365 smart host, which is simply the domain's public MX endpoint and follows a predictable pattern such as tenantname.mail.protection.outlook.com.
Because the feature was intended for devices inside the organization, the smart host accepts such messages without login credentials. That makes it dangerously exploitable: anyone on the internet can reach the same endpoint.
“No authentication is required. That means attackers don’t need credentials, tokens, or access to the tenant—just a few publicly available details,” Varonis warns.
Once a threat actor identifies a tenant’s domain and valid internal email addresses (often scraped from public sources), they can craft emails that appear to be sent from within the organization—completely unauthenticated.
Varonis identified that attackers use PowerShell scripts to send spoofed emails through these smart hosts; the report includes a simplified example of the command used.
Spoofing a trusted internal address in this way increases the likelihood that the recipient interacts with the message. Because it enters through Microsoft's own infrastructure, it can be treated as internal traffic and slip past spam filters and security policies that only scrutinise external mail.
“The email is routed through Microsoft’s infrastructure and appears to originate from within the tenant… bypass[ing] traditional email security controls.”
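The following is an added example and is not the command from the Varonis report. It is a PowerShell check you can run against a tenant you administer to see whether it still accepts unauthenticated Direct Send: it looks up the smart host from the public MX record and submits a message to yourself with no SMTP AUTH. contoso.com and the mailbox address are placeholders; Resolve-DnsName requires the Windows DnsClient module. Sending spoofed mail to a tenant you do not own is illegal in most jurisdictions.

```powershell
# Added example: test whether YOUR OWN tenant accepts unauthenticated Direct Send.
# Not the Varonis command. $Domain and $Mailbox are placeholders for a tenant you control.
param(
    [string]$Domain  = "contoso.com",          # assumed: a domain you administer
    [string]$Mailbox = "secops@contoso.com"    # assumed: your own mailbox
)

# 1. The smart host is just the domain's public MX record
#    (e.g. contoso-com.mail.protection.outlook.com). No credentials needed to find it.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference |
      Select-Object -First 1 -ExpandProperty NameExchange
Write-Host "Smart host for $Domain is $mx"

# 2. Submit a message with an internal From address and no authentication.
#    Send-MailMessage speaks plain SMTP on port 25; with no -Credential it never
#    issues AUTH, which is exactly what Direct Send permits.
$subject = "Direct Send test $(Get-Date -Format s)"
try {
    Send-MailMessage -SmtpServer $mx -Port 25 `
        -From $Mailbox -To $Mailbox `
        -Subject $subject `
        -Body "Unauthenticated Direct Send test. If this reached the inbox, Direct Send is still accepted." `
        -ErrorAction Stop
    Write-Host "Accepted by $mx without authentication."
    Write-Host "Open '$subject' in the mailbox and inspect its Authentication-Results header."
}
catch {
    # With Reject Direct Send enabled, Exchange Online refuses the message during the
    # SMTP session (typically a 550 5.7.68 response). Any other error is usually a
    # network block: many ISPs and cloud providers filter outbound TCP/25.
    Write-Host "Rejected or blocked: $($_.Exception.Message)"
}
```

If the message is accepted, look at its headers in the mailbox: you should see spf=fail and dmarc=fail despite the message being delivered to the inbox, which is the signature described in the next section.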
In one observed case, a Ukrainian IP address triggered an alert for “Abnormal behavior: Activity from stale geolocation.” However, there were no login events—only email activity. Users appeared to be sending spoofed emails to themselves using PowerShell, a highly irregular behavior.
“This pattern was distinct… and immediately pointed us toward a likely root cause: Direct Send abuse.”

The phishing emails mimicked voicemail notifications and included a PDF attachment with a QR code. When scanned, this code redirected users to a phishing site designed to harvest Microsoft 365 credentials—a growing trend known as quishing.
Email header analysis confirmed that the spoofed message:
- Originated from an external IP address, not from any of the organization's authorized senders
- Failed SPF, DKIM and DMARC checks
- Was nevertheless delivered internally as though it had come from a trusted colleague
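As an added example (not part of the Varonis write-up), here is a PowerShell triage function that checks a raw message header for the three indicators listed above: a From address in the tenant's own domain, no authentication to Exchange Online (X-MS-Exchange-Organization-AuthAs: Anonymous), and SPF, DKIM and DMARC all failing. The header below is constructed for the example; contoso.com is a placeholder and 203.0.113.45 is a documentation address standing in for the attacker's external IP.

```powershell
# Added example: flag the Direct Send signature in a raw message header.
# The sample header is constructed; it is not a real captured message.
$sampleHeader = @"
Received: from contoso-com.mail.protection.outlook.com (10.0.0.5) by
 AM0PR03MB1234.eurprd03.prod.outlook.com with HTTPS; Tue, 24 Jun 2025 09:12:01 +0000
Received: from [203.0.113.45] (203.0.113.45) by
 contoso-com.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Tue, 24 Jun 2025 09:11:59 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com;compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Alice Example <alice@contoso.com>
To: Alice Example <alice@contoso.com>
Subject: New voicemail message
"@

function Get-HeaderValue {
    # Return the value(s) of one named header from already-unfolded header lines.
    param([string[]]$Lines, [string]$Name)
    $Lines | Where-Object { $_ -match "^$([regex]::Escape($Name))\s*:" } |
        ForEach-Object { $_ -replace '^[^:]+:\s*', '' }
}

function Test-DirectSendIndicators {
    param(
        [Parameter(Mandatory)][string]$RawHeader,
        [Parameter(Mandatory)][string]$TenantDomain
    )
    # Unfold RFC 5322 continuation lines (a line starting with whitespace continues
    # the previous header) so that each header occupies a single line.
    $lines = ($RawHeader -replace "`r?`n[ \t]+", " ") -split "`r?`n"

    $auth   = (Get-HeaderValue $lines 'Authentication-Results') -join ' '
    $spf    = if ($auth -match 'spf=(\w+)')   { $Matches[1] } else { 'missing' }
    $dkim   = if ($auth -match 'dkim=(\w+)')  { $Matches[1] } else { 'missing' }
    $dmarc  = if ($auth -match 'dmarc=(\w+)') { $Matches[1] } else { 'missing' }
    $srcIp  = if ($auth -match 'sender IP is ([0-9a-fA-F\.:]+)') { $Matches[1] } else { $null }
    $authAs = [string](Get-HeaderValue $lines 'X-MS-Exchange-Organization-AuthAs' | Select-Object -First 1)
    $from   = [string](Get-HeaderValue $lines 'From' | Select-Object -First 1)
    $fromDomain = if ($from -match '@([\w\.-]+)') { $Matches[1].ToLower() } else { $null }

    # The Direct Send signature: claims to be from our own domain, was never
    # authenticated to Exchange Online, and fails every sender-authentication check.
    $claimsInternal = $fromDomain -eq $TenantDomain.ToLower()
    $anonymous      = $authAs -eq 'Anonymous'
    $allAuthFailed  = ($spf -ne 'pass') -and ($dkim -ne 'pass') -and ($dmarc -ne 'pass')

    [pscustomobject]@{
        FromDomain       = $fromDomain
        SenderIP         = $srcIp
        SPF              = $spf
        DKIM             = $dkim
        DMARC            = $dmarc
        AuthAs           = $authAs
        LikelyDirectSend = $claimsInternal -and $anonymous -and $allAuthFailed
    }
}

# Usage: the constructed header above yields LikelyDirectSend = True.
Test-DirectSendIndicators -RawHeader $sampleHeader -TenantDomain 'contoso.com' | Format-List
```

The function deliberately keys on the Authentication-Results and AuthAs headers rather than trying to classify the sender IP on its own: an external IP is not by itself suspicious (your own SPF-listed relays are external too), but an internal From address that arrives anonymously and fails SPF is.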
“This is a textbook example of how Direct Send can be exploited when left unprotected.”
Varonis outlines several critical steps to mitigate this threat:
- Enable “Reject Direct Send” in the Exchange Admin Center (the same setting is exposed in Exchange Online PowerShell as the RejectDirectSend organization setting)
- Flag unauthenticated emails that claim an internal sender for review or quarantine
- Enforce strict DMARC policies (e.g., p=reject)
- Enforce SPF hardfail (-all) and use anti-spoofing policies
- Enable MFA and apply Conditional Access policies, so that credentials harvested by the phishing page are not enough on their own to sign in
- Educate users about QR code phishing (quishing) tactics
- Limit the SPF record to the static IPs of systems that genuinely send as your domain
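The mail-flow portions of that list can be checked and applied from Exchange Online PowerShell. The script below is an added example, not Varonis' own tooling: it reads the RejectDirectSend setting and turns it on, verifies that the domain's SPF record ends in -all and that DMARC is p=reject, and creates a transport rule that quarantines mail claiming an internal sender that arrives from outside the organization without passing SPF. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and the Windows DnsClient module; contoso.com and admin@contoso.com are placeholders.

```powershell
# Added example: harden an Exchange Online tenant against Direct Send spoofing.
# Placeholders: contoso.com, admin@contoso.com. Requires ExchangeOnlineManagement.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$domain = "contoso.com"

# 1. Reject Direct Send. Devices that genuinely need to relay should move to
#    SMTP AUTH client submission or an inbound connector scoped to their static IPs.
$org = Get-OrganizationConfig
"RejectDirectSend currently: $($org.RejectDirectSend)"
if (-not $org.RejectDirectSend) {
    Set-OrganizationConfig -RejectDirectSend $true
    "RejectDirectSend enabled."
}

# 2. SPF should hardfail (-all); ~all and ?all let spoofed mail through as softfail/neutral.
$spf = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -match '^v=spf1' }).Strings -join ''
"SPF: $spf"
if ($spf -notmatch '\s-all\s*$') { Write-Warning "SPF record for $domain is not hardfail (-all)" }

# 3. DMARC should be p=reject so receivers (including Microsoft 365 itself) discard failures.
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
"DMARC: $dmarc"
if ($dmarc -notmatch '(^|;)\s*p=reject') { Write-Warning "DMARC policy for $domain is not p=reject" }

# 4. Belt and braces: quarantine anything that claims our domain, arrives from outside
#    the organization, and does not pass SPF. Catches stragglers during rollout and
#    gives the SOC something to review instead of silently dropping it.
$ruleName = "Quarantine unauthenticated internal spoof"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SenderDomainIs $domain `
        -HeaderContainsMessageHeader "Authentication-Results" `
        -HeaderContainsWords "spf=fail", "spf=softfail", "spf=none" `
        -Quarantine $true `
        -Comments "Direct Send spoofing: internal From, external origin, SPF not pass"
    "Transport rule '$ruleName' created."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Before enabling RejectDirectSend in production, inventory the printers, scanners and line-of-business applications that currently rely on it, since they will start receiving SMTP rejections; the transport rule in step 4 is a useful interim control because it quarantines rather than rejects, so a device you missed shows up in the quarantine rather than failing silently.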