Abuse of Microsoft 365 Direct Send to Send Phishing Emails Impersonating Internal Users

A recent investigation by Varonis’ Managed Data Detection and Response (MDDR) Forensics team has revealed a sophisticated phishing campaign targeting over 70 organizations by exploiting the Microsoft 365 Direct Send feature. 

This campaign, active since May 2025, leverages a lesser-known capability in Exchange Online, allowing attackers to send spoofed emails that appear to originate from within the targeted organization without ever needing to compromise an account or authenticate.

Technical Details of the Abuse

Microsoft 365’s Direct Send is designed to facilitate internal communications from devices such as printers or applications, enabling them to send emails within a tenant without requiring authentication. 

It utilizes a smart host, typically in the format tenantname.mail.protection.outlook.com, to route messages. 

While intended for legitimate internal use, this feature’s lack of authentication requirements has made it a lucrative target for threat actors.

Attackers can easily identify vulnerable organizations due to the predictable format of smart host addresses and the public availability of internal email structures (e.g., [email protected]). 

By simply knowing the domain and a valid recipient address, adversaries can send spoofed emails that appear to come from trusted internal users.

[Figure: phishing emails (spoofed messages)]

These emails are routed through Microsoft’s infrastructure, often bypassing traditional security controls, including Microsoft’s own filtering mechanisms and third-party email security solutions that rely on sender reputation or authentication checks.

Observed Attack Methodology

Varonis’ forensic analysis revealed that attackers used PowerShell scripts to send phishing emails via the Direct Send smart host.

These emails, crafted to mimic legitimate internal notifications such as missed voicemails or faxes, often contained PDF attachments with embedded QR codes.

[Figure: phishing email with PDF attachment]

When scanned, these codes redirected users to phishing sites designed to harvest Microsoft 365 credentials.

Notably, the campaign’s emails failed SPF, DKIM, and DMARC checks, but were still delivered internally due to the way Direct Send handles internal-to-internal traffic. 

Analysis of message headers showed external IP addresses and a lack of authentication, further confirming the abuse.

Detection of this abuse requires careful examination of message headers and behavioral signals. 

Key indicators include emails sent from a user to themselves, PowerShell or command-line user agents, unusual IP addresses (such as those from unexpected geolocations), and suspicious attachments. 

Header analysis may reveal external IPs in the “Received” field, authentication failures, and mismatched tenant IDs.
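The header checks listed above can be scripted. The following is an added example written for this page, not code from Varonis or from the report; it parses a raw message with Python's standard email library and reports the indicators the article names: a self-addressed message, failed SPF/DKIM/DMARC results, an external submitting IP behind an internal sender, a match against the report's IOC addresses, and a PowerShell client string. The tenant domain, internal ranges, the authorized printer IP and both sample messages are constructed assumptions; the IOC networks come from the report's table, with the /16 being my reading of "139.28.X.X".

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Tenant-specific settings a defender would fill in (assumed values, not from the report).
TENANT_DOMAINS = {"example.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Static public IPs of devices (printers, scanners) allowed to use Direct Send (constructed).
AUTHORIZED_DIRECT_SEND_IPS = [ipaddress.ip_network("198.51.100.10/32")]
# From the report's IOC table; the /16 is an assumption about what "139.28.X.X" denotes.
IOC_NETWORKS = [ipaddress.ip_network("139.28.36.230/32"), ipaddress.ip_network("139.28.0.0/16")]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def received_ips(msg):
    """Collect every IPv4 literal that appears in a Received header."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in IP_RE.finditer(hdr):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:  # digit runs that are not addresses, e.g. "999.1.1.1"
                continue
    return ips


def auth_results(msg):
    """Reduce Authentication-Results headers to {"spf": ..., "dkim": ..., "dmarc": ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, res in AUTH_RE.findall(hdr):
            results.setdefault(mech.lower(), res.lower())
    return results


def analyze(raw):
    """Return the indicators found in one raw message (headers and body as a string)."""
    msg = message_from_string(raw)
    findings = []

    froms = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    sender = froms[0] if froms else ""
    sender_domain = sender.rsplit("@", 1)[-1]
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if sender and sender in rcpts:
        findings.append("self-addressed: From and To are the same mailbox")

    auth = auth_results(msg)
    if auth.get("dmarc") != "pass":  # DMARC summarises aligned SPF/DKIM
        findings.append("DMARC not passed (spf=%s dkim=%s dmarc=%s)" % (
            auth.get("spf", "missing"), auth.get("dkim", "missing"), auth.get("dmarc", "missing")))

    ips = received_ips(msg)
    trusted = INTERNAL_NETWORKS + AUTHORIZED_DIRECT_SEND_IPS
    external = [ip for ip in ips if not any(ip in net for net in trusted)]
    if sender_domain in TENANT_DOMAINS and external:
        findings.append("internal sender but external submitting IP: " + ", ".join(map(str, external)))

    ioc_hits = sorted({str(ip) for ip in ips if any(ip in net for net in IOC_NETWORKS)})
    if ioc_hits:
        findings.append("IOC match: " + ", ".join(ioc_hits))

    agent = msg.get("X-Mailer") or msg.get("User-Agent") or ""
    if "powershell" in agent.lower():
        findings.append("scripted client: " + agent)

    # Two independent indicators together are treated as suspicious.
    return {"sender": sender, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample mirroring the pattern the report describes (not a real captured message).
SPOOFED = """\
Received: from EXAMPLE-MB01.example.com (10.1.2.3) by EXAMPLE-MB02.example.com
 (10.1.2.4) with Microsoft SMTP Server
Received: from 139.28.36.230 (139.28.36.230) by example-com.mail.protection.outlook.com
 (10.1.2.3) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 139.28.36.230) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none
 header.from=example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: New Missed Fax-Msg (2 pages)
X-Mailer: Microsoft PowerShell
Content-Type: text/plain

Scan the attached document.
"""

# Constructed sample of a legitimate printer using Direct Send from its authorized IP.
BENIGN = """\
Received: from 198.51.100.10 (198.51.100.10) by example-com.mail.protection.outlook.com
 (10.1.2.3) with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none; dmarc=pass action=none
 header.from=example.com
From: Office Printer <printer@example.com>
To: alice@example.com
Subject: Scanned document
Content-Type: text/plain

Your scan is attached.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(name, analyze(sample))
```

The printer message passes because its static IP is both SPF-authorized and on the allow list, which is the state the "restrict Direct Send to specific static IP addresses" recommendation aims for; anything else claiming a tenant domain from an outside address is surfaced for review.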

To mitigate this threat, organizations are advised to:

  • Enable “Reject Direct Send” in the Exchange Admin Center.
  • Implement strict DMARC policies (e.g., p=reject).
  • Flag or quarantine unauthenticated internal emails.
  • Enforce SPF hardfail within Exchange Online Protection.
  • Apply anti-spoofing policies and educate users about QR code-based phishing (quishing).
  • Restrict Direct Send to specific static IP addresses where possible.
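Two of the items above (strict DMARC, SPF hardfail) are DNS policy settings that can be verified from the published TXT records. The block below is an added example written for this page, not Varonis' or Microsoft's code; it parses an SPF and a DMARC record and lists the weaknesses relative to the recommendations, and shows a weak pair of records beside a hardened pair. The records, domain and printer IP are constructed assumptions.

```python
def parse_spf(record):
    """Split an SPF TXT record into its mechanisms; returns [] if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    return terms[1:]


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return weaknesses in an SPF record relative to the 'SPF hardfail' recommendation."""
    terms = parse_spf(record)
    if not terms:
        return ["no SPF record"]
    issues = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    elif not all_term.startswith("-"):
        issues.append("SPF ends with '%s' instead of '-all' (hardfail)" % all_term)
    return issues


def assess_dmarc(record):
    """Return weaknesses in a DMARC record relative to the 'p=reject' recommendation."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append("DMARC policy is p=%s; spoofed mail is delivered or only quarantined"
                      % (policy or "missing"))
    elif tags.get("pct", "100") != "100":
        issues.append("pct=%s leaves part of the traffic unenforced" % tags["pct"])
    sp = tags.get("sp")
    if sp and sp.lower() != "reject":
        issues.append("subdomain policy sp=%s is weaker than the domain policy" % sp)
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports that would reveal spoofing are not collected")
    return issues


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])


# Constructed records for an assumed tenant: a common weak configuration and the hardened one.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    # The printer's static IP is listed explicitly so that legitimate Direct Send still passes SPF.
    "spf": "v=spf1 ip4:198.51.100.10 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    print("weak:", assess(WEAK))
    print("hardened:", assess(HARDENED))
```

Moving to `-all` only works once every device or application that uses Direct Send is listed in the SPF record, which is why the check and the static-IP restriction go together.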

The abuse of Microsoft 365 Direct Send underscores the need for vigilance even with features designed for internal convenience. 

Without proper controls, attackers can exploit these pathways to launch convincing phishing attacks that evade conventional defenses. 

Organizations must review their email configurations, enhance detection capabilities, and educate users to remain resilient against evolving threats.

Indicators of Compromise (IOCs)

| Type | Value/Example | Description |
| --- | --- | --- |
| IP Address | 139.28.36[.]230 | Used to send phishing emails |
| IP Range | 139.28.X.X | Multiple IPs used in campaign |
| Domains | hxxps://voice-e091b.firebaseapp[.]com, hxxps://mv4lh.bsfff[.]es | Phishing landing pages |
| Email Subjects | “Caller Left VM Message * Duration-XXXX for XXXX”, “Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX”, “New Missed Fax-msg”, “New Missed Fax-Msg (2 pages)”, “You have received a new (2 pages) Fax-Msg to email@****”, “Fax Received: Attached document for review REF” | Common subject lines in phishing emails |
| Attachments | ‘Fax-msg’, ‘Caller left VM Message’, ‘Listen’ | PDF files with QR codes for credential theft |


Kaaviya, Security Editor and reporter at Cyber Press (https://cyberpress.org/)
