Hackers Leverage Microsoft 365’s Direct Send Feature to Launch Internal Phishing Attacks

Cybersecurity researchers at Proofpoint have identified a sophisticated phishing campaign that exploits Microsoft 365’s Direct Send feature to deliver malicious emails that appear to originate from within targeted organizations.

This attack method undermines internal trust and significantly increases the success rate of social engineering attempts by leveraging a legitimate Microsoft service designed for multifunction printers and legacy applications.

How Attackers Exploit Direct Send

Direct Send is a Microsoft 365 feature that allows devices and applications to relay messages to organization tenants without authentication, provided recipients are internal users.

Threat actors have weaponized this functionality by connecting to virtual hosts running Windows Server 2022 via RDP on port 3389, then initiating SMTP connections to unsecured third-party email security appliances hosted by regional Infrastructure-as-a-Service providers.

The attack infrastructure presents valid DigiCert SSL certificates and SMTP services supporting AUTH PLAIN LOGIN with STARTTLS, while exposed ports 8008, 8010, and 8015 display expired or self-signed certificates.

Messages are then relayed through these compromised appliances to Microsoft 365 tenants using spoofed internal sender addresses.

Despite Microsoft’s composite authentication checks marking many messages as spoof attempts with “compauth=fail” flags, the emails still reach users’ junk folders, making them accessible to potential victims.

The phishing messages employ highly effective business-themed lures, including task reminders, wire authorization requests, and voicemail notifications to entice user interaction.

This campaign represents a growing trend where adversaries abuse legitimate cloud services to bypass security controls and evade detection.

The attack’s effectiveness stems from its ability to generate emails that appear internally originated, making them far more credible than typical external phishing attempts.

The impact extends beyond immediate security risks, as successful exploitation can damage organizational trust and productivity when employees can no longer rely on the authenticity of internal communications.

Defensive Measures

Proofpoint recommends several critical security measures for Microsoft 365 customers. Organizations should immediately audit their use of Direct Send and consider enabling “Reject Direct Send” via PowerShell using the command Set-OrganizationConfig -RejectDirectSend $true.

Additional protections include auditing mail flow rules for accepted unauthenticated relay IP addresses, monitoring message headers for Microsoft-flagged spoofing attempts, and enforcing strict email authentication protocols, including SPF, DKIM, and DMARC, with reject policies.

Organizations should also implement advanced email security solutions to supplement Microsoft’s native protections and establish secure authentication systems for application-generated emails to prevent future exploitation of this attack vector.
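The header-monitoring recommendation above can be automated: the following script, an added example not taken from Proofpoint or the article, parses the Authentication-Results header that Exchange Online stamps on inbound mail and flags messages whose From address claims one of the tenant's own domains while composite authentication (compauth), SPF, DKIM or DMARC did not pass. The tenant domain list and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Accepted domains of the tenant (assumption: constructed for this example).
INTERNAL_DOMAINS = {"example.com"}

# One ';'-separated clause of an Authentication-Results header: "method=result extra".
CLAUSE = re.compile(r"^\s*(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<rest>.*)$")


def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc, compauth) to (result, {prop: value})."""
    results = {}
    for clause in re.sub(r"\s+", " ", value).split(";"):
        m = CLAUSE.match(clause)
        if not m:  # e.g. a leading authserv-id, which carries no '='
            continue
        props = dict(re.findall(r"([\w.]+)=(\S+)", m.group("rest")))
        results[m.group("method")] = (m.group("result"), props)
    return results


def triage(raw_message):
    """Return findings for a message whose From domain is internal but which
    failed Microsoft's composite authentication or SPF/DKIM/DMARC."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in INTERNAL_DOMAINS:
        return []  # external senders are out of scope for this check
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    result, props = auth.get("compauth", ("none", {}))
    if result == "fail":
        findings.append(f"compauth=fail reason={props.get('reason', '?')}")
    for method in ("spf", "dkim", "dmarc"):
        result, _ = auth.get(method, ("none", {}))
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings


# Constructed sample in the header shape Exchange Online stamps on a spoofed internal message.
SPOOFED = """From: Payroll <payroll@example.com>
Subject: Payment ACH-Wire Authorization
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none;dmarc=fail action=oreject
 header.from=example.com;compauth=fail reason=001
"""

if __name__ == "__main__":
    print(triage(SPOOFED))  # ['compauth=fail reason=001', 'spf=fail', 'dkim=none', 'dmarc=fail']
```

Running the same check over a mailbox export or transport-rule sample lets a defender quarantine or alert on internally-addressed mail that Microsoft itself marked as unauthenticated instead of leaving it in junk folders.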

Indicators of Compromise (IOCs)

| Category | Details |
| --- | --- |
| Self-Signed SSL Certificate | CN=WIN-BUNS25TD77J (CN used by attacker-controlled Windows Server 2022 hosts) |
| IP Address | 163.5.112[.]86 (attacker-controlled Windows Server 2022 host used to initiate SMTP connection) |
| | 163.5.160[.]28 (attacker-controlled Windows Server 2022 host used to initiate SMTP connection) |
| | 163.5.160[.]119 (attacker-controlled Windows Server 2022 host used to initiate SMTP connection) |
| | 163.5.160[.]143 (attacker-controlled Windows Server 2022 host used to initiate SMTP connection) |
| | 163.5.169[.]53 (attacker-controlled Windows Server 2022 host used to initiate SMTP connection) |
| Observed Lures | “Your-to-do-List/MM/DD/YYYY” |
| | “WIRELESSCALLER (XXX)YYY-ZZZZ-MM/DD/YYYY” |
| | “Payment ACH-Wire Authorization” |
| | “Daily Reminder: Today’s Tasks – MM/DD/YYYY” |
| | “Reminder – To Do – MM/DD/YYYY” |
| | “WIRELESSCALLER(XXX)YYY-ZZZZ-MM/DD/YYYY” |
