An ongoing phishing campaign is apparently exploiting “Direct Send”—a feature in Microsoft 365—to deliver phishing emails that appear to come from internal email users.
The issue specifically impacts companies using a third-party email filtering system, and users on Reddit have claimed that the attacks are caught when the emails go through M365’s own filters directly.
Varonis reported in June that over 70 organizations have already been affected by this campaign, which began in May 2025. Victims are predominately based in the US, but span multiple industry verticals and locations.
Microsoft has responded in a detailed blog post, where they argue that Direct Send is not the culprit. They argue the issue is caused when MX records are pointed to “other filtering and relay services” before emails are sent to Exchange Online.
Microsoft has also added the option for organizations to apply custom header stamping and policies to detect issues exploiting the Direct Send feature, reports Dark Reading.
What Is Direct Send?
The Direct Send feature is designed to send emails directly to an Exchange Online hosted mailbox from on-prem devices, apps, or third-party cloud services using the customer’s own domain.
As per Microsoft’s blog outlining the service: “This method does not require any form of authentication because, by its nature, it mimics incoming anonymous emails from the internet, apart from the sender domain.”
Direct Send is designed to allow internal devices or apps, like printers or notification systems, to send emails to internal users without verification.
However, security research teams are warning that threat actors are leveraging this feature to deliver phishing emails to users without needing to open an account.
How The Attack Works
Multiple cybersecurity threat research teams have flagged the issue in the last couple of months, including researchers at Varonis, Barracuda, Arctic Wolf, and StrongestLayer, which has published a step-by-step breakdown outlining an example campaign it has seen.
Varonis demonstrates how a typical campaign works. Any live Microsoft 365 tenant has an endpoint with a predictable format like: tenantname.mail.protection.outlook.com.
Once a threat actor has a target in mind, they simply need the tenant name and the correct internal email format (e.g. [email protected]).
With this information, they can send spoofed emails that look like they have come from inside the organization, with no authentication required.
This can bypass email controls like SPF, DKIM, and DMARC.
There have been a few campaigns observed exploiting this method. One example outlined by Barracuda involves criminals sending out fake voicemail emails that look like they have come from an internal email domain.
Users are told to scan a QR code to access their voicemail messages. This directs the user to a fake M365 login page, where the threat actors will steal the user’s login credentials.
Microsoft’s Response
In April, Microsoft announced that users would be able to toggle Direct Send on or off with a “Reject Direct Send” setting for Exchange Online. This option is only available as a PowerShell command.
However, Microsoft warned that switching on this mode would block “any email sent to your tenant that is sent anonymously using an address that matches one of your accepted domains.”
On Monday (4 August), Microsoft released a new blog that argues Direct Send is not the issue with attacks that leverage the Microsoft 365 tenant endpoint.
They instead argue that the issue is caused by organizations pointing MX Records away from Exchange Online.
“With the publicly known and accessible Exchange Online provided endpoint, anyone on the internet can send emails to your tenant by default. That is how email works. Customers who introduce complex routing to their mail flow may define that ability as a ‘loophole’ and might not like it. If that is the case, it’s a situation created by a configuration decision (complexity was added into email routing) which then needs to be closed.”
How You Can Stay Protected
Microsoft advises that organizations with MX records pointing to a third-party domain should configure M365 to reject messages unless they come through a pre-defined inbound mail flow connector. This is outlined in this guide.
As mentioned, Microsoft has also detailed an option to enable “Reject Direct Send” and an option to create a mail flow rule configuration that quarantines or redirects all mail not coming from pre-approved remote IPs.
It is worth considering “Reject Direct Send” if you don’t have any internal apps and devices sending emails to your domains. “Turn it off so that any bad actors trying to spoof your own domains and send emails to your mailboxes are rejected outright,” as Microsoft puts it.
StrongestLayer recommends that organizations use header analysis to detect any exploitation of the Direct Send feature. They also recommend treating all HTML and SVG attachments as high risk, and implementing DMARC enforcement policies (p=reject).
Barracuda recommends disabling Direct Send entirely and enforcing multi-factor authentication for all email accounts to reduce the risk of a successful credential theft attack.
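The following is an added example, not code from the article or from Microsoft, showing how an Exchange Online administrator would apply the two controls described above: the “Reject Direct Send” organization setting and a mail flow rule that quarantines mail claiming one of your own domains unless it arrived from the filtering service’s IP ranges, plus a check that DMARC is at p=reject. It assumes the ExchangeOnlineManagement module is installed, that the operator has Exchange admin rights, and uses contoso.com, admin@contoso.com and 203.0.113.0/24 as placeholders for your accepted domain, admin account and your third-party filter’s egress IP range.

```powershell
# Added example (not from the article or from Microsoft): hardening an Exchange Online
# tenant against anonymous Direct Send abuse with the controls the article describes.
# Placeholders: contoso.com (accepted domain), admin@contoso.com (admin UPN),
# 203.0.113.0/24 (egress IP range of the third-party mail filter your MX points to).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Inventory first: printers, scanners or notification systems may rely on Direct Send.
#    Read the current value before changing anything.
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Option A, "Reject Direct Send": only appropriate when no on-prem device or app sends
#    anonymously with your own domain, because every such message will then be rejected.
Set-OrganizationConfig -RejectDirectSend $true

# 3. Option B, mail flow rule: quarantine any message from outside the organization whose
#    sender domain is one of your accepted domains, unless it came in via the filter's IPs.
#    -FromScope NotInOrganization keeps authenticated mailbox-to-mailbox mail out of scope.
#    Start in Audit mode so matches are only logged; switch to -Mode Enforce after review.
$AcceptedDomains      = @("contoso.com")        # placeholder: your accepted domain(s)
$TrustedInboundRanges = @("203.0.113.0/24")     # placeholder: filter's egress IP range(s)
$RuleName = "Quarantine spoofed internal senders bypassing filter"

New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SenderDomainIs $AcceptedDomains `
    -ExceptIfSenderIpRanges $TrustedInboundRanges `
    -Quarantine $true `
    -Mode Audit `
    -SetAuditSeverity High `
    -Priority 0 `
    -Comments "Anonymous mail claiming our own domain that did not pass through the inbound filter"

# 4. Verify the rule landed with the intended condition, exception and action.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, ExceptIfSenderIpRanges, Quarantine

# 5. Confirm the domain publishes an enforcing DMARC policy (look for "p=reject").
#    Resolve-DnsName comes from the Windows DnsClient module.
(Resolve-DnsName -Name "_dmarc.contoso.com" -Type TXT).Strings

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 1 and review message traces for legitimate anonymous senders before applying step 2; if any device depends on Direct Send, skip step 2 and rely on the rule in step 3, adding the device’s public IP to $TrustedInboundRanges. Leave the rule in Audit mode long enough to see what it would have quarantined, then change it to Enforce.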
Read more on this topic:
- Phishers Abuse Microsoft 365 To Spoof Internal Users
- Direct Send Deception: How A Microsoft 365 Exploit Fuels Hyper-Personalized Credential Theft
- Direct Send Vs Sending Directly To An Exchange Online Tenant
- Ongoing Campaign Abuses Microsoft 365’s Direct Send To Deliver Phishing Emails
- Microsoft Direct Send Phishing Attacks Explained
- Arctic Wolf Observes Microsoft Direct Send Abuse