
Understanding the Risks of Microsoft 365's Direct Send Feature in Phishing Attacks
Microsoft 365's "Direct Send" feature exists so that devices and applications such as printers and scanners can deliver mail to a tenant's own mailboxes without a mailbox login. Cybercriminals have turned it into a phishing channel: because Direct Send accepts unauthenticated SMTP connections, an attacker can use it to send messages that impersonate users inside the target organization. A recent campaign abused it against more than 70 organizations, 95% of them in the United States. The messages arrive without passing SPF, DKIM or DMARC, yet because they claim the tenant's own domain as sender they are handled as internal traffic and land in inboxes looking like legitimate internal communications (BleepingComputer).
How Cybercriminals Exploit Direct Send
Why Direct Send is Attractive to Attackers
Direct Send lets a device hand a message to the tenant's Exchange Online mail endpoint over plain SMTP, with no username or password. Microsoft designed it for printers, scanners and line-of-business applications that need to mail people inside the organization, but anything on the Internet that can reach the endpoint can use it the same way, which is what makes it attractive to abuse. In the campaign reported by Varonis it was used against more than 70 organizations, mostly in the U.S. (BleepingComputer).
Attackers use it to send messages whose From address belongs to a user in the target organization. Since the sender domain is one the tenant itself owns and the message arrives at the tenant's own endpoint, it is treated as internal traffic and delivered even though it passes none of SPF, DKIM or DMARC (BleepingComputer). The result is a convincing internal-looking lure that asks employees for sensitive information, typically their passwords.
Industries Under Attack and Their Tactics
The campaign has concentrated on Financial Services, Construction, Engineering, Manufacturing, Healthcare and Insurance. Financial Services is the most frequently hit sector, followed by Manufacturing and Construction/Engineering (BleepingComputer).
The lures pose as voicemail or fax notifications, with subjects such as "Caller Left VM Message" and PDF attachments named 'Fax-msg' or 'Play_VM-Now'. The PDFs contain no clickable link for a URL filter to inspect; instead they tell the recipient to scan a QR code, which leads to a credential-harvesting page (BleepingComputer).
How the Attacks Work
The attackers send from PowerShell straight to the victim tenant's own Exchange Online Protection endpoint, the host the tenant's MX record points at (for example company-com.mail.protection.outlook.com), which Microsoft documents as the "smart host" for Direct Send. That endpoint accepts mail addressed to the tenant's users from anyone, so no credentials are needed, and a forged internal From address is processed as internal traffic even though the message fails SPF, DKIM and DMARC (BleepingComputer).
Here is an example of a PowerShell command used in these attacks (the mailbox addresses are redacted in the published example):
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To [email protected] -From [email protected] -Subject "New Missed Fax-msg" -Body "You have received a call! Click on the link to listen to it. Listen Now" -BodyAsHtml
The command opens an anonymous SMTP session to the tenant's endpoint and submits a message with an internal From address, so the recipient sees what looks like a colleague's message and is more likely to trust it and follow its instructions.
How to Protect Against These Attacks
Varonis recommends enabling the "Reject Direct Send" setting that Microsoft introduced in April 2025 (BleepingComputer). It is a tenant-level switch on the Exchange Online organization configuration and is off by default; once enabled, the tenant rejects anonymous inbound messages that claim one of its own accepted domains as sender, so unauthenticated Direct Send from outside the tenant is refused instead of delivered. Before turning it on, inventory the printers, scanners and applications that depend on Direct Send and move them to SMTP AUTH client submission or a configured inbound connector, or they will stop sending.
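The change Varonis recommends, written out as an added example rather than code from the report or from Microsoft: it assumes the ExchangeOnlineManagement module is installed and that admin@company.com (a placeholder) is an Exchange administrator in the tenant. The function reads the current value, enables the setting only if it is off, and returns the value read back so the change can be verified rather than assumed.

```powershell
# Added example (not from the BleepingComputer/Varonis report).
# Assumes the ExchangeOnlineManagement module and an Exchange admin account;
# admin@company.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@company.com

function Enable-RejectDirectSend {
    [CmdletBinding()]
    param()

    # Weak state: RejectDirectSend is $false by default, so anonymous SMTP to the
    # tenant's MX endpoint from any Internet host is accepted when the sender
    # claims one of the tenant's accepted domains.
    $before = (Get-OrganizationConfig).RejectDirectSend
    Write-Verbose "RejectDirectSend before: $before"

    if (-not $before) {
        # Hardened state: such messages are rejected instead of delivered.
        Set-OrganizationConfig -RejectDirectSend $true
    }

    # Read the value back rather than trusting that the Set call took effect.
    return [bool]((Get-OrganizationConfig).RejectDirectSend)
}

Enable-RejectDirectSend -Verbose
```

Mail that authenticates with SMTP AUTH, or that arrives through a configured inbound connector (the usual path for on-premises hybrid servers), is outside the scope of this setting; the devices to migrate first are the ones that send anonymously to the MX endpoint.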
Organizations should also publish a strict DMARC policy (p=reject) for their domains, make sure the tenant's anti-phishing policy honors that policy rather than merely junking failures, flag or quarantine messages that claim an internal sender but arrive unauthenticated, and enable Exchange Online's anti-spoofing protections. Employee training should cover QR-code lures specifically, since these messages contain no link for a user to hover over or a filter to rewrite (BleepingComputer).
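One way to act on the advice to flag unauthenticated internal messages, and to see concretely why Direct Send mail fails authentication yet looks internal, as an added example that is not code from the report: a PowerShell function that takes a raw header block, reads the topmost Exchange Online Authentication-Results header and the From domain, and flags messages that claim one of the tenant's accepted domains while passing neither SPF nor DKIM. The two header blocks at the end are constructed for the example; company.com, partner.example, the host names and the IP addresses are placeholders. The first block is the shape a Direct Send lure takes and is flagged; the second is ordinary authenticated partner mail and is not.

```powershell
# Added example (not from the BleepingComputer/Varonis report). The sample headers
# below are constructed; company.com, partner.example, hosts and IPs are placeholders.

function Get-UnfoldedHeaderLines {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # RFC 5322 folding: continuation lines start with whitespace. Join them first.
    ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n"
}

function Get-AuthResults {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Exchange Online stamps an Authentication-Results header at the receiving hop;
    # the topmost one belongs to the hop that accepted the message from the Internet.
    $auth = @{ spf = 'none'; dkim = 'none'; dmarc = 'none'; compauth = 'none' }
    foreach ($line in Get-UnfoldedHeaderLines $RawHeaders) {
        if ($line -match '^Authentication-Results:\s*(.*)$') {
            foreach ($m in [regex]::Matches($Matches[1], '(?i)\b(spf|dkim|dmarc|compauth)=(\w+)')) {
                $auth[$m.Groups[1].Value.ToLower()] = $m.Groups[2].Value.ToLower()
            }
            break
        }
    }
    $auth
}

function Get-FromDomain {
    param([Parameter(Mandatory)][string]$RawHeaders)
    foreach ($line in Get-UnfoldedHeaderLines $RawHeaders) {
        if ($line -match '^From:.*@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    }
}

function Test-DirectSendSuspect {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $auth = Get-AuthResults $RawHeaders
    $from = Get-FromDomain $RawHeaders
    $claimsInternal = [bool]$from -and ($AcceptedDomains -contains $from)
    # Direct Send traffic is anonymous: it carries no DKIM signature and comes from an
    # IP outside the domain's SPF record, so neither check can pass.
    $unauthenticated = ($auth.spf -ne 'pass') -and ($auth.dkim -ne 'pass')
    [pscustomobject]@{
        FromDomain = $from
        SPF        = $auth.spf
        DKIM       = $auth.dkim
        DMARC      = $auth.dmarc
        CompAuth   = $auth.compauth
        Suspect    = $claimsInternal -and $unauthenticated
    }
}

# Constructed header block resembling a Direct Send lure delivered to a tenant mailbox.
$directSend = @"
Received: from mail.attacker.example (203.0.113.5) by
 company-com.mail.protection.outlook.com (104.47.0.1) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=company.com;compauth=fail reason=000
From: Joe Smith <joe@company.com>
To: joe@company.com
Subject: New Missed Fax-msg
"@

# Constructed header block for ordinary authenticated mail from a partner domain.
$partner = @"
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=partner.example; dkim=pass (signature was verified)
 header.d=partner.example;dmarc=pass action=none header.from=partner.example;compauth=pass reason=100
From: Ann Lee <ann@partner.example>
To: joe@company.com
Subject: Q3 invoice
"@

Test-DirectSendSuspect -RawHeaders $directSend -AcceptedDomains 'company.com'
Test-DirectSendSuspect -RawHeaders $partner    -AcceptedDomains 'company.com'
```

Run it over headers exported from a mailbox or a quarantine sample; the AcceptedDomains list should contain every domain the tenant accepts mail for, since the lure only works when the forged From domain is one of them.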
Looking Ahead
Microsoft acknowledges the risk and has said it plans to deprecate Direct Send. Until then it advises that only advanced customers use the feature, since its safety depends entirely on how it is configured and managed (BleepingComputer).
As phishing attacks become more sophisticated, the need for strong email security measures is critical. The ongoing misuse of Direct Send highlights the necessity for continuous monitoring and adaptation of security practices to protect against evolving threats.
Final Thoughts
The misuse of Microsoft 365's Direct Send feature shows how a legacy convenience can become a phishing channel and why email security has to keep pace with attackers. As long as the feature remains available, organizations must adapt by tightening their tenant configuration and teaching employees to recognize these lures. Microsoft's plan to deprecate Direct Send and the new Reject Direct Send setting are steps in the right direction, but the responsibility for enabling and maintaining those controls rests with each organization (BleepingComputer).
References
- Microsoft 365 ‘Direct Send’ abused to send phishing as internal users, 2025, BleepingComputer https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/