Cybersecurity researchers have uncovered a widespread attack campaign abusing the Direct Send feature of Microsoft 365 Exchange Online, which lets threat actors spoof internal users and deliver phishing emails without compromising a single account. Cisco Talos, Varonis Threat Labs, and several email security vendors report that more than 70 organizations across various industries have been targeted since May 2025, with attackers using this trusted mail pathway to get past the authentication-based controls that normally stop spoofed mail and to evade detection.


What Is Direct Send and Why Is It Vulnerable?

Direct Send is an Exchange Online feature that lets on-premises devices and legacy applications such as printers, scanners and line-of-business apps send mail to recipients inside the Microsoft 365 tenant without authenticating. The device submits messages over SMTP to the tenant's MX endpoint, a smart host of the form contoso-com.mail.protection.outlook.com, and the feature was intended exclusively for internal workflows. That convenience creates a critical security gap: nothing on the path checks who is connecting, so an attacker needs no credentials, tokens or tenant access, only the smart host name, which is publicly discoverable from the tenant's MX record, and a valid internal recipient address.

Because Direct Send accepts unauthenticated submissions, a threat actor can send spoofed mail with a few lines of PowerShell, for example Send-MailMessage with -SmtpServer pointed at the smart host and a forged internal From address, so that the message appears to originate from a legitimate internal user. The predictable smart host format and the ease of learning an organization's address pattern from social media or breach data make identifying exposed organizations trivial.

Attack Techniques and Real-World Examples

In the campaigns observed by Varonis and other vendors, attackers used simple PowerShell commands to submit spoofed mail to the smart host, impersonating internal users without authenticating. Typical lures were fake voicemail notifications, missed-fax alerts and invoice requests, usually carrying QR codes or PDF attachments that sent victims to credential-harvesting pages.

Varonis Threat Labs identified multiple incidents in which users received messages apparently from themselves, submitted from unusual geolocations such as Ukraine with PowerShell as the recorded user agent. Header analysis showed an external source IP address, failed SPF and DMARC checks and no DKIM signature, yet the messages were delivered because they entered through the tenant's own smart host and were handled as internal-to-internal traffic.

The campaign's indicators of compromise included more than 15 malicious IP addresses (mostly in the 139.28.X.X range), phishing domains hosted on Firebase and similar platforms, and subject lines mimicking voicemail and fax notifications.
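To make the header analysis above concrete, here is an added PowerShell example (not code from the original article or from Varonis) that parses a raw Internet-message header block and flags the Direct Send indicators just described: a From address in the tenant's own domain, a message addressed from a user to themselves, failed SPF/DMARC with no DKIM, an anonymous submission, and an external IP handing the message straight to the smart host. The sample headers are constructed for illustration; contoso.com, the smart host name and the IP addresses are placeholders, and the AuthAs check assumes the X-MS-Exchange-Organization-AuthAs header is present on the message as delivered to the mailbox.

```powershell
# Added example, not from the original article: parse message headers and
# score them against the Direct Send indicators. Tenant domain, smart host
# and IP addresses below are placeholders; the sample headers are constructed.

function Get-MailHeaderTable {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header), then split into name/value pairs.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $table = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            # Headers such as Received repeat, so every value is kept as an array.
            if ($table.ContainsKey($name)) { $table[$name] += @($Matches[2]) }
            else { $table[$name] = @($Matches[2]) }
        }
    }
    return $table
}

function Test-DirectSendAbuse {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$TenantDomain
    )
    $h = Get-MailHeaderTable -RawHeaders $RawHeaders
    $findings = [System.Collections.Generic.List[string]]::new()

    $from   = ($h['from'] -join ' ')
    $to     = ($h['to'] -join ' ')
    $auth   = ($h['authentication-results'] -join ' ')
    $authAs = ($h['x-ms-exchange-organization-authas'] -join ' ')

    # 1. Sender claims the tenant's own domain (internal spoof), possibly self-addressed.
    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLowerInvariant() } else { '' }
    if ($fromDomain -eq $TenantDomain.ToLowerInvariant()) {
        $findings.Add("From domain matches tenant domain ($fromDomain)")
        $fromAddr = if ($from -match '<([^>]+)>') { $Matches[1] } else { $from }
        if ($to -match [regex]::Escape($fromAddr)) {
            $findings.Add('Message appears to be sent from the recipient to themselves')
        }
    }

    # 2. Authentication results: Direct Send spoofs fail SPF/DMARC and carry no DKIM.
    if ($auth -match 'spf=(fail|softfail|none)') { $findings.Add("SPF result: $($Matches[1])") }
    if ($auth -match 'dkim=none')                { $findings.Add('No DKIM signature') }
    if ($auth -match 'dmarc=fail')               { $findings.Add('DMARC failed') }
    if ($auth -match 'compauth=fail')            { $findings.Add('Composite authentication failed') }

    # 3. The submission was anonymous (unauthenticated) at the Exchange Online edge.
    if ($authAs -match 'Anonymous') { $findings.Add('Submitted without authentication (AuthAs: Anonymous)') }

    # 4. A non-private IP connected directly to the tenant's smart host.
    foreach ($r in $h['received']) {
        if ($r -match 'by\s+\S+\.mail\.protection\.outlook\.com' -and
            $r -match '\(([0-9]{1,3}(\.[0-9]{1,3}){3})\)') {
            $ip = $Matches[1]
            if ($ip -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
                $findings.Add("External IP $ip connected directly to the smart host")
            }
        }
    }

    # Threshold of three indicators is an illustrative choice, not a vendor value.
    [pscustomobject]@{
        Suspicious = ($findings.Count -ge 3)
        Findings   = $findings.ToArray()
    }
}

# Constructed sample modelled on the header pattern described in the article.
$sampleHeaders = @"
Received: from 203.0.113.45 (203.0.113.45) by
 contoso-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
 id 15.20.1234.5; Tue, 1 Jul 2025 09:15:02 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Alice Smith" <alice.smith@contoso.com>
To: <alice.smith@contoso.com>
Subject: New Voicemail Message (00:47)
Date: Tue, 1 Jul 2025 09:15:00 +0000
"@

$result = Test-DirectSendAbuse -RawHeaders $sampleHeaders -TenantDomain 'contoso.com'
$result.Findings | ForEach-Object { Write-Host " - $_" }
Write-Host "Suspicious: $($result.Suspicious)"
```

Run against exported headers from a suspect message (Outlook's message properties or Get-MessageTraceDetail output), the function returns every matched indicator so an analyst can see why a message scored, rather than only a verdict; the same indicators are what a mail flow rule or SIEM query would key on.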

Why Traditional Security Controls Fail

Direct Send abuse defeats SPF, DKIM and DMARC not by evading the checks but by surviving them: the spoofed message fails SPF and DMARC and carries no DKIM signature, yet it is still delivered because it arrived through the tenant's own smart host and is handled as internal tenant traffic rather than as untrusted inbound mail. A legacy secure email gateway (SEG) placed in front of the tenant never sees the message at all, because the attacker connects straight to the Microsoft-hosted smart host rather than to the gateway's MX record, and Microsoft's own filtering often fails to flag these messages because sender reputation, authentication results and external routing patterns carry little weight once mail is already inside Microsoft's trusted infrastructure.

This trust-boundary problem lets attackers inherit the credibility of Microsoft's infrastructure, so spoofed mail looks legitimate and passes the usual detection gates with minimal friction.

Microsoft’s Response: RejectDirectSend Control

Microsoft has introduced a Public Preview of the RejectDirectSend organization setting, which lets administrators reject unauthenticated Direct Send submissions for the whole tenant. Administrators enable it from Exchange Online PowerShell with Set-OrganizationConfig -RejectDirectSend $true and confirm the change by reading the RejectDirectSend property returned by Get-OrganizationConfig. While the setting is on, unauthenticated Direct Send mail is rejected at the SMTP level rather than delivered.

Microsoft has said that usage-visibility reports and a default of Direct Send disabled for new tenants will follow. Organizations that still depend on Direct Send for critical workflows, however, must inventory those senders and plan the migration carefully to avoid business disruption.

Security experts recommend a layered defense strategy to mitigate Direct Send abuse:

  • Enable RejectDirectSend if Direct Send is not required for business operations.
  • Migrate legacy devices and applications to authenticated SMTP client submission (smtp.office365.com, port 587, SMTP AUTH) or, where a device cannot authenticate, to an inbound connector restricted to its source IP addresses or certificate.
  • Enforce a strict DMARC policy (p=reject) and monitor DMARC aggregate reports for anomalous internal-sender patterns.
  • Restrict outbound port 25 from the corporate network to approved hosts, and enable SPF hard-fail marking in the Exchange Online Protection anti-spam policy.
  • Flag unauthenticated mail that claims an internal sender for review or quarantine, and use mail flow (transport) rules to distinguish external from internal sender flows.
  • Educate users on phishing tactics involving QR codes (quishing) and voicemail or fax impersonation.
  • Monitor message headers for external source IPs connecting to the smart host, failed authentication results and mismatched X-MS-Exchange-CrossTenant-Id values.
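As an added example (not code from the article, from Microsoft or from the cited vendors), the following Exchange Online PowerShell session applies three of the recommendations above in one pass: it reads and enables RejectDirectSend, adds an audit-mode mail flow rule that tags unauthenticated mail claiming the tenant's own domain so the migration window can be observed before enforcement, and turns on SPF hard-fail marking in the default anti-spam policy. The admin account, contoso.com and the relay IP range are placeholders; the rule assumes that Direct Send submissions evaluate as coming from outside the organization (FromScope NotInOrganization) and that the X-MS-Exchange-Organization-AuthAs header is available to mail flow rules.

```powershell
# Added example, not from the original article: harden a tenant against
# Direct Send abuse. Requires the ExchangeOnlineManagement module and an
# Exchange administrator account. All names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$tenantDomain    = 'contoso.com'
$trustedRelayIps = @('198.51.100.10/32')   # placeholder: on-prem MFP/app relay that still needs Direct Send

# 1. Read the current state, enable RejectDirectSend (Public Preview), then re-read to verify.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before: $before"
if (-not $before) {
    Set-OrganizationConfig -RejectDirectSend $true
}
$after = (Get-OrganizationConfig).RejectDirectSend
if (-not $after) {
    throw 'RejectDirectSend did not apply; check module version and admin permissions.'
}
Write-Host "RejectDirectSend after: $after"

# 2. Safety net for the migration window: an audit-mode mail flow rule that
#    tags unauthenticated mail claiming our own domain from outside the org.
#    Known relays are excluded by IP. Switch -Mode to Enforce once the audit
#    results show no legitimate senders are caught.
#    Assumption: Direct Send submissions evaluate as FromScope NotInOrganization
#    and the X-MS-Exchange-Organization-AuthAs header is visible to rules.
New-TransportRule -Name 'Audit: unauthenticated internal-domain sender' `
    -Mode Audit `
    -FromScope NotInOrganization `
    -SenderDomainIs $tenantDomain `
    -HeaderMatchesMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -HeaderMatchesPatterns 'Anonymous' `
    -ExceptIfSenderIpRanges $trustedRelayIps `
    -PrependSubject '[UNAUTHENTICATED INTERNAL SENDER] ' `
    -SetSCL 9

# 3. Treat SPF hard fail as spam in the default EOP anti-spam policy.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 2 in audit mode for a week or two and review the rule hits before moving to Enforce; any legitimate device that shows up there is a candidate for SMTP AUTH client submission or an IP-restricted inbound connector rather than an exception.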

Cisco Talos recommends combining machine learning-based email telemetry analysis with behavioral inspection to detect patterns consistent with Direct Send abuse, shortening attacker dwell time while maintaining operational continuity.

The abuse of Microsoft 365's Direct Send feature represents a significant threat to enterprise email security, turning a business-enabling tool into an exploitation vector for phishing and business email compromise campaigns. With attackers requiring no authentication to spoof internal users and bypass traditional security controls, organizations must act quickly to enable RejectDirectSend, migrate to authenticated alternatives, and enhance monitoring capabilities. As security experts warn, "You can't block what you don't see": visibility and proactive defense are the foundation of secure email communications.
