Abusing Direct Send: A New Microsoft 365 Phishing Risk
All our Gallop Technology Group clients have already had this patched and addressed by our security team. However, if you are reading this and you are not a Gallop Technology Group customer, please consider reaching out to your IT team as soon as possible to make sure this has been addressed on your Microsoft account as well, and, if it has not, ask yourself why you are not working with the awesome team at Gallop Technology Group instead.
Cybercriminals have found a new way to exploit trust within organizations without ever compromising a single account. Varonis Threat Labs recently uncovered a sophisticated misuse of Microsoft 365's Direct Send feature, a capability meant to let on-premises devices and applications send mail to a tenant's own users. Instead, it is being turned into a weapon for phishing attacks that appear to originate from within the company itself.
This article explores how the technique works, the risks it poses, and the steps organizations can take to defend against it.
What Is Direct Send?
Direct Send is a feature in Microsoft Exchange Online that allows devices on your network, such as printers, scanners, or line-of-business applications, to send email to your own users through Microsoft 365 without authenticating. The device simply connects over SMTP (port 25) to the tenant's MX endpoint, which follows a predictable pattern: the domain with its dot replaced by a hyphen, followed by .mail.protection.outlook.com (for example, contoso-com.mail.protection.outlook.com for contoso.com).
This setup is intended for internal use only: Direct Send can only deliver to recipients in the tenant's own accepted domains, so it was never designed as an open relay. However, nothing in the design verifies that the connecting host actually belongs to the organization. The endpoint accepts unauthenticated mail from any IP address on the internet, and that is what has opened the door for abuse.
How Attackers Are Exploiting It
The core issue lies in the absence of authentication. Attackers don’t need credentials, tokens, or access to the Microsoft 365 tenant. All they need is:
- The organization’s domain name
- A valid internal email format (e.g., john.doe@company.com)
- The smart host address, which is simply the domain's MX record and can be looked up in public DNS by anyone
With this information, often gathered from public sources, social media, or previous data breaches, an attacker can send emails that appear to come from a trusted internal source. Because the messages enter through Microsoft's own infrastructure for that tenant, they are more likely to bypass spam filters and third-party security gateways than mail arriving from an obviously external route.
Real-World Example
In the campaign observed by Varonis, attackers used PowerShell to send spoofed emails. Here’s a simplified version of the command they used:
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com `
    -To jane@company.com `
    -From jane@company.com `
    -Subject "New Missed Fax-msg" `
    -Body "You have received a call!"
This message appears to come from Jane herself, creating a false sense of trust. The recipient may assume it’s a legitimate internal message and click on malicious links or attachments.
Why This Attack Works So Well
There are several reasons why this tactic is particularly effective:
- Internal Trust: Emails that appear to come from within the organization are often trusted more than external messages.
- Bypasses Filters: The attacker connects straight to the tenant's MX endpoint, so any third-party email gateway sitting in front of Microsoft 365 never sees the message. The message will fail SPF (the attacker's IP is not in your SPF record), but unless your DMARC policy is set to reject and the tenant is configured to honor it, an SPF failure on its own does not guarantee the message is dropped.
- No Compromise Needed: The attacker doesn't need to hack into any accounts or systems; they are simply exploiting a trust assumption built into the feature.
- Low Effort, High Impact: The simplicity of the attack makes it easy to scale across multiple organizations.
How to Detect and Prevent This Exploit
While the Direct Send feature is useful, its misuse highlights the need for stronger controls and monitoring. Here are some steps organizations can take:
1. Restrict Direct Send Usage
Microsoft now provides a tenant-wide switch to reject Direct Send (the RejectDirectSend setting on the organization configuration). Before turning it on, inventory the devices and applications that actually rely on Direct Send, then move them to an authenticated path: SMTP AUTH client submission with a dedicated mailbox, or an inbound connector restricted to your devices' certificate or public IP addresses. Once nothing legitimate depends on it, reject Direct Send entirely.
2. Implement SPF, DKIM, and DMARC
These email authentication protocols are what allow a receiving system to tell a spoofed message from a real one. For this attack the important record is your own domain's DMARC policy: publish p=reject so that mail claiming to be from your domain that fails both SPF and DKIM alignment is rejected rather than merely flagged, and make sure your Exchange Online anti-phishing policy is set to honor the DMARC record policy.
3. Monitor for Unusual Email Activity
Use message trace and your security tooling to look for messages whose sender is in your own domain but which arrived from an internet IP address you do not recognize, or whose Authentication-Results headers show SPF and DMARC failures for your domain. A handful of stable IP addresses will be your printers and applications; anything else is worth investigating.
4. Educate Employees
Train staff to recognize phishing attempts, even if they appear to come from internal sources. Encourage them to verify suspicious messages through other channels.
5. Use Advanced Threat Protection
Enable Microsoft Defender for Office 365 or similar tools to scan for malicious content and behavior, and turn on the anti-phishing features aimed at exactly this problem: spoof intelligence, unauthenticated sender indicators, and Safe Links and Safe Attachments for the lures these messages carry.
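The steps above can be worked through from an Exchange Online PowerShell session. The script below is an added example written for this article; it is not code from the Varonis write-up or from Gallop Technology Group's tooling. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, a tenant domain of contoso.com, a seven-day look-back window and a mail flow rule name, all of which are placeholders. It audits the current Direct Send setting, inventories who is actually sending through the MX endpoint, checks the DMARC policy, creates a mail flow rule in audit mode to surface unauthenticated mail that claims to be from your own domain, and leaves the tenant-wide reject switch commented out until the inventory is clean.

```powershell
# Added example: audit and harden an Exchange Online tenant against Direct Send abuse.
# Not code from the Varonis research or Gallop Technology Group. The domain, rule name
# and look-back window are assumptions for illustration; adjust them to your tenant.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.

$Domain   = "contoso.com"                                   # assumed tenant domain
$RuleName = "Flag unauthenticated senders claiming $Domain" # assumed rule name

Connect-ExchangeOnline

# 1. Where do we stand? RejectDirectSend = False means the MX endpoint still accepts
#    unauthenticated mail from any IP address for our accepted domains.
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# 2. Inventory who is using the SMTP front door before switching Direct Send off.
#    FromIP is the host that connected to Microsoft. Messages claiming a sender in
#    our own domain from an address that is not one of our devices or relays are
#    either an unknown device you should document or an attacker using Direct Send.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date
$OwnDomainFromOutside = Get-MessageTraceV2 -StartDate $Start -EndDate $End -ResultSize 5000 |
    Where-Object {
        $_.SenderAddress -like "*@$Domain" -and
        -not [string]::IsNullOrEmpty($_.FromIP)
    }

# Group by connecting IP: a few stable addresses are your printers and applications;
# hosting providers, residential ranges and one-off IPs deserve a closer look.
$OwnDomainFromOutside | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Senders';  e = { ($_.Group.SenderAddress | Select-Object -Unique) -join ', ' } },
        @{ n = 'Subjects'; e = { ($_.Group.Subject | Select-Object -Unique | Select-Object -First 3) -join ' | ' } } |
    Format-Table -AutoSize

# 3. Check the domain's DMARC policy. A Direct Send spoof always fails SPF because the
#    attacker's IP is not in your SPF record; p=reject (honored by the tenant's
#    anti-phishing policy) is what turns that failure into a rejection.
$DmarcRecord = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
$Dmarc = ($DmarcRecord.Strings -join '')
if ($Dmarc -notmatch 'p=reject') {
    Write-Warning "DMARC for $Domain is '$Dmarc'. Spoofed mail is not rejected by policy."
}

# 4. Mail flow rule, in audit mode first: sender claims our domain but the message did
#    not arrive over an authenticated or internal path. Review the audit hits against
#    the inventory from step 2, add exceptions for legitimate third-party senders that
#    mail on your behalf, then change -Mode to Enforce.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -SenderDomainIs $Domain `
        -PrependSubject "[EXTERNAL - claims to be internal] " `
        -SetAuditSeverity High `
        -Mode Audit
}

# 5. Once every legitimate device has moved to SMTP AUTH client submission or to an
#    inbound connector restricted by certificate or IP, close the door tenant-wide.
#    Uncomment only when step 2 shows nothing but sources you own.
# Set-OrganizationConfig -RejectDirectSend $true

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once in a reporting-only pass (steps 1 to 3) to see what the tenant actually looks like, then let the audit-mode rule collect hits for a week before enforcing it or flipping RejectDirectSend; a printer that stops sending scans is the usual sign that something legitimate still depended on Direct Send.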
What Gallop Technology Group Has Done
At Gallop Technology Group, we’ve proactively addressed this vulnerability across all managed environments. Our security team has:
- Identified and mitigated the risk of Direct Send abuse
- Implemented enhanced monitoring for spoofed internal emails
- Updated client configurations to reduce exposure
- Educated clients on recognizing and reporting suspicious messages
If you’re a GTG client, rest assured—you’re already protected.
A Message to Non-Clients
If you’re reading this and you’re not a Gallop Technology Group customer, we strongly recommend reaching out to your IT team immediately to ensure this vulnerability has been addressed. If it hasn’t—ask yourself why you’re not working with a team that proactively protects your environment.
Conclusion
The abuse of Microsoft 365’s Direct Send feature is a reminder that even well-intentioned tools can become attack vectors when not properly secured. As phishing tactics become more sophisticated, organizations must stay ahead by combining technical controls with user awareness and expert support.
Cybersecurity is no longer optional—it’s essential. And with threats like these, having a proactive partner like Gallop Technology Group can make all the difference.