Exploiting Trust: Phishing Campaign Abuses Microsoft 365 Direct Send for Internal Spoofing


Varonis Threat Labs uncovered a phishing campaign actively exploiting Microsoft 365’s Direct Send feature. This functionality – intended for internal, unauthenticated email delivery from devices like printers – has been hijacked by threat actors to spoof internal users without account compromise. The abuse enables malicious emails to bypass traditional email security by appearing as legitimate internal messages, posing a major risk to enterprise security.

Severity Level: High

Threat Overview

  1. Start Date: Activity was traced back to May 2025, with consistent incidents reported over a two-month period.
  2. Target Scope: Over 70 victims were identified across multiple sectors and regions, primarily U.S.-based.
  3. Technique: Abuse of Direct Send, a Microsoft 365 feature that lets on-premises devices and applications relay mail to the tenant's own mailboxes without authenticating.
  4. Spoofing Method: The threat actor mimics internal users with publicly guessable addresses (e.g., first.last@company.com) and submits the mail to the tenant's MX/smart host (e.g., company-com.mail.protection.outlook.com; the hostname is the tenant's domain with dots replaced by hyphens).
  5. Payload: Typically a PDF attachment carrying a QR code that links to a phishing site harvesting Microsoft 365 credentials.
  6. Detection Avoidance: Because the messages are routed through Microsoft's own infrastructure, they can evade Microsoft's filters (e.g., by being treated as internal mail) and third-party email security solutions that rely on sender reputation or authentication results.

Direct Send Exploitation Steps:

  • Gather Information: Identify a target tenant and valid internal email address formats.
  • Craft Email: Use PowerShell or SMTP clients to send spoofed emails via the smart host.
  • Send Email: From an external IP (e.g., 139.28.36[.]230) to internal addresses using the Microsoft smart host.
  • Bypass Security:
    • No login = No authentication logs.
    • Appears internal, reducing likelihood of alerting security filters.
  • Payload Execution:
    • Emails appear to be from internal staff.
    • Attachments include QR codes linking to credential harvesting sites.
  • Example PowerShell command (the page's sketch completed with the -From, -Subject and -Body parameters needed for a deliverable, internal-looking message; addresses are placeholders): Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -From joe@company.com -To joe@company.com -Subject "Caller Left VM Message" -Body "You have a new voicemail."

Recommendations

1. To detect misuse of Direct Send, defenders must combine email header analysis, behavioral anomaly detection, and infrastructure monitoring.

Email Header Indicators:

  • Received: an external (public) IP address delivering the message straight to the tenant's smart host (e.g., company-com.mail.protection.outlook.com), with no authenticated hop before it
  • Authentication-Results: SPF, DKIM or DMARC failures on messages whose From address claims to be internal
  • X-MS-Exchange-CrossTenant-Id: should match your own tenant ID; a mismatch indicates spoofing
  • SPF record: verify that the domain's SPF record lists only legitimate senders and ends in -all; a missing or overly permissive record (e.g., +all or ?all) lets spoofed mail pass SPF

Behavioral Indicators:

  • Emails sent from a user to themselves
  • Use of PowerShell or CLI-based email clients (often not typical for end-users)
  • Email traffic from unusual geolocations (e.g., Ukraine or foreign VPN IPs) without corresponding login activity
  • Suspicious or out-of-pattern email subjects like: “Caller Left VM Message”, “New Missed Fax-msg”
  • Attachments containing QR codes (quishing) are red flags, especially if PDF files mimic voicemails or fax messages
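As an added example (not code from Varonis or from this advisory), the following Python script applies the header and behavioural indicators above to two constructed messages: a Direct Send spoof whose sender IP is the one named on this page, and an ordinary intra-tenant message as a control. The tenant domain, smart host name, tenant ID, Exchange hostnames, addresses and attachment name are all placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant facts (placeholders for this example, not values taken from the advisory).
INTERNAL_DOMAIN = "company.com"
SMART_HOST = "company-com.mail.protection.outlook.com"
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SUSPICIOUS_SUBJECTS = {"caller left vm message", "new missed fax-msg"}
# "from <helo> (<ip or host [ip]>) by <host>" is the shape Exchange Online Protection writes.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I | re.S)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]*:[0-9a-f:]+", re.I)

# Constructed Direct Send spoof; the sender IP is the one named in this advisory, all else is invented.
SPOOFED = """\
Received: from 139.28.36.230 (139.28.36.230) by
 company-com.mail.protection.outlook.com (10.100.1.5) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 139.28.36.230)
 smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=company.com;
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555
From: joe@company.com
To: joe@company.com
Subject: Caller Left VM Message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="Voicemail_0602.pdf"
Content-Disposition: attachment; filename="Voicemail_0602.pdf"

JVBERi0xLjQK
--b1--
"""
# Constructed control: an ordinary intra-tenant message that never touches the smart host.
INTERNAL_OK = """\
Received: from BN8PR01MB5678.prod.exchangelabs.com (2603:10b6:408:20::10) by
 BN8PR01MB1234.prod.exchangelabs.com (2603:10b6:408:1c::18) with Microsoft SMTP Server
Authentication-Results: spf=pass smtp.mailfrom=company.com; dkim=pass
 header.d=company.com; dmarc=pass action=none header.from=company.com;
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555
From: alice@company.com
To: joe@company.com
Subject: Q3 budget review

See attached notes.
"""

def received_hops(msg):
    """Yield (sender_ip, receiving_host) per Received header; ip is None when unparsable."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = None
        for cand in IP_RE.findall(m.group("paren")):
            try:
                ip = ipaddress.ip_address(cand)
                break
            except ValueError:
                continue
        yield ip, m.group("by").rstrip(".").lower()

def analyze(raw):
    """Return the Direct Send spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    # Received: a public IP handing the message straight to our own smart host.
    for ip, by in received_hops(msg):
        if by.endswith(SMART_HOST) and ip is not None and ip.is_global:
            findings.append(f"external-ip-to-smart-host:{ip}")
    # Authentication-Results (as stamped by EOP): our own domain failing SPF or DMARC.
    auth = {m.group(1).lower(): m.group(2).lower() for m in re.finditer(
        r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)}
    if from_addr.endswith("@" + INTERNAL_DOMAIN):
        if auth.get("spf") in {"fail", "softfail", "none"}:
            findings.append(f"spf-{auth['spf']}-internal-sender")
        if auth.get("dmarc") == "fail":
            findings.append("dmarc-fail-internal-sender")
    # X-MS-Exchange-CrossTenant-Id: the indicator table expects it to equal our tenant ID.
    tenant = msg.get("X-MS-Exchange-CrossTenant-Id", "").strip().lower()
    if tenant and tenant != TENANT_ID:
        findings.append("tenant-id-mismatch")
    # Behavioural indicators: self-addressed mail, voicemail/fax lures, PDFs named like them.
    if from_addr and from_addr == to_addr:
        findings.append("self-addressed")
    if msg.get("Subject", "").strip().lower() in SUSPICIOUS_SUBJECTS:
        findings.append("suspicious-subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pdf") and re.search(r"voice|vm|fax", name):
            findings.append(f"voicemail-or-fax-pdf:{name}")
    return findings

def is_likely_direct_send_spoof(raw):
    """A lone external-to-smart-host hop may be a real printer or scanner; require corroboration."""
    findings = analyze(raw)
    return any(f.startswith("external-ip-to-smart-host") for f in findings) and len(findings) >= 2
```

Two design points. First, a public IP delivering directly to the smart host is exactly what a legitimate multifunction printer does, so the verdict requires at least one corroborating indicator (authentication failure, self-addressed mail, a lure subject or attachment name) rather than firing on that hop alone. Second, only trust the Authentication-Results header that your own Exchange Online Protection stamped; an external sender can include a forged one, and a message that arrives via Direct Send passes through EOP, which adds its own verdict.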

2. Enable "Reject Direct Send": Microsoft introduced this tenant-level Exchange Online setting (the RejectDirectSend organization setting, managed through Exchange Online PowerShell) to refuse unauthenticated Direct Send traffic. Inventory the printers, scanners and applications that legitimately use Direct Send first and move them to authenticated SMTP submission or an inbound connector, because they will also be rejected once the setting is on.

3. Enforce strict SPF, DKIM and DMARC policies: publish an SPF record that lists only legitimate senders and ends in -all, sign outbound mail with DKIM, and move DMARC to p=reject once aggregate reports show that legitimate mail aligns.
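To make "strict" concrete, here is an added Python checker (not from this advisory or from Varonis) that grades SPF and DMARC TXT records the way a reviewer would before calling them enforcing. The records are constructed placeholders for a domain called company.com; the 198.51.100.9 entry stands in for an on-premises device that legitimately sends mail.

```python
import re

# Constructed records (placeholders, not any real organisation's DNS).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.9 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@company.com"
STRICT_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@company.com"
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def check_spf(record):
    """Return the weaknesses in an SPF record that would let a Direct Send spoof pass SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-missing-or-malformed"]
    issues = []
    mechanisms = [t.lower() for t in terms[1:] if "=" not in t]  # drop modifiers such as redirect=
    all_terms = [m for m in mechanisms if m.lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("spf-no-all-mechanism")  # implicit neutral: unlisted IPs are not rejected
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            issues.append(f"spf-permissive-all:{all_terms[-1]}")  # every IP passes or is neutral
        elif qualifier == "~":
            issues.append("spf-softfail-all")  # softfail is often still delivered
    if "include:spf.protection.outlook.com" not in mechanisms:
        issues.append("spf-missing-exchange-online-include")  # legitimate M365 outbound would fail
    lookups = sum(1 for m in mechanisms if m.lstrip("+-~?").split(":")[0] in DNS_LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append("spf-too-many-dns-lookups")  # RFC 7208 limit; record evaluates to permerror
    return issues


def check_dmarc(record):
    """Return the weaknesses in a DMARC record that would let a failing message be delivered."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc-missing-or-malformed"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"dmarc-policy-not-reject:{policy or 'absent'}")
    if tags.get("pct", "100") != "100":
        issues.append(f"dmarc-partial-enforcement:pct={tags['pct']}")
    if "rua" not in tags:
        issues.append("dmarc-no-aggregate-reporting")  # no visibility into what would be rejected
    return issues


def is_strict(spf_record, dmarc_record):
    return not check_spf(spf_record) and not check_dmarc(dmarc_record)
```

Two caveats worth keeping in mind. A spoof sent via Direct Send from an IP outside your SPF record fails SPF and DMARC regardless of these settings; whether Exchange Online Protection then rejects it depends on how your anti-phishing policy is configured to treat DMARC failures, so verify that behaviour rather than assuming p=reject alone is enough. And the strict SPF record must list the public IPs of every device that legitimately uses Direct Send (the ip4: entry above), or their mail will start failing too.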

4. Educate staff about the risks of QR code phishing (quishing). Train users to report internal-looking emails with suspicious attachments.

5. Enforce MFA for all users and keep Conditional Access policies in place so that harvested credentials alone do not grant access.

6. Block the IOCs at their respective controls:
https://www.virustotal.com/gui/collection/a63f0b29f78b93f927e06a5b619895746e1649330e1d31f4ca67f72f65741aca/iocs

Source:

  • https://www.varonis.com/blog/direct-send-exploit



Ampcus Cyber