Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users

A sophisticated phishing campaign has affected more than 70 organizations by exploiting Microsoft 365’s Direct Send feature.

This novel attack method allows threat actors to spoof internal users and deliver phishing emails without ever needing to compromise an account, bypassing traditional email security controls that typically scrutinize external communications.

The campaign, which began in May 2025 and has shown consistent activity over the past two months, predominantly targets US-based organizations across multiple verticals and locations.

What makes this attack particularly concerning is its exploitation of a lesser-known Microsoft 365 feature that was designed for legitimate internal communications but lacks proper authentication safeguards.

In these attacks, threat actors utilize M365’s Direct Send functionality to target individual organizations with phishing messages that receive significantly less scrutiny compared to standard inbound email.

The attacks are linked through commonalities in their approach, including similar email subjects, sender IP addresses, and attack vectors.

Understanding the Direct Send Vulnerability

Direct Send is a feature in Exchange Online designed to allow internal devices like printers and applications to send emails within a Microsoft 365 tenant without requiring authentication. The feature uses a smart host with a predictable format: tenantname.mail.protection.outlook.com.

The critical security flaw lies in the complete absence of authentication requirements. Attackers need only a few publicly available details to execute their campaigns: the target organization’s domain and valid recipient addresses.

These pieces of information are often easily obtainable through social media, public sources, or previous data breaches.

The attack process is remarkably simple. Once threat actors identify the domain and valid recipients, they can send spoofed emails that appear to originate from within the organization without ever logging into or accessing the tenant. This simplicity makes Direct Send an attractive, low-effort vector for sophisticated phishing campaigns.

The forensics team observed attackers using PowerShell commands to send spoofed emails via the smart host. These emails appear to come from legitimate internal addresses despite being sent by unauthenticated external actors. An example of the observed PowerShell command:

Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" -Body "You have received a call! Click on the link to listen to it. Listen Now" -BodyAsHtml 

The method’s effectiveness stems from several factors: no login credentials are required, the smart host accepts emails from any external source, and the “From” address can be spoofed to any internal user.

Because these emails route through Microsoft’s infrastructure and appear to originate within the tenant, they can bypass both Microsoft’s own filtering mechanisms and third-party email security solutions that rely on sender reputation and authentication results.

Figure: Phishing email with voice message

Varonis investigators identified specific behavioral patterns that signal Direct Send abuse. In one notable case, alerts were triggered by activity from a Ukrainian IP address, an unexpected location for the affected tenant.

Unlike typical geolocation alerts accompanied by authentication attempts, these incidents showed only email activity with no login events.

Key detection indicators include emails sent from users to themselves, PowerShell or command-line user agents in message headers, unusual IP addresses from VPNs or foreign geolocations, and suspicious attachments.

IoCs

  • IP Addresses:
    • 139.28.36[.]230
    • Multiple IP addresses within the 139.28.X.X space were used by the threat actor in this campaign to launch emails
  • Domains:
    • hxxps://voice-e091b.firebaseapp[.]com
    • hxxps://mv4lh.bsfff[.]es
  • Email subject lines often contain:
    • Caller Left VM Message * Duration-XXXX for XXXX
    • Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX
    • New Missed Fax-msg
    • New Missed Fax-Msg (2 pages)
    • You have received a new (2 pages) *Fax-Msg* to email@****
    • Fax Received: Attached document for review REF
  • Email attachments:
    • File names often contain ‘Fax-msg’, ‘Caller left VM Message’ or ‘Listen’.

Message header analysis reveals external IPs delivering directly to the tenant smart host, SPF, DKIM, or DMARC failures for the organization’s own internal domain, and mismatched tenant IDs.
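The header checks described above (self-addressed mail, scripting user agents, unknown external IPs hitting the smart host, SPF/DKIM/DMARC failures for the internal domain) combined into one triage routine, as an added example that is not the article’s or Varonis’ own tooling; the tenant domain, smart host name, egress allowlist and the sample header block are constructed placeholders:

```python
"""Triage raw message headers for Direct Send abuse (added example, not the
article's or Varonis' code; tenant domain, smart host, egress IPs and the
sample header block below are all constructed placeholders)."""
import re
from email import message_from_string
INTERNAL_DOMAIN = "company.com"                          # assumed tenant domain
SMART_HOST = "company-com.mail.protection.outlook.com"   # Direct Send smart host
KNOWN_EGRESS = {"198.51.100.10"}  # assumed: legitimate printer/app egress IPs

# Constructed sample: outside IP to smart host, From == To, SPF/DMARC fail, scripted mailer.
SAMPLE_HEADERS = """\
Received: from 203.0.113.5 (unknown [203.0.113.5]) by company-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=company.com; dkim=none; dmarc=fail action=none header.from=company.com
X-Mailer: PowerShell Send-MailMessage
From: joe@company.com
To: joe@company.com
Subject: New Missed Fax-msg
"""

def addr(msg, field: str) -> str:
    """Bare lowercase address from a header such as 'Name <a@b>'."""
    value = msg.get(field, "")
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()

def direct_send_indicators(raw: str) -> list[str]:
    """Return every Direct Send abuse indicator found in one message's headers."""
    msg = message_from_string(raw)
    hits: list[str] = []
    sender, recipient = addr(msg, "From"), addr(msg, "To")
    if not sender.endswith("@" + INTERNAL_DOMAIN):
        return hits  # the pattern only matters for internal-looking senders
    # 1. Unknown external IP delivering directly to the tenant smart host
    received = " ".join(msg.get_all("Received", []))
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if SMART_HOST in received and ip and ip.group(1) not in KNOWN_EGRESS:
        hits.append(f"external IP {ip.group(1)} delivered to smart host")
    # 2. Self-addressed mail, the campaign's hallmark
    if sender == recipient:
        hits.append("From equals To")
    # 3. SPF/DKIM/DMARC not passing for the internal domain
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror|temperror)", auth):
            hits.append(f"{mech} failed for {INTERNAL_DOMAIN}")
    # 4. Scripting or command-line user agents
    agent = (msg.get("X-Mailer", "") + " " + msg.get("User-Agent", "")).lower()
    if any(tool in agent for tool in ("powershell", "python", "curl")):
        hits.append(f"scripting user agent: {agent.strip()}")
    return hits
```

Run it over headers exported from a message trace or saved .eml files; a message scoring two or more indicators is worth a closer look, while mail from the allowlisted egress IPs with passing SPF produces none.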

This campaign highlights a critical blind spot in Microsoft 365’s security architecture. Organizations must implement additional monitoring and detection mechanisms to identify Direct Send abuse while maintaining legitimate use cases such as automated notifications and third-party integrations.

The discovery underscores the importance of comprehensive email security strategies that account for internal routing vulnerabilities.


The post Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users appeared first on Cyber Security News.