June 27, 2025
Severity
High
Analysis Summary
A newly discovered phishing campaign has targeted over 70 organizations by exploiting Microsoft 365’s Direct Send feature, a legitimate function intended for internal communications from devices such as printers or applications. This novel attack method allows external threat actors to spoof internal email addresses without authentication, enabling them to deliver phishing emails that bypass Microsoft and third-party email security filters. The abuse of Direct Send began in May 2025 and remains active, primarily affecting U.S.-based organizations across multiple sectors. The campaign is unified by shared elements such as similar subject lines, sender IPs, and spoofed identities, raising serious concerns about the lack of safeguards in the Direct Send protocol.
According to the researchers, Direct Send, designed to simplify intra-organizational messaging, uses smart hosts in the format tenantname.mail.protection.outlook.com. Its fatal flaw lies in not requiring any form of authentication, meaning attackers only need a company’s domain and valid user email addresses, data often available from breaches or public sources. Using this method, attackers can send spoofed emails appearing to come from trusted internal users, without ever needing to compromise an account or gain tenant access. These emails blend in with internal traffic, evading standard email inspection tools that focus on external sender analysis or fail to validate spoofed internal messages.
The forensic investigation revealed that attackers used simple PowerShell commands to send phishing emails via the smart host. These commands allowed them to spoof internal identities and trick users with phishing lures such as voice messages or faxes. A typical command might look like:
Send-MailMessage -SmtpServer tenant.mail.protection.outlook.com -To user@company.com -From user@company.com.
The effectiveness of this method is due to a combination of no credential requirements, spoofable sender fields, and messages being routed through Microsoft’s own infrastructure, making detection and prevention highly challenging.
Detection of such abuse relies on identifying anomalies like users emailing themselves, command-line email agents, foreign or unexpected IP addresses (e.g., from Ukraine or VPNs), and failures in SPF, DKIM, or DMARC checks despite internal-looking headers. Security logs show no associated login attempts, further indicating that the attackers remain entirely outside the tenant. This campaign underscores a critical security gap in Microsoft 365, pushing organizations to enhance internal traffic monitoring, implement strict mail flow rules, and reevaluate trusted sender assumptions to prevent abuse of infrastructure features like Direct Send.
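The detection anomalies listed above, written as a small header-triage function. This is an added example, not code from the original advisory: the three sample messages, the trusted device network 203.0.113.0/24 (where a tenant's printers and applications would legitimately use Direct Send), the scripted-agent patterns and the verdict thresholds are all constructed or assumed; only the sender IP 139.28.36.230 comes from the advisory's indicator list. It combines the Direct Send signal (an internal-looking From accepted anonymously) with the origin IP, so that legitimate device traffic from the expected network is not flagged.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Organisation-specific inputs (assumed / constructed for this example).
ORG_DOMAINS = {"company.com"}
# Networks from which legitimate Direct Send traffic (printers, scanners,
# line-of-business apps) is expected to originate; constructed range.
TRUSTED_DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Sender IP taken from the advisory's indicator list.
IOC_IPS = {"139.28.36.230"}
# Agents typical of scripted senders rather than mail clients (assumed list).
SCRIPTED_AGENT_RE = re.compile(r"powershell|send-mailmessage|\bcurl\b|python|\.net\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg) -> dict:
    """Reduce 'spf=fail (...) ...; dkim=none ...; dmarc=fail ...; compauth=fail'
    to {'spf': 'fail', ...} and pull out the 'sender IP is x' annotation."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
        ip = re.search(r"sender IP is ([0-9a-fA-F:.]+)", hdr)
        if ip:
            results["sender_ip"] = ip.group(1)
    return results


def triage(raw: str) -> dict:
    """Return {'findings': [...], 'verdict': 'allow'|'review'|'quarantine'}."""
    msg = message_from_string(raw)
    mail_from = parseaddr(msg.get("From", ""))[1].lower()
    rcpt_to = parseaddr(msg.get("To", ""))[1].lower()
    auth = _auth_results(msg)
    internal_from = _domain(mail_from) in ORG_DOMAINS
    findings = []

    # Users "emailing themselves" is the lure pattern seen in the campaign.
    if mail_from and mail_from == rcpt_to:
        findings.append("sender and recipient are the same mailbox")

    # Internal-looking From that failed SPF/DKIM/DMARC/composite authentication.
    failed = [k for k in ("spf", "dkim", "dmarc", "compauth")
              if auth.get(k) in ("fail", "softfail")]
    if internal_from and failed:
        findings.append("internal From with failed checks: " + ", ".join(failed))

    # Command-line / PowerShell user agents instead of a mail client.
    agent = msg.get("X-Mailer", "") or msg.get("User-Agent", "")
    if SCRIPTED_AGENT_RE.search(agent):
        findings.append(f"scripted sender agent: {agent}")

    # The Direct Send path: internal From accepted without authentication,
    # but from an IP where no trusted device lives.
    ip_str = auth.get("sender_ip")
    anonymous = msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "anonymous"
    if internal_from and anonymous and ip_str:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in TRUSTED_DEVICE_NETS):
            findings.append(f"anonymous internal From from untrusted IP {ip_str}")

    ioc_hit = ip_str in IOC_IPS
    if ioc_hit:
        findings.append(f"sender IP {ip_str} matches a known indicator")

    if ioc_hit or len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"findings": findings, "verdict": verdict}


# Constructed sample headers (not real captured messages).
SAMPLE_SPOOFED = """\
From: user@company.com
To: user@company.com
Subject: New voicemail message received
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Mailer: Microsoft PowerShell Send-MailMessage
Authentication-Results: spf=fail (sender IP is 139.28.36.230) smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=company.com;compauth=fail reason=001

Body omitted.
"""

SAMPLE_PRINTER = """\
From: scanner@company.com
To: alice@company.com
Subject: Scanned document
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Mailer: Office MFP firmware
Authentication-Results: spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=company.com;compauth=pass reason=109

Body omitted.
"""

SAMPLE_INTERNAL = """\
From: bob@company.com
To: alice@company.com
Subject: Lunch?
X-MS-Exchange-Organization-AuthAs: Internal
Authentication-Results: spf=pass (sender IP is 203.0.113.40) smtp.mailfrom=company.com; dkim=pass header.d=company.com;dmarc=pass action=none header.from=company.com;compauth=pass reason=100

Body omitted.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("printer", SAMPLE_PRINTER), ("internal", SAMPLE_INTERNAL)):
        print(name, triage(sample))
```

Run against real mail, the function would be fed the raw headers from a message trace or a mailbox export; the trusted network list and agent patterns are the two knobs an organisation has to tune to its own Direct Send usage before the "quarantine" verdict is wired to an action.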
Impact
- Sensitive Credential Theft
- Security Bypass
- Gain Access
Indicators of Compromise
IP
139.28.36.230
URL
https://voice-e091b.firebaseapp.com
https://mv4lh.bsfff.es
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Limit or disable Direct Send unless absolutely necessary; prefer using authenticated SMTP with modern authentication.
- Create mail flow (transport) rules to block or quarantine emails that spoof internal addresses but originate from external sources.
- Enforce strict SPF, DKIM, and DMARC policies to reject or quarantine unauthenticated messages.
- Monitor message headers for anomalies such as command-line or PowerShell user agents, email-to-self patterns, and mismatched tenant IDs.
- Block or flag emails originating from unexpected geolocations or known VPN services.
- Audit access logs to smart hosts like tenantname.mail.protection.outlook.com for signs of abuse.
- Enable external email tagging to help users distinguish spoofed messages from legitimate internal communication.
- Conduct regular security awareness training for employees to recognize phishing emails, especially those mimicking internal alerts like voicemails or missed faxes.