Key Takeaways
- Cybercriminals are abusing Microsoft 365’s Direct Send to send phishing emails that bypass SPF, DKIM, and DMARC checks.
- The attack impersonates internal accounts via a legitimate function meant for internal devices, evading security filters.
- Payloads include QR codes and HTML attachments that steal credentials, with some attacks traced to foreign IPs.
- Protection measures: enable Reject Direct Send, enforce strict DMARC, use header stamping, and quarantine failed checks.
Cybercriminals are exploiting Microsoft 365’s Direct Send feature to deliver highly convincing phishing emails that appear to come from trusted internal users, bypassing standard email authentication checks such as SPF, DKIM, and DMARC.
The exploit was documented by researchers at StrongestLayer after observing attackers successfully target one of their customers.
How Does the Microsoft Direct Send Phishing Attack Work?
The attack abuses a legitimate function designed to help printers, scanners, and internal systems send messages without complex authentication. By impersonating internal accounts, attackers sidestep many policy-based checks that typically screen external messages, successfully evading both Microsoft Defender and third-party secure email gateways.
Once the targeted organization’s internal communication trust is exploited, attackers can deliver a range of malicious content, from QR code-based payloads to HTML attachments, that harvest credentials without triggering usual defenses. In one documented case, phishing emails originated from IP addresses in Ukraine and France but were still processed as trusted traffic.
Preventative Measures
Microsoft has introduced options for organizations to apply custom header stamping and quarantine policies for messages falsely claiming to be internal. Security experts also recommend enabling Microsoft’s Reject Direct Send setting, enforcing a strict DMARC policy, and quarantining any email that fails authenticity checks.
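The attack description and the measures above reduce to one triage rule: a message whose From domain is the organization's own, that fails SPF, DKIM and DMARC, and that arrives from a source other than a known internal device should be stamped and quarantined. The Python below is an added example written for this article (it is not PowerDMARC's or Microsoft's code and not the Exchange Online rule engine); it applies that rule to a few constructed message headers and records the verdict in a custom header the way a header-stamping rule would. The tenant domain example.com, the device egress network 203.0.113.0/24, the header name X-Direct-Send-Check and all sample messages are assumptions made for the example.

```python
"""Triage exported Microsoft 365 headers for Direct Send abuse (added example;
not PowerDMARC's or Microsoft's code; domain, IPs, header name and samples are
assumptions constructed for illustration)."""
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed tenant domain
# Assumed public egress range of the printers/scanners that legitimately use Direct Send
ALLOWED_DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
STAMP_HEADER = "X-Direct-Send-Check"                 # assumed custom header name

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Verdict:
    action: str                                # "deliver" or "quarantine"
    reasons: list = field(default_factory=list)
    source_ip: str = ""


def parse_auth_results(value):
    """Map spf/dkim/dmarc to their outcome from an Authentication-Results header."""
    results = {}
    for mech, outcome in AUTH_RESULT_RE.findall(value or ""):
        results.setdefault(mech.lower(), outcome.lower())   # first result wins
    return results


def connecting_ip(msg):
    """IP that handed the message to our edge: the bracketed IP in the topmost Received."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP_RE.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def triage(raw_message):
    """Decide deliver/quarantine the way a header-stamping transport rule would."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    ip = connecting_ip(msg)
    claims_internal = from_domain == INTERNAL_DOMAIN
    known_device = ip is not None and any(ip in net for net in ALLOWED_DEVICE_NETS)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]

    verdict = Verdict("deliver", source_ip=str(ip) if ip else "")
    if claims_internal and known_device:
        # The narrow case Direct Send exists for: a known device on our own egress IP.
        verdict.reasons.append("allowlisted-direct-send-device")
    elif claims_internal and failed:
        # Claims to be us, is not authenticated and did not come from a known device.
        verdict.action = "quarantine"
        verdict.reasons.append("spoofed-internal-sender")
    elif auth.get("dmarc") == "fail":
        verdict.action = "quarantine"          # quarantine anything failing DMARC
        verdict.reasons.append("dmarc-fail")
    return verdict


def stamp(raw_message, verdict):
    """Return the message with the verdict recorded in a custom header for analysts."""
    msg = message_from_string(raw_message)
    msg[STAMP_HEADER] = (f"{verdict.action}; src={verdict.source_ip or 'unknown'}; "
                         f"reason={','.join(verdict.reasons) or 'none'}")
    return msg.as_string()


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_internal":
        "Received: from mail.attacker.example ([198.51.100.7]) by edge.example.com\n"
        "Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=none;"
        " dmarc=fail action=oreject header.from=example.com\n"
        "From: \"Payroll\" <payroll@example.com>\nTo: staff@example.com\n"
        "Subject: Updated direct deposit form\n\nScan the attached QR code to confirm.\n",
    "printer_direct_send":
        "Received: from printer01 ([203.0.113.10]) by edge.example.com\n"
        "Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=none;"
        " dmarc=fail header.from=example.com\n"
        "From: scanner@example.com\nTo: ap@example.com\nSubject: Scanned document\n\n(pdf)\n",
    "external_dmarc_fail":
        "Received: from relay.somewhere.example ([192.0.2.9]) by edge.example.com\n"
        "Authentication-Results: spf=fail smtp.mailfrom=partner.example; dkim=fail;"
        " dmarc=fail header.from=partner.example\n"
        "From: invoices@partner.example\nTo: ap@example.com\nSubject: Invoice\n\nSee attachment.\n",
    "external_authenticated":
        "Received: from mx.partner.example ([192.0.2.5]) by edge.example.com\n"
        "Authentication-Results: spf=pass smtp.mailfrom=partner.example; dkim=pass;"
        " dmarc=pass header.from=partner.example\n"
        "From: news@partner.example\nTo: staff@example.com\nSubject: Newsletter\n\nHello.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = triage(raw)
        print(f"{name:24} {v.action:10} {','.join(v.reasons) or '-'}")
```

Running the file prints a verdict per sample: the spoofed payroll message and the unauthenticated partner invoice are quarantined, the scanner on the allow-listed egress range and the fully authenticated newsletter are delivered. The allow-list models the one exception an organization keeps for its own devices; the tenant-wide control the article recommends, Microsoft's Reject Direct Send setting (in Exchange Online PowerShell, `Set-OrganizationConfig -RejectDirectSend $true`), removes the need for that exception, after which any message that still claims the internal domain without authenticating is simply rejected.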
Final Words
Proactive defenses are no longer optional, especially when attackers are abusing trusted systems to bypass traditional security. By combining Microsoft 365 hardening measures with advanced authentication enforcement, organizations can drastically reduce their exposure to these tactics.
PowerDMARC’s DMARC management platform helps you implement and maintain strict authentication policies, monitor spoofing attempts in real time, and stop phishing attacks before they reach your users. Get in touch today to schedule a free demo or speak to an expert!
FAQs
What is Microsoft 365 Direct Send?
It’s a Microsoft 365 feature that lets devices and applications within an organization send email without complex authentication, intended for internal communication.
Why is it being abused by attackers?
The Direct Send feature allows unauthenticated message sending, so attackers can make emails appear internal and bypass many security checks.
How can organizations protect themselves?
Enable Microsoft’s Reject Direct Send setting, deploy header stamping, enforce a strict DMARC policy, and quarantine messages that fail authenticity checks.
Which industries are most at risk?
Recent activity has heavily targeted financial services, manufacturing, and healthcare organizations in the US.
- Microsoft 365’s “Direct Send” Feature Exploited in New Phishing Tactic - August 11, 2025