Microsoft 365’s “Direct Send” Feature Exploited in New Phishing Tactic

Cybercriminals are exploiting Microsoft 365’s Direct Send feature to deliver highly convincing phishing emails that appear to come from trusted internal users, bypassing standard email authentication checks such as SPF, DKIM, and DMARC.

The exploit was documented by researchers at StrongestLayer after observing attackers successfully target one of their customers.

How Does the Microsoft Direct Send Phishing Attack Work

The attack abuses a legitimate function designed to help printers, scanners, and internal systems send messages without complex authentication. By impersonating internal accounts, attackers sidestep many policy-based checks that typically screen external messages, successfully evading both Microsoft Defender and third-party secure email gateways. This affects Microsoft 365/Exchange Online deployments in particular; even environments where users run Office 2024 as their desktop suite can be impacted if Direct Send remains enabled at the mail layer.

Once the targeted organization’s internal communication trust is exploited, attackers can deliver a range of malicious content, from QR code-based payloads to HTML attachments, that harvest credentials without triggering usual defenses. In one documented case, phishing emails originated from IP addresses in Ukraine and France but were still processed as trusted traffic.

Preventative Measures

Microsoft has introduced options for organizations to apply custom header stamping and quarantine policies for messages falsely claiming to be internal. Security experts also recommend enabling Microsoft’s Reject Direct Send setting, enforcing a strict DMARC policy, and quarantining any email that fails authenticity checks.

Final Words

Proactive defenses are no longer optional, especially when attackers are abusing trusted systems to bypass traditional security. By combining Microsoft 365 hardening measures with advanced authentication enforcement, organizations can drastically reduce their exposure to these tactics.

PowerDMARC’s DMARC management platform helps you implement and maintain strict authentication policies, monitor spoofing attempts in real time, and stop phishing attacks before they reach your users. Get in touch today to schedule a free demo or speak to an expert! 

FAQs

What is Microsoft 365 Direct Send?
It’s a Microsoft 365 feature that lets devices and applications within an organization send email without complex authentication, intended for internal communication.

Why is it being abused by attackers?
The Direct Send feature allows unauthenticated message sending. Thereby attackers can make emails appear internal, bypassing many security checks.

How can organizations protect themselves?
Enable Microsoft’s Reject Direct Send setting, deploy header stamping, enforce a strict DMARC policy, and quarantine messages that fail authenticity checks.

Which industries are most at risk?
Recent activity has heavily targeted financial services, manufacturing, and healthcare organizations in the US.

• About
• Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

Latest posts by Ahona Rudra (see all)

• What is DANE? DNS-Based Authentication of Named Entities Explained (2026) - April 20, 2026
• VPN Security 101: Best Practices for Protecting Your Privacy - April 14, 2026
• MXtoolbox Review: Features, User Experiences, Pros & Cons (2026) - April 14, 2026