Exploiting Microsoft 365's Direct Send Feature for Phishing Attacks on Internal Users

The Varonis Managed Data Detection and Response (MDDR) team has uncovered a phishing campaign that exploits a lesser-known Microsoft 365 feature called Direct Send. This tactic is used to evade detection by email security services and steal user credentials.

Direct Send is a Microsoft 365 feature that allows local devices, applications, or cloud services to send emails via the tenant’s smart host, making it appear as though they are coming from the organization’s domain. It’s intended for use by printers, scanners, and other devices that need to send messages on behalf of the company.

However, this feature poses a significant security risk as it does not require any authentication, enabling remote users to send internal emails from the organization’s domain.

Microsoft advises using Direct Send only for advanced customers, as its security relies on proper configuration of Microsoft 365 and secure management of the smart host.

“We recommend Direct Send solely for advanced clients who are prepared to handle mail server administration responsibilities. You must be familiar with configuration and adhering to best practices for sending email over the Internet. When set up and managed correctly, Direct Send can be a secure and viable option. However, customers risk implementing incorrect settings that could disrupt email flow or jeopardize the security of communications,” explained the company.

The campaign, which began in May 2025, has targeted more than 70 organizations across various sectors, with 95% of the victims located in the United States.

“The victims span a wide range of industries, but more than 90% of the identified targets operate in financial services, construction, engineering, manufacturing, healthcare, and insurance,” noted Joseph Avanzato, Varonis’ security group leader.

The attackers use PowerShell to submit mail through the target company's smart host (company-com.mail.protection.outlook.com), which lets them deliver internal-looking messages from external IP addresses.

The report gives the following example of a PowerShell command used to send mail via Direct Send:

```powershell
# Example from the report: unauthenticated SMTP submission to the tenant's own smart host,
# with sender and recipient both set to an address in the target domain.
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" -Body "You have got a call! Click on the link to listen to it. Listen Now" -BodyAsHtml
```

This method is effective because Direct Send via the smart host requires no authentication and the tenant treats the submitted message as internal. As a result, the messages get past SPF, DKIM, DMARC, and other filtering rules that would normally catch spoofed external mail.

The email campaigns mimic voicemail or fax notifications with subject lines such as “Caller Left VM Message.” The emails include PDF attachments titled “Fax-msg,” “Caller left VM Message,” “Play_VM-Now,” or “Listen.” Unusually, this campaign does not contain links to phishing pages within the PDFs.

Instead, the documents instruct victims to scan a QR code with their smartphone’s camera to listen to the voicemail. The PDFs are also branded with the company logo to enhance their legitimacy. Scanning the QR code and opening the link directs users to a phishing site displaying a fake Microsoft login form intended to capture credentials.

To mitigate this threat, Varonis recommends enabling the “Reject Direct Send” option in the Exchange Admin Center.

Varonis also suggests implementing a strict DMARC policy (p=reject), marking unauthenticated internal messages for review or quarantine, applying a strict SPF fail in Exchange Online Protection, enabling Anti-Spoofing policies, and training employees to recognize phishing attempts via QR codes.
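The following Exchange Online PowerShell script is an added example written for this article; it is not code from Varonis or Microsoft. It applies the two tenant-side recommendations above (enabling Reject Direct Send and checking that the domain's DMARC policy is p=reject) and then runs a message-trace hunt for internal-looking messages that arrived from an outside IP with a voicemail or fax lure subject. It assumes the ExchangeOnlineManagement module, an Exchange Administrator account, and the Windows DnsClient module for Resolve-DnsName; the domain "company.com", the admin UPN and the IP ranges are placeholders to replace with your own tenant values.

```powershell
# Added example (not from the Varonis report or Microsoft): harden a tenant against
# Direct Send abuse and hunt for messages that look like they came in through the smart host.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@company.com      # placeholder UPN

$tenantDomain = 'company.com'                                     # placeholder domain
# Public IPv4 addresses/ranges of your own devices (printers, scanners, apps) that
# legitimately use Direct Send. Placeholder values; populate from your own inventory.
$knownSenderIps = @('203.0.113.10', '198.51.100.0/24')

# 1. Block anonymous Direct Send at the tenant level ("Reject Direct Send").
Set-OrganizationConfig -RejectDirectSend $true
$cfg = Get-OrganizationConfig
"RejectDirectSend is now: $($cfg.RejectDirectSend)"

# 2. Confirm the domain's DMARC policy is enforcing (p=reject).
$dmarc = Resolve-DnsName -Name "_dmarc.$tenantDomain" -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings -join '' } |
    Where-Object { $_ -like 'v=DMARC1*' } |
    Select-Object -First 1
if ($dmarc -and $dmarc -match 'p=reject') {
    "DMARC enforcing: $dmarc"
} else {
    "WARNING: DMARC for $tenantDomain is not p=reject (found: '$dmarc')"
}

# Helpers: IPv4-only CIDR membership test. IPv6 or unparsable values are treated
# as "not known", so they show up in the hunt rather than being silently trusted.
function ConvertTo-UInt32 ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $bytes = $addr.GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian for ToUInt32
    return [BitConverter]::ToUInt32($bytes, 0)
}
function Test-IpInRanges {
    param([string]$Ip, [string[]]$Ranges)
    try { $ipNum = ConvertTo-UInt32 $Ip } catch { return $false }
    if ($null -eq $ipNum) { return $false }
    foreach ($range in $Ranges) {
        $parts  = $range.Split('/')
        $prefix = if ($parts.Count -eq 2) { [int]$parts[1] } else { 32 }
        # Mask with the top $prefix bits set, built arithmetically to avoid type surprises.
        $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
        $netNum = ConvertTo-UInt32 $parts[0]
        if ($null -ne $netNum -and (($ipNum -band $mask) -eq ($netNum -band $mask))) { return $true }
    }
    return $false
}

# 3. Hunt: sender in our own domain, arrived from an IP that is not one of our known
#    Direct Send devices, with a subject matching the lures described in the report.
$lurePattern = 'VM|Voicemail|Voice Message|Fax|Listen'
$since = (Get-Date).AddDays(-7)
$hits = Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object {
        $_.SenderAddress -like "*@$tenantDomain" -and
        $_.FromIP -and
        -not (Test-IpInRanges -Ip $_.FromIP -Ranges $knownSenderIps) -and
        $_.Subject -match $lurePattern
    }
"$($hits.Count) suspicious internal-looking messages in the last 7 days"
$hits | Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject, Status |
    Format-Table -AutoSize
```

Messages sent between mailboxes inside the tenant normally have an empty FromIP, so the FromIP filter keeps genuine internal mail out of the results; what remains is mail claiming your domain that entered from the outside. Get-MessageTrace only covers the last 10 days, so run the hunt on a schedule or move older ranges to a historical search.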

Separately, Microsoft announced that starting in July it will update the default security settings for all Microsoft 365 tenants to block access to SharePoint, OneDrive, and Office files over outdated authentication protocols. Once the updates are deployed, Microsoft 365 will by default block the FPRPC (FrontPage Remote Procedure Call) protocol for opening Office files and legacy browser authentication to SharePoint and OneDrive via RPS (Relying Party Suite).