Wednesday, April 22, 2026

Phishing Attack Exploits Microsoft 365 Direct Send, Impersonates Internal Users

A recent wave of sophisticated phishing attacks has successfully bypassed traditional email security measures by exploiting a lesser-known feature within Microsoft 365: the Direct Send functionality.

Security researchers from Varonis’ Managed Data Detection and Response (MDDR) Forensics team have uncovered a large-scale campaign targeting over 70 organizations, primarily based in the United States, with consistent activity since May 2025.

Attack Vector: Abusing Microsoft 365 Direct Send

Direct Send is a feature in Microsoft Exchange Online that allows internal devices, such as printers or applications, to send emails within a tenant without requiring authentication.

This is achieved using a smart host address following the format: tenantname.mail.protection.outlook.com. While intended for legitimate automation, the lack of authentication has made it an attractive target for threat actors.

Attackers can easily identify vulnerable organizations by guessing or scraping internal email addresses and tenant domains from public sources.

Once armed with this information, they use tools like PowerShell to send spoofed emails directly to the smart host. For example, a typical PowerShell command used in the campaign is:

Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" -Body "You have received a call! Click on the link to listen to it. Listen Now" -BodyAsHtml

Because the email appears to originate from within the tenant and is routed through Microsoft’s infrastructure, it can bypass standard security controls, including Microsoft’s own filters and third-party solutions that rely on sender reputation or authentication results.

Detection and Real-World Impact

The campaign’s emails are crafted to mimic legitimate internal communications, such as voicemail or fax notifications, and often include PDF attachments containing QR codes that redirect users to phishing sites.

Forensic analysis revealed that these emails originated from external IP addresses—such as 139.28.36.230—but were accepted and delivered internally via the smart host.

Key detection indicators include:

  • Message Headers: External IPs in received headers, SPF/DKIM/DMARC failures for internal domains, and mismatched tenant IDs.
  • Behavioral Signals: Emails sent from a user to themselves, use of PowerShell or command-line user agents, and unusual IP addresses (e.g., foreign geolocations).

In one incident, an alert was triggered by a Ukrainian IP address, an unexpected location for the affected tenant. Unlike typical geolocation-related incidents, there were no login events, only suspicious email activity.

This pattern, combined with scripting behavior and spoofed internal messages, pointed directly to Direct Send abuse.
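The header and behavioral indicators listed above can be turned into a simple triage check. The script below is an added example, not code from Varonis or from the article: it parses raw message headers with Python's standard email module and flags the indicators the article names (a public IP in a Received header, SPF/DKIM/DMARC failures for the internal domain, a message addressed from a user to themselves, and a fax or voicemail lure subject). The tenant domain, the two sample messages and their header values are constructed for the example.

```python
"""Triage message headers for Microsoft 365 Direct Send abuse indicators.

Added example (not from the Varonis write-up). Scores raw RFC 5322 headers
against the indicators the article lists. All sample data is constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "company.com"                 # assumed tenant domain
LURE_WORDS = ("fax", "voicemail", "missed call")  # subjects seen in the campaign

# Constructed sample: a spoofed self-addressed message relayed via the smart host
# from a public IP, with failing authentication results.
SPOOFED = """\
Received: from [139.28.36.230] (139.28.36.230) by company-com.mail.protection.outlook.com with SMTP; Wed, 01 Oct 2025 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 139.28.36.230) smtp.mailfrom=company.com; dkim=none header.d=none; dmarc=fail action=none header.from=company.com
From: joe@company.com
To: joe@company.com
Subject: New Missed Fax-msg
Content-Type: text/html

<a href="https://example.invalid/listen">Listen Now</a>
"""

# Constructed sample: an ordinary internal message from a private relay address.
LEGIT = """\
Received: from mail.company.com (10.20.30.40) by company-com.mail.protection.outlook.com with SMTP; Wed, 01 Oct 2025 10:05:00 +0000
Authentication-Results: spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass action=none header.from=company.com
From: alice@company.com
To: bob@company.com
Subject: Q3 budget review

Please see attached.
"""


def _received_ips(msg: Message) -> list:
    """Collect every IPv4 literal found in the Received header chain."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for cand in re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", hdr):
            try:
                ips.append(ipaddress.ip_address(cand))
            except ValueError:
                pass
    return ips


def _auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    text = " ".join(msg.get_all("Authentication-Results", [])).lower()
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", text)
        results[mech] = m.group(1) if m else "none"
    return results


def direct_send_indicators(raw: str) -> list:
    """Return the list of Direct Send abuse indicators present in a message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    hits = []
    # Only internal-looking senders are in scope for this check.
    if not sender.endswith("@" + INTERNAL_DOMAIN):
        return hits
    if any(ip.is_global for ip in _received_ips(msg)):
        hits.append("external-ip-in-received")
    auth = _auth_results(msg)
    if auth["spf"] != "pass" or auth["dmarc"] != "pass":
        hits.append("auth-failure:spf={spf},dkim={dkim},dmarc={dmarc}".format(**auth))
    if sender and sender == recipient:
        hits.append("self-addressed")
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in LURE_WORDS):
        hits.append("lure-subject")
    return hits


def is_suspect(raw: str) -> bool:
    """Treat a message as suspect when an external source IP coincides with
    an authentication failure for the internal domain, as in the campaign."""
    hits = direct_send_indicators(raw)
    return "external-ip-in-received" in hits and any(h.startswith("auth-failure") for h in hits)


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, is_suspect(sample), direct_send_indicators(sample))
```

The check deliberately requires both an external source IP and an authentication failure before calling a message suspect; a self-addressed or fax-themed message on its own is common in legitimate automation, so those indicators are reported for context rather than used alone.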

Prevention and Mitigation Strategies

To protect against this type of attack, organizations are advised to:

  • Enable “Reject Direct Send” in the Exchange Admin Center.
  • Implement a strict DMARC policy (p=reject).
  • Flag unauthenticated internal emails for review or quarantine.
  • Enforce “SPF hardfail” within Exchange Online Protection (EOP).
  • Use anti-spoofing policies and educate users about the risks of QR code attachments (quishing).
  • Enforce multi-factor authentication (MFA) and conditional access policies to mitigate credential theft.

Additionally, organizations should monitor for the following indicators of compromise (IOCs): IP addresses in the 139.28.X.X range, domains such as hxxps://voice-e091b.firebaseapp[.]com and hxxps://mv4lh.bsfff[.]es, and email subjects referencing fax or voicemail messages.

This campaign serves as a stark reminder that internal-looking emails are not always safe. Organizations must remain vigilant and implement robust monitoring and protection measures to defend against evolving phishing tactics.
