A recent wave of sophisticated phishing attacks has successfully bypassed traditional email security measures by exploiting a lesser-known feature within Microsoft 365: the Direct Send functionality.
Security researchers from Varonis’ Managed Data Detection and Response (MDDR) Forensics team have uncovered a large-scale campaign targeting over 70 organizations, primarily based in the United States, with consistent activity since May 2025.
Direct Send is a feature of Microsoft Exchange Online that lets internal devices and applications, such as multifunction printers or line-of-business apps, send email to recipients in the tenant without authenticating to any mailbox.
The device simply relays SMTP to the tenant's MX endpoint, a smart host whose name is formed from the accepted domain with its dots replaced by hyphens (company.com becomes company-com.mail.protection.outlook.com). The endpoint is meant for legitimate automation, but because it accepts mail addressed to the tenant's own domains without credentials, it has become an attractive target for threat actors.
Attackers can identify targets with little effort: the smart host name follows from the tenant's domain (and is published in its MX record), and internal email addresses can be guessed or scraped from public sources.
Once armed with this information, they use tools such as PowerShell to send spoofed messages directly to the smart host. A typical PowerShell command used in the campaign, with the sender and recipient both set to the same internal address, is:
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" -Body "You have received a call! Click on the link to listen to it. Listen Now" -BodyAsHtml
Because the message claims an internal sender and is accepted and routed by Microsoft's own infrastructure, it is treated much like intra-tenant traffic and can slip past standard controls, including Microsoft's own filters and third-party solutions that key on sender reputation or authentication results.
The campaign’s emails are crafted to mimic legitimate internal communications, such as voicemail or fax notifications, and often include PDF attachments containing QR codes that redirect users to phishing sites.
Forensic analysis revealed that these emails originated from external IP addresses, such as 139.28.36.230, yet were accepted and delivered internally via the smart host.
The key detection indicators were an unexpected source location for the tenant, mail activity with no corresponding sign-in, scripted sending behaviour, and internal-looking messages that spoofed the recipient's own address.
In one incident, an alert was triggered by a Ukrainian IP address, an unexpected location for the affected tenant. Unlike typical geolocation-related incidents, there were no login events, only suspicious email activity.
This pattern, combined with the scripting behaviour and the spoofed internal messages, pointed directly to Direct Send abuse.
To protect against this type of attack, organizations are advised to harden the tenant so that unauthenticated mail claiming an internal sender is no longer accepted at face value: Exchange Online now offers a tenant-wide Reject Direct Send setting for tenants that do not need the feature, and tenants that do need it should restrict it to the known source addresses of their devices and treat mail from their own domains that fails SPF or composite authentication as suspect.
Additionally, organizations should monitor for the following indicators of compromise (IOCs): IP addresses in the 139.28.x.x range (139.28.0.0/16), URLs such as hxxps://voice-e091b.firebaseapp[.]com and hxxps://mv4lh.bsfff[.]es, and email subjects referencing fax or voicemail messages.
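The following is an added example, not Varonis' tooling or Microsoft's code, showing how the detection indicators and IOCs above can be applied to raw message headers. It assumes a tenant whose only accepted domain is company.com, a hypothetical allowed Direct Send source range of 203.0.113.0/24 (the printers' egress), and a constructed set of sign-in IPs standing in for Entra ID sign-in logs; the two sample messages are constructed, with Received and Authentication-Results headers modelled on Exchange Online Protection's format.

```python
"""Triage Microsoft 365 message headers for Direct Send abuse (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Example tenant facts (assumptions, not from the report).
TENANT_DOMAINS = {"company.com"}
# Egress range of devices legitimately using Direct Send (hypothetical).
ALLOWED_DIRECT_SEND_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Indicators of compromise from the report.
IOC_NETWORKS = [ipaddress.ip_network("139.28.0.0/16")]
IOC_HOSTS = {"voice-e091b.firebaseapp.com", "mv4lh.bsfff.es"}
SUBJECT_LURES = re.compile(r"\b(fax|voice\s*mail|missed call)\b", re.IGNORECASE)

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
AUTH_TOKEN = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.IGNORECASE)


def unfold(value):
    """Collapse RFC 5322 folding whitespace in a header value."""
    return " ".join(str(value).split())


def entry_point_ip(msg):
    """IP of the client that handed the message to the tenant's smart host.

    Every MTA prepends its own Received header, so the first one (top-down) whose
    'by' host is *.mail.protection.outlook.com marks where the message entered
    the tenant; the client IP in its 'from' clause is the real source, whatever
    the From header claims.
    """
    for received in msg.get_all("Received", []):
        text = unfold(received)
        by = re.search(r"\bby\s+(\S+)", text, re.IGNORECASE)
        if not by or not by.group(1).lower().rstrip(";").endswith(".mail.protection.outlook.com"):
            continue
        ip = IPV4.search(text[: by.start()])  # only the 'from host (ip)' part
        if ip:
            return ipaddress.ip_address(ip.group(0))
    return None


def auth_results(msg):
    """Method -> verdict (spf, dkim, dmarc, compauth) from Authentication-Results."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_TOKEN.findall(unfold(value)):
            found.setdefault(method.lower(), verdict.lower())
    return found


def body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def analyze(raw_message, signin_ips=frozenset()):
    """Return source IP, findings and a verdict for one raw RFC 5322 message.

    signin_ips: IPs with recent sign-ins (constructed stand-in for Entra ID
    sign-in logs). Direct Send abuse shows mail from an IP that never signed in.
    """
    msg = message_from_string(raw_message)
    internal_looking = (domain_of(msg.get("From", "")) in TENANT_DOMAINS
                        and domain_of(msg.get("To", "")) in TENANT_DOMAINS)
    source = entry_point_ip(msg)
    auth = auth_results(msg)
    spoof, content = [], []

    if internal_looking and source is not None:
        expected = source.is_private or any(source in n for n in ALLOWED_DIRECT_SEND_SOURCES)
        if not expected:
            spoof.append(f"internal From/To accepted from unexpected external IP {source}")
            if str(source) not in signin_ips:
                spoof.append(f"no sign-in activity from {source}, only mail")
    if source is not None and any(source in n for n in IOC_NETWORKS):
        spoof.append(f"{source} is in the reported IOC range 139.28.0.0/16")
    if internal_looking and auth.get("spf") != "pass":
        spoof.append(f"tenant domain used as sender with spf={auth.get('spf', 'none')}")
    if internal_looking and auth.get("compauth") == "fail":
        spoof.append("composite authentication (compauth) failed")

    subject = str(msg.get("Subject", ""))
    if SUBJECT_LURES.search(subject):
        content.append(f"fax/voicemail lure subject: {subject!r}")
    hosts = sorted(h for h in IOC_HOSTS if h in body_text(msg).lower())
    if hosts:
        content.append("known phishing host in body: " + ", ".join(hosts))

    # A lure subject alone is not proof; the spoofing evidence decides the verdict.
    return {"source_ip": str(source) if source else None,
            "findings": spoof + content, "suspicious": bool(spoof)}


# Constructed sample modelled on the campaign's lure (headers simplified).
SPOOFED_MESSAGE = """\
Received: from BN8NAM11FT041.eop-nam11.prod.protection.outlook.com
 (2603:10b6:408:1::2) by DM6PR00MB1234.namprd00.prod.outlook.com with HTTPS;
 Mon, 16 Jun 2025 13:05:12 +0000
Received: from mail.example.net (139.28.36.230) by
 BN8NAM11FT041.mail.protection.outlook.com (10.13.177.72) with Microsoft SMTP
 Server id 15.20.8000.1; Mon, 16 Jun 2025 13:05:11 +0000
Authentication-Results: spf=fail (sender IP is 139.28.36.230)
 smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=company.com;compauth=fail reason=001
From: joe@company.com
To: joe@company.com
Subject: New Missed Fax-msg
Content-Type: text/html; charset=utf-8

<p>You have received a call! Click on the link to listen to it.</p>
<a href="https://voice-e091b.firebaseapp.com/play">Listen Now</a>
"""

# Constructed sample of permitted Direct Send use: an MFP on the allowed range.
PRINTER_MESSAGE = """\
Received: from mfp-03.company.com (203.0.113.25) by
 BN8NAM11FT041.mail.protection.outlook.com (10.13.177.72) with Microsoft SMTP
 Server id 15.20.8000.1; Mon, 16 Jun 2025 09:12:40 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.25)
 smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;
 dmarc=pass action=none header.from=company.com;compauth=pass reason=109
From: scanner@company.com
To: joe@company.com
Subject: Scanned document from MFP-03
Content-Type: text/plain; charset=utf-8

Your scan is attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("printer", PRINTER_MESSAGE)):
        result = analyze(raw, signin_ips={"198.51.100.7"})  # constructed sign-in log
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["source_ip"])
        for finding in result["findings"]:
            print("   -", finding)
```

The printer message passes because its source sits in the allowed range and SPF passes, even though it too arrived unauthenticated; the spoofed message is flagged on the external source, the missing sign-in, the IOC range and the failed SPF and composite authentication, with the lure subject and firebaseapp host reported as supporting context. In production the allowed range would be the documented egress addresses of the devices that genuinely need Direct Send, and signin_ips would come from the tenant's sign-in logs.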
This campaign serves as a stark reminder that internal-looking emails are not always safe. Organizations must remain vigilant and implement robust monitoring and protection measures to defend against evolving phishing tactics.