
Hackers Abuse Microsoft 365 Direct Send to Send Internal Phishing Emails

Medium
Published: Mon Aug 04 2025 (08/04/2025, 19:32:24 UTC)
Source: Reddit InfoSec News

Description

Hackers Abuse Microsoft 365 Direct Send to Send Internal Phishing Emails Source: https://hackread.com/hackers-microsoft-365-direct-send-internal-phishing-emails/

AI-Powered Analysis

Last updated: 08/04/2025, 19:32:49 UTC

Technical Analysis

The reported threat involves attackers abusing the Microsoft 365 Direct Send feature to conduct internal phishing attacks within organizations. Microsoft 365 Direct Send is a legitimate email relay method that lets devices and applications send email directly to recipients in the same organization without SMTP authentication. Attackers exploit this feature by compromising or spoofing internal devices or accounts to send phishing emails that appear to originate from trusted internal sources. This technique bypasses many traditional email security controls such as SPF, DKIM, and DMARC, which primarily validate external email sources, making the phishing emails more convincing and harder to detect. The phishing emails can be used to harvest credentials, deliver malware, or support further lateral movement within the network. No specific affected versions or patches are mentioned; the threat leverages a design feature rather than a software vulnerability, so it remains a persistent risk for any organization using Microsoft 365 with Direct Send enabled. Discussion of this threat is minimal and comes primarily from a Reddit InfoSec news post linking to an external article, indicating early awareness but no widespread exploitation reported yet.

Potential Impact

For European organizations, this threat poses a significant risk to internal email security and user trust. Since the phishing emails appear to come from legitimate internal sources, employees are more likely to open malicious attachments or click on harmful links, increasing the risk of credential compromise, data breaches, and malware infections. This can lead to unauthorized access to sensitive data, disruption of business operations, and potential regulatory non-compliance under GDPR if personal data is exposed. The internal nature of the phishing also complicates detection and response, as traditional perimeter defenses may not flag these emails as suspicious. Organizations with large Microsoft 365 deployments and extensive internal email communications are particularly vulnerable. The threat could also facilitate advanced persistent threats (APTs) by enabling attackers to establish footholds and move laterally within networks undetected.

Mitigation Recommendations

To mitigate this threat, European organizations should implement the following specific measures:

1) Restrict and monitor the use of Direct Send by limiting it to only necessary devices and applications, ensuring that only authorized systems can send emails via this method.
2) Enforce strict internal email authentication policies and consider implementing additional internal email filtering rules that detect anomalous sending patterns or unusual internal sender behaviors.
3) Deploy advanced threat protection solutions capable of analyzing internal emails for phishing indicators, including URL rewriting and attachment sandboxing.
4) Conduct regular user awareness training focused on recognizing internal phishing attempts and reporting suspicious emails.
5) Implement multi-factor authentication (MFA) across all user accounts to reduce the impact of credential compromise.
6) Monitor email logs and network traffic for signs of abuse or compromise related to Direct Send usage.
7) Review and tighten Microsoft 365 security configurations, including conditional access policies and device compliance checks, to reduce the risk of account or device compromise that could enable this attack vector.
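The following Exchange Online PowerShell script is an added example (not from the article or from Microsoft) that puts recommendations 1 and 6 into practice: it reports whether the tenant-wide Direct Send block is on, hunts the recent message trace for mail claiming an internal sender that entered from an IP outside an allowlist of authorized relays, and shows the hardening step. It assumes the ExchangeOnlineManagement module, an Exchange admin role, the RejectDirectSend organization setting (added by Microsoft to Exchange Online in 2025), and placeholder values for $TenantDomain and $AuthorizedRelayIPs.

```powershell
# Added example: audit and harden Direct Send exposure in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; caller holds an Exchange
# admin role; $TenantDomain and $AuthorizedRelayIPs are placeholders to replace.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$TenantDomain       = 'contoso.com'                        # placeholder: your accepted domain
$AuthorizedRelayIPs = @('203.0.113.10', '203.0.113.11')    # placeholder: devices/apps allowed to relay

# 1) Report the current tenant-wide Direct Send setting.
$org = Get-OrganizationConfig
"RejectDirectSend currently: $($org.RejectDirectSend)"

# 2) Hunt the last 7 days of message trace for mail that carries one of our own
#    sender addresses but arrived from an IP that is not an authorized relay.
#    Mailbox-to-mailbox mail inside Exchange Online usually has no FromIP or a
#    Microsoft address, so baseline the allowlist against your own tenant first.
$trace = Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -PageSize 5000
$suspect = $trace | Where-Object {
    $_.SenderAddress -like "*@$TenantDomain" -and
    $_.FromIP -and
    ($AuthorizedRelayIPs -notcontains $_.FromIP)
}

# Summarise per source IP: how much mail, and which internal identities it claimed.
$suspect |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object @{n = 'FromIP'; e = { $_.Name } },
                  Count,
                  @{n = 'ClaimedSenders'; e = { ($_.Group.SenderAddress | Sort-Object -Unique) -join ';' } } |
    Format-Table -AutoSize

# 3) Once every legitimate relay has been moved to an authenticated path (SMTP AUTH
#    or an inbound connector), reject unauthenticated Direct Send tenant-wide.
#    -WhatIf previews the change; remove it to apply.
Set-OrganizationConfig -RejectDirectSend $true -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

Any IP that shows up repeatedly in the summary and is not one of your devices or applications is worth correlating against the mailbox audit and sign-in logs before the block is enabled, so that legitimate relays are not cut off unexpectedly.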


Technical Details

Source Type: reddit
Subreddit: InfoSecNews
Reddit Score: 1
Discussion Level: minimal
Content Source: reddit_link_post
Domain: hackread.com
Newsworthiness Assessment: {"score":27.1,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 68910ad8ad5a09ad00e2e430

Added to database: 8/4/2025, 7:32:40 PM

Last enriched: 8/4/2025, 7:32:49 PM

Last updated: 8/4/2025, 7:33:26 PM

Views: 2
