
Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations

Severity: Medium
Published: Mon Aug 18 2025 (08/18/2025, 14:16:17 UTC)
Source: AlienVault OTX General

Description

Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by handing malicious messages to the target tenant's own Microsoft 365 mail infrastructure. The technique requires no credentials, only the target domain and valid recipient addresses. The attack process involves identifying organizational domains, crafting emails that impersonate internal users, and delivering them through Microsoft 365 so that they arrive looking like internal mail. Recent campaigns have harvested credentials and established footholds within targeted environments. Attackers use automated tools to generate convincing business-themed lures, often PDF and DOCX attachments carrying QR codes or obfuscated HTML that lead to phishing pages. The abuse of Direct Send represents a critical gap in email security defenses, particularly for organizations whose mail is hosted in Microsoft 365 and who rely heavily on email communications.

AI-Powered Analysis

Last updated: 08/18/2025, 14:47:53 UTC

Technical Analysis

Direct Send is an Exchange Online option intended for on-premises devices and applications (multifunction printers, scanners, line-of-business systems) that need to send mail to mailboxes in the tenant. The device hands the message to the tenant's MX endpoint (<tenant>.mail.protection.outlook.com) over SMTP on port 25 without authenticating; the only conditions are that the sender address belongs to one of the tenant's accepted domains and that the recipients are internal. Nothing in that design restricts who may connect, so anyone on the internet who knows the domain and a few mailbox addresses can submit a message that claims to come from an internal user.

That is what makes the technique attractive: it needs no stolen credentials or compromised mailbox, so it is open to a wide range of threat actors. The observed campaigns follow a simple sequence: reconnaissance to identify the organization's domains and valid addresses, generation of business-themed lures with automated tooling, and delivery through the tenant's own endpoint. The lures typically arrive as PDF or DOCX attachments containing QR codes, or as obfuscated HTML, both of which move the malicious link out of the message body and onto the victim's phone or browser, where it resolves to a credential-harvesting page or a malware download.

The messages fail authentication (the sending IP is not in the spoofed domain's SPF record, there is no DKIM signature, and DMARC therefore fails), but they never traverse a third-party secure email gateway placed in front of the tenant unless the tenant has been locked down to accept mail only from that gateway, and Exchange Online delivers them to the recipient looking like internal mail. Whether the authentication failure is acted on depends on the tenant's anti-spoofing and DMARC-handling settings, so controls that rely on external sender reputation or on the sender appearing external miss them. Recent campaigns have used the harvested credentials to establish footholds and pivot to business email compromise (BEC) and lateral movement. For organizations that depend on Microsoft 365 for email this is a critical gap, compounded by the quality of the automatically generated lures, which raises the odds that a recipient interacts with them.
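The header fingerprint described above can be turned into a triage rule. The script below is an added example, not code from the OTX pulse or the Mimecast report: the tenant domain (contoso.com), the allow-listed scanner address and the three sample messages are constructed to mimic Exchange Online Protection headers, while the IP list is the one published in this pulse. It flags messages whose From domain is the tenant's own, that reached the tenant's MX endpoint anonymously from an IP not on the device allow list, and that fail the domain's own SPF/DMARC:

```python
"""Triage inbound Microsoft 365 messages for Direct Send abuse using their headers."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (constructed): the tenant owns contoso.com and one
# scanner at 203.0.113.10 legitimately uses Direct Send.
ORG_DOMAINS = {"contoso.com"}
ALLOWED_DIRECT_SEND_IPS = [ipaddress.ip_network("203.0.113.10/32")]
# Sender IPs published as indicators in the OTX pulse
PULSE_IOC_IPS = {"139.28.38.90", "141.95.114.238", "141.95.71.216", "23.163.0.158", "51.89.87.86"}

# The Received hop where an outside host hands the message to the tenant's EOP endpoint
# (<tenant>.mail.protection.outlook.com) is where Direct Send enters the tenant.
EOP_HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+"
    r"(?P<eop>\S+\.mail\.protection\.outlook\.com)",
    re.IGNORECASE,
)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def eop_entry_hop(msg):
    """(ip, helo) of the host that connected to the tenant's MX endpoint, or None."""
    for received in msg.get_all("Received", []):
        match = EOP_HOP.search(" ".join(received.split()))  # unfold the header first
        if match:
            return match.group("ip"), match.group("helo")
    return None

def auth_results(msg):
    """Collapse Authentication-Results into {'spf': ..., 'dkim': ..., 'dmarc': ...}."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT.findall(header):
            results[method.lower()] = verdict.lower()
    return results

def triage(raw_message):
    """Classify one message: verdict, reasons, and the IP that spoke to EOP."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    hop = eop_entry_hop(msg)
    result = {"verdict": "clean", "reasons": [], "source_ip": hop[0] if hop else None}
    if from_domain not in ORG_DOMAINS:
        result["verdict"] = "external_sender"  # ordinary inbound mail, out of scope here
        return result
    # EOP strips X-MS-Exchange-Organization-* headers from mail arriving from outside,
    # so AuthAs: Internal can be trusted to mean authenticated intra-tenant mail.
    if auth_as == "internal":
        return result
    auth = auth_results(msg)
    # Direct Send fingerprint: our own domain in From, anonymous submission, failing our own SPF/DMARC
    if auth_as == "anonymous":
        result["reasons"].append("submitted anonymously (no SMTP AUTH, not intra-tenant)")
    if auth["spf"] in {"fail", "softfail", "none"}:
        result["reasons"].append(f"spf={auth['spf']} although From is our own domain")
    if auth["dmarc"] == "fail":
        result["reasons"].append("dmarc=fail for our own domain")
    if not result["reasons"]:
        return result
    if hop is None:
        result["verdict"] = "spoofed_internal_sender"  # came in another way; still investigate
        return result
    if any(ipaddress.ip_address(hop[0]) in net for net in ALLOWED_DIRECT_SEND_IPS):
        result["verdict"] = "allowlisted_direct_send"  # expected device traffic
        return result
    if hop[0] in PULSE_IOC_IPS:
        result["reasons"].append(f"sender IP {hop[0]} is listed in the OTX pulse")
    result["verdict"] = "direct_send_abuse_suspected"
    return result

# Constructed sample messages, written to mimic Exchange Online Protection headers
ABUSE_MESSAGE = "\n".join([
    "Received: from [139.28.38.90] (139.28.38.90) by AM0EUR02FT017.mail.protection.outlook.com (10.152.16.60) with Microsoft SMTP Server id 15.20.9031.12 via Frontend Transport; Mon, 18 Aug 2025 13:02:11 +0000",
    "Authentication-Results: spf=softfail (sender IP is 139.28.38.90) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=contoso.com;compauth=fail reason=001",
    "X-MS-Exchange-Organization-AuthAs: Anonymous",
    "From: HR Department <hr@contoso.com>",
    "To: a.user@contoso.com",
    "Subject: Updated employee handbook - action required",
    "",
    "Please scan the QR code in the attached PDF to acknowledge the policy.",
])
PRINTER_MESSAGE = "\n".join([
    "Received: from printer-01.corp.contoso.com (203.0.113.10) by AM0EUR02FT017.mail.protection.outlook.com (10.152.16.60) with Microsoft SMTP Server id 15.20.9031.12 via Frontend Transport; Mon, 18 Aug 2025 09:15:40 +0000",
    "Authentication-Results: spf=softfail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; dkim=none header.d=none;dmarc=fail action=none header.from=contoso.com",
    "X-MS-Exchange-Organization-AuthAs: Anonymous",
    "From: scanner@contoso.com",
    "",
    "See attachment.",
])
INTERNAL_MESSAGE = "\n".join([
    "Received: from AM0PR01MB1234.eurprd01.prod.exchangelabs.com (10.167.22.17) by AM0PR01MB5678.eurprd01.prod.exchangelabs.com (10.167.24.9) with Microsoft SMTP Server id 15.20.9031.12; Mon, 18 Aug 2025 10:01:03 +0000",
    "X-MS-Exchange-Organization-AuthAs: Internal",
    "From: it@contoso.com",
    "",
    "Reminder: patch window tonight.",
])

if __name__ == "__main__":
    for raw in (ABUSE_MESSAGE, PRINTER_MESSAGE, INTERNAL_MESSAGE):
        print(triage(raw))
```

Run it over exported headers (a quarantine export or message trace) and start with the direct_send_abuse_suspected verdicts; allowlisted_direct_send is the legitimate device traffic you would have to migrate before turning Direct Send off, and spoofed_internal_sender catches own-domain spoofs that arrived through some path other than the MX endpoint.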

Potential Impact

For European organizations, this threat poses significant risks to confidentiality, integrity, and operational continuity. Credential theft via phishing can lead to unauthorized access to sensitive corporate data, intellectual property, and personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. The ability to bypass perimeter defenses increases the likelihood of successful phishing attacks, undermining trust in internal communications and complicating incident detection and response. Furthermore, compromised credentials can enable attackers to conduct business email compromise, financial fraud, and lateral movement within networks, escalating the severity of breaches. Given the widespread adoption of Microsoft 365 across Europe, the scale of potential impact is substantial, affecting organizations of all sizes and sectors, including finance, healthcare, government, and critical infrastructure.

Mitigation Recommendations

1. Publish SPF, DKIM and DMARC for every accepted domain and move DMARC to an enforcing policy (p=quarantine, then p=reject). Because a Direct Send lure spoofs your own domain, also confirm that inbound mail to the tenant is actually held to that policy; in Microsoft Defender for Office 365 this is governed by the anti-phishing policy's spoof intelligence and its settings for honoring the sender domain's DMARC policy.

2. Disable Direct Send unless a device genuinely depends on it. Exchange Online provides a tenant-wide RejectDirectSend organization setting (enabled with Set-OrganizationConfig -RejectDirectSend $true in Exchange Online PowerShell and visible in Get-OrganizationConfig) that rejects unauthenticated messages from your own domains arriving at the tenant's MX endpoint. Where devices still need to send, move them to SMTP AUTH client submission or to an inbound connector restricted to their IP addresses first, and monitor whatever anonymous own-domain traffic remains.

3. Employ email security controls that analyze content and attachments for phishing indicators, including sandboxing of attachments, URL rewriting, and decoding of QR codes embedded in PDF and DOCX files, since the malicious link in these campaigns is usually not in the message body.

4. Enable multi-factor authentication (MFA), preferably phishing-resistant methods, across all user accounts to limit what a harvested password is worth.

5. Conduct regular user awareness training focused on recognizing phishing attempts, especially internal-looking emails and attachments with QR codes or obfuscated content.

6. Utilize Microsoft Defender for Office 365 features such as Safe Links and Safe Attachments to detect and block malicious content.

7. Implement continuous monitoring: alert on messages whose From domain is your own but that arrived anonymously from external IP addresses, and on unusual sign-in behavior following such messages.

8. Regularly review and audit mail flow rules and connectors in Microsoft 365. If a third-party gateway fronts the tenant, ensure the tenant accepts inbound mail only from that gateway's IP ranges, so that direct delivery to the MX endpoint is not an alternative path around it.

9. Establish incident response playbooks specifically addressing phishing and credential theft scenarios involving Microsoft 365.

10. Collaborate with threat intelligence providers to stay updated on emerging phishing campaigns exploiting Direct Send.
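Recommendation 1 is only as strong as the records actually published. The checker below is an added example, not code from the pulse or from Mimecast: it grades SPF and DMARC TXT records the way a reviewer would, with a weak and a strict record pair for the hypothetical contoso.com constructed inline. For your own domain you would substitute the TXT lookups for the domain and its _dmarc subdomain. The caveat from the recommendation still applies: a Direct Send lure spoofs your own domain, so these records only bite if the tenant enforces them on inbound mail.

```python
"""Grade SPF and DMARC records for enforcement weaknesses (added example)."""

def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Findings for an SPF record; an empty list means unlisted senders hard-fail."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["high: not an SPF record (missing v=spf1)"]
    findings = []
    # the 'all' mechanism and its qualifier decide what happens to everyone not listed
    all_mech = next((t.lower() for t in tokens[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_mech is None:
        findings.append("high: no 'all' mechanism, unlisted senders are not rejected")
    elif all_mech in ("all", "+all"):
        findings.append("high: '+all' authorises every host on the internet")
    elif all_mech == "?all":
        findings.append("high: '?all' is neutral, equivalent to publishing no policy")
    elif all_mech == "~all":
        findings.append("medium: '~all' only soft-fails; use '-all' once legitimate senders are listed")
    if "include:spf.protection.outlook.com" not in {t.lower() for t in tokens}:
        findings.append("low: Exchange Online outbound (spf.protection.outlook.com) is not included")
    if any(t.lower().startswith("ptr") for t in tokens):
        findings.append("low: 'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    return findings

def assess_dmarc(record):
    """Findings for a DMARC record; an empty list means p=reject with full coverage."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["high: not a DMARC record (missing v=DMARC1)"]
    findings = []
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    policy = tags.get("p", "").lower()
    if policy not in strength:
        findings.append("high: missing or invalid p= tag, receivers ignore the record")
    elif policy == "none":
        findings.append("high: p=none only reports, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("medium: p=quarantine; move to p=reject once reports are clean")
    sub = tags.get("sp", policy).lower()  # subdomain policy inherits p when absent
    if sub in strength and strength[sub] < strength.get(policy, 0):
        findings.append(f"medium: sp={sub} leaves subdomains weaker than the organisational domain")
    pct = int(tags.get("pct", "100") or 100)
    if pct < 100:
        findings.append(f"medium: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("low: no rua= address, so you never see who is spoofing the domain")
    return findings

def enforcing(spf_record, dmarc_record):
    """True when neither record carries a high or medium finding."""
    findings = assess_spf(spf_record) + assess_dmarc(dmarc_record)
    return not any(f.split(":")[0] in ("high", "medium") for f in findings)

# Constructed records for a hypothetical contoso.com: the weak pair beside the strict pair
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@contoso.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(label, enforcing(spf, dmarc), assess_spf(spf) + assess_dmarc(dmarc))
```

The strict pair lists the scanner's address explicitly (ip4:203.0.113.10) so that a device which must keep using Direct Send passes SPF, while everything else hard-fails; that is the state in which p=reject can be enforced without breaking legitimate device mail.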


Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.mimecast.com/threat-intelligence-hub/microsoft-direct-send-abuse/
Adversary: not specified
Pulse ID: 68a335b16810180f68852d39
Threat Score: not specified

Indicators of Compromise

IP addresses

139.28.38.90
141.95.114.238
141.95.71.216
23.163.0.158
51.89.87.86

File hashes (MD5, SHA-1 and SHA-256 values as supplied; no descriptions were given in the pulse)

e9dc9f962eb17f59d5dc9f55e0784f01
01b60a616a0c66a549323c2a0bb3262f5afe6e82
0736b07c27ff2ff21175991c2ffae38d75a66bbb57fe4390afb3347e4d6e691a
092d0be4a754532ad49e202eeba2a7709dad03f3f58cf72205f38efc668ebabd
19279573e2c3b0e6348bb305e3101531eea978037330636942a0be85dccd62c1
3432411a3bb498e6688d24dc3824b6469242d42d0b8742116479f35a8c05ab5a
3f52227acb6f97853b491cdaab53630cb21b3337a972efcb05660cd139df2482
48171e699562fe854418797cd8b8517b3f5eec598fd89e3d20c5a8f346176bf2
5b6aa8f966e240f620ad10417ff4804941966f878cc83020391ad786f5360f43
625561c24491e8b68efa34e14c5a332c63c6121a333f700af4ff6801ebe587c8
7c11352b17e325a53e3a73e34459fc55b90ceaf2c3cd4dc4421be879c7147391
975b04bb26d5fe627e195bdf46fc4eec7b25b63d7b4ab926b437a04903ec522f
988d3069d1241d2784debeb6946c57a8c66221d7fbfbd6228b2b8b3cc4e92a50
b810f7e999d5824147535e3974cf349010f78badaa0428c554bb3e5eec56db2f
b96ee4c2bdf566a5740dc100cf1c70896cd2806fac42d46b022d5c52c3a8a52a
c2394537d5e7b3c1c9afc73408b5c6b1c1154650a4a8454b9f4e534c9ddbd092
ca82e7201694b964e0f6702e08f75f98f0732552aefaed6ae8b170689341bfe2
cc2f055a242eec9ba870fc3040883439666266a018c833b72bb201592ff0c0e4
cf74d4c1c3e8317c43aacdcda57cb8da032477e24732d0a7987c8bf5aa9ff186
d5800e021a88c6e91f1605b892e8aefe1ba21719022417746a64a4acba13e903
df6bc150a77c36beafbfd0c59daa7a8960bb090743b778477e25805195640c0c
f24785156ec9c045e88eed48b2a262996a12e7bc62f50784bba9334172668275

Domains

djvzk.uekmu.es
jmvthr.owlrd.ru

Threat ID: 68a33999ad5a09ad00af08fd

Added to database: 8/18/2025, 2:32:57 PM
