This threat involves an ongoing phishing campaign that exploits Microsoft 365's Direct Send feature to deliver malicious emails. The Direct Send feature is designed to allow internal devices, such as printers or multifunction devices, to send emails through Microsoft 365 without requiring authentication. Attackers abuse this functionality by spoofing internal users' email addresses to send phishing emails that appear legitimate and originate from within the organization. This technique bypasses common email authentication mechanisms like SPF, DKIM, and DMARC because the emails are sent directly through Microsoft 365's infrastructure, making detection more challenging. The campaign was uncovered by Varonis' MDDR Forensics team, highlighting the abuse of this feature to facilitate phishing attacks. Detection involves scrutinizing email headers for external IP addresses, failures in SPF, DKIM, or DMARC checks, and identifying unusual email sending patterns. Prevention recommendations include disabling or rejecting Direct Send where possible, enforcing strict DMARC policies to prevent spoofing, and educating users about the risks of phishing emails that appear to come from internal sources. This attack vector leverages a legitimate feature in Microsoft 365, making it a sophisticated method to evade traditional email security controls and increase the likelihood of successful phishing attempts.

For European organizations, this threat poses significant risks to confidentiality, integrity, and operational continuity. Phishing emails that appear to come from trusted internal sources can lead to credential theft, unauthorized access to sensitive data, and potential deployment of malware or ransomware. Given the widespread adoption of Microsoft 365 across Europe, many organizations are vulnerable to this exploitation. Successful phishing attacks can result in data breaches involving personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, compromised internal accounts can be leveraged for lateral movement within networks, escalating the severity of the breach. The ability to bypass standard email authentication mechanisms increases the difficulty of detection and response, potentially allowing attackers to maintain persistence and conduct prolonged campaigns. This threat also undermines user trust in internal communications, complicating incident response and user awareness efforts.

European organizations should take a multi-layered approach to mitigate this threat. First, review and restrict the use of Microsoft 365's Direct Send feature; where possible, disable it or configure mail flow rules to reject emails sent via Direct Send that do not originate from authorized devices or IP addresses. Implement and enforce strict DMARC policies with a 'reject' policy to prevent spoofed emails from being accepted. Regularly monitor email headers for anomalies such as unexpected external IP addresses or authentication failures. Enhance email filtering solutions to detect and quarantine suspicious messages that exploit this feature. Conduct targeted user awareness training focused on recognizing phishing emails that appear to come from internal sources, emphasizing verification of unexpected requests even if they seem legitimate. Additionally, implement multi-factor authentication (MFA) across all accounts to reduce the impact of credential compromise. Finally, maintain up-to-date incident response plans that include procedures for handling phishing campaigns exploiting internal email spoofing.