Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails
| Reference: [Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails](https://www.varonis.com/blog/direct-send-exploit) |
| :- |

**Key Points:**

* **Phishing Campaign:** Varonis' MDDR Forensics team uncovered a phishing campaign exploiting Microsoft 365's Direct Send feature.
* **Direct Send Feature:** Allows internal devices to send emails without authentication, which attackers abuse to spoof internal users.
* **Detection:** Look for external IPs in message headers, failures in SPF, DKIM, or DMARC, and unusual email behaviors.
* **Prevention:** Enable "Reject Direct Send," implement strict DMARC policies, and educate users on risks.

For technical details, please see the reference above. Could anyone share samples or real-world experiences about this *(for education and security monitoring)*?
AI Analysis
Technical Summary
This threat involves an ongoing phishing campaign that exploits Microsoft 365's Direct Send feature to deliver malicious emails. Direct Send is designed to let internal devices, such as printers or multifunction devices, send email through Microsoft 365 without authenticating. Attackers abuse this functionality by spoofing internal users' email addresses, so their phishing emails appear legitimate and seem to originate from within the organization. The technique sidesteps the protection normally provided by SPF, DKIM, and DMARC: because the messages enter through Microsoft 365's own infrastructure and are handled as internal mail, they can be delivered even when those checks fail, which makes detection more challenging. The campaign was uncovered by Varonis' MDDR Forensics team, highlighting the abuse of this feature to facilitate phishing attacks. Detection involves scrutinizing email headers for external IP addresses, failures in SPF, DKIM, or DMARC checks, and identifying unusual email sending patterns. Prevention recommendations include disabling or rejecting Direct Send where possible, enforcing strict DMARC policies to prevent spoofing, and educating users about the risks of phishing emails that appear to come from internal sources. Because this attack vector leverages a legitimate Microsoft 365 feature, it evades traditional email security controls and increases the likelihood of successful phishing attempts.
Potential Impact
For European organizations, this threat poses significant risks to confidentiality, integrity, and operational continuity. Phishing emails that appear to come from trusted internal sources can lead to credential theft, unauthorized access to sensitive data, and potential deployment of malware or ransomware. Given the widespread adoption of Microsoft 365 across Europe, many organizations are vulnerable to this exploitation. Successful phishing attacks can result in data breaches involving personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, compromised internal accounts can be leveraged for lateral movement within networks, escalating the severity of the breach. The ability to bypass standard email authentication mechanisms increases the difficulty of detection and response, potentially allowing attackers to maintain persistence and conduct prolonged campaigns. This threat also undermines user trust in internal communications, complicating incident response and user awareness efforts.
Mitigation Recommendations
European organizations should take a multi-layered approach to mitigate this threat. First, review and restrict the use of Microsoft 365's Direct Send feature: where possible, disable it (the tenant's "Reject Direct Send" setting) or configure mail flow rules to reject messages sent via Direct Send that do not originate from authorized devices or IP addresses. Publish and enforce a strict DMARC policy (p=reject) so that spoofed messages are not accepted. Regularly monitor email headers for anomalies such as unexpected external IP addresses or authentication failures. Tune email filtering to detect and quarantine suspicious messages that exploit this feature. Conduct targeted user awareness training focused on recognizing phishing emails that appear to come from internal sources, emphasizing verification of unexpected requests even when they seem legitimate. Additionally, enforce multi-factor authentication (MFA) across all accounts to reduce the impact of credential compromise. Finally, maintain up-to-date incident response plans that include procedures for handling phishing campaigns that spoof internal senders.
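As an added example of the header checks described in the Technical Summary and in the monitoring recommendation above (not code from the Varonis post or the Reddit thread), the script below triages a raw message: it parses the Authentication-Results header that Exchange Online stamps on inbound mail, pulls the connecting IP from its SPF clause, and flags messages whose From address claims the tenant's domain but arrived from an IP outside the organisation's authorised device range with failed SPF, DKIM or DMARC. The tenant domain, the device range and the sample messages are constructed.

```python
"""Triage check for Direct Send abuse: an internal From domain that arrived
unauthenticated from an IP that is not one of the tenant's own devices.
Added example; tenant domain, device range and sample messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

TENANT_DOMAINS = {"example.com"}                               # assumed tenant
AUTHORISED_DEVICES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed MFP range

# Exchange Online records the connecting IP inside the SPF clause, e.g.
# "spf=fail (sender IP is 203.0.113.45)"; each check is written "name=result".
_SENDER_IP = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")
_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc to their recorded result, defaulting to 'none'."""
    found = {k: v.lower() for k, v in _RESULT.findall(header)}
    return {k: found.get(k, "none") for k in ("spf", "dkim", "dmarc")}


def assess(raw: str) -> dict:
    """Return a verdict, the failed checks and the connecting IP for one message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    m = _SENDER_IP.search(auth)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    out = {"sender_ip": str(ip) if ip is not None else None, "reasons": []}
    if from_domain not in TENANT_DOMAINS:      # ordinary inbound mail: DMARC policy applies
        return {**out, "verdict": "external"}
    out["reasons"] = [f"{k}={v}" for k, v in parse_auth_results(auth).items() if v != "pass"]
    if ip is not None and any(ip in net for net in AUTHORISED_DEVICES):
        return {**out, "verdict": "expected_direct_send"}   # known printer/MFP
    out["reasons"].insert(0, f"unauthorised_sender_ip={ip}")
    # Internal From + unknown source IP + failed SPF/DKIM/DMARC is the spoof pattern.
    return {**out, "verdict": "high" if len(out["reasons"]) > 1 else "low"}


SAMPLE_PHISH = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com; compauth=fail reason=001
From: IT Helpdesk <helpdesk@example.com>
Subject: Voicemail waiting

"""
SAMPLE_PRINTER = SAMPLE_PHISH.replace("203.0.113.45", "198.51.100.20")
```

Run over mail exported from the quarantine or from a message trace, the "high" verdicts are the candidates to review first; a device that legitimately uses Direct Send but is missing from AUTHORISED_DEVICES will show up as "high" until its range is added.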
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Ireland, Poland
Technical Details
- Source Type: Subreddit
- Subreddit: netsec
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: varonis.com
- Newsworthiness Assessment: {"score":39.1,"reasons":["external_link","newsworthy_keywords:exploit,campaign,phishing campaign","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit","campaign","phishing campaign","ttps"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 685e22f5ca1063fb874f4897
Added to database: 6/27/2025, 4:49:57 AM
Last enriched: 6/27/2025, 4:50:08 AM
Last updated: 8/16/2025, 11:19:15 PM
Views: 41