Microsoft 365 Exchange Online’s Direct Send feature, originally designed to enable legacy devices and applications to send emails without authentication, has become an exploitable pathway for cybercriminals conducting sophisticated phishing and business email compromise attacks.
The feature allows multifunction printers, scanners, and older line-of-business applications to transmit messages by bypassing rigorous authentication and security checks, creating an operational convenience that adversaries have weaponized to circumvent standard content filters and domain verification protocols.
Recent investigations reveal a surge in malicious campaigns exploiting Direct Send to deliver fraudulent messages that appear to originate from trusted internal sources.
Threat actors emulate legitimate device traffic and send unauthenticated emails impersonating executives, IT help desks, and internal users.
These campaigns frequently employ business-themed social engineering lures, including task approvals, voicemail notifications, and payment prompts designed to manipulate recipients into divulging credentials or sensitive information.
Cisco Talos analysts identified increased activity by malicious actors leveraging Direct Send as part of coordinated phishing campaigns and BEC attacks.
Security researchers from multiple organizations, including Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, and Mimecast, have independently confirmed similar findings, indicating that adversaries have actively targeted corporations using Direct Send in recent months.
Direct Send Exploitation
The attacks exploit the feature’s ability to inherit implicit trust from Exchange infrastructure, decreasing payload scrutiny and enabling messages to bypass critical sender verification mechanisms.
The exploitation technique centers on circumventing three fundamental email authentication protocols: DomainKeys-Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
,%20fake%20ACH%20payment%20notice%20(right)%20(Source%20-%20Cisco%20Talos).webp)
Under normal circumstances, these protocols verify message authenticity through cryptographic signatures, authorized IP ranges, and policy enforcement.
However, Direct Send prevents this inspection, allowing spoofed messages to reach recipients unchallenged.
Attackers have embedded QR codes within PDFs and crafted empty-body messages with obfuscated attachments, successfully evading traditional content filters and directing victims to credential harvesting pages.
Microsoft has responded by introducing a Public Preview of the RejectDirectSend control and announcing future enhancements, including Direct Send-specific usage reports and a default-off configuration for new tenants.
Organizations can mitigate risks by disabling Direct Send where feasible using the command Set-OrganizationConfig -RejectDirectSend $true after validating legitimate mail flows, migrating devices to authenticated SMTP submission on port 587, and implementing tightly scoped IP restrictions for devices unable to authenticate properly.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
.webp?w=100&resize=100,70&ssl=1 "Top 10 Best Fraud Prevention Companies in 2025")
