ProArch SOC has observed an increase in phishing campaigns that exploit spoofed sender identities and Microsoft 365 Direct Send to deliver messages that appear internal or self-originated.
What Is Microsoft 365 Direct Send and Why Is It Being Abused?
What is Direct Send?
Direct Send is a Microsoft 365/Exchange Online mail flow option that allows devices and applications to send email directly to mailboxes in your organization without using SMTP authentication. It is commonly configured to use the tenant’s Exchange Online mail endpoint over port 25 and is limited to delivering messages to internal recipients.
Why is Direct Send being abused?
Because Direct Send does not require authentication and the routing endpoint is predictable, threat actors can misuse it when tenant controls are weak or mail flow restrictions are not in place.
- No authentication is required for submission
- Mail routing endpoints are easy to identify
- Attackers can send messages that appear to come from internal users
- Messages can be delivered directly to internal mailboxes
- Depending on the environment, this can reduce the effectiveness of upstream email security controls
ProArch SOC Observations
SOC observed multiple phishing campaigns in which emails were spoofed to appear as internal or self-originated messages.
- In several cases, high-volume email bursts with identical subjects were delivered across multiple users.
- Subjects frequently included urgency-driven phishing themes such as:
  - “Action Required”
  - “Mailbox Login / Password Expiry”
  - “Service Termination Alert”
  - “HR Documents / Agreement Pending”
- While most emails were quarantined by Microsoft Defender for Office 365 (MDO), a subset reached user inboxes.
- Emails contained malicious URLs which redirected to credential harvesting pages.
- Attack infrastructure leverages clean or low-reputation hosting providers and rotating sender IPs and domains.
- In several environments, delivery patterns were consistent with Direct Send abuse, enabling emails to bypass secure email gateways and appear as internal/intra-org messages.
- Early SOC response included IOC blocking and email purge, and where user interaction was identified, password resets and session revocation to prevent potential account compromise.
How Direct Send Phishing Works
Direct Send is commonly used by legitimate internal systems such as:
- Printers and scanners sending scanned documents by email
- Line-of-business applications sending alerts or status notifications
- Internal systems sending automated messages to employees or shared mailboxes
Attackers use techniques like Self-Spoofing and Internal Impersonation to craft emails that:
- Appear to originate from the recipient’s own email address
- Mimic internal users, HR, or IT communications
- Bypass basic trust assumptions users have with internal-looking emails
These emails exploit gaps in email authentication enforcement and user awareness.
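As an added illustration (not ProArch's detection content), the following PowerShell function applies the self-spoofing pattern described above to raw message headers: a message whose From domain matches the tenant, or whose From address equals the recipient, but which failed SPF, DMARC or Microsoft's composite authentication is the signature of an unauthenticated Direct Send submission. The headers, addresses and sender IP in the sample are constructed placeholders.

```powershell
# Added example (not ProArch tooling): flag internal-looking messages that failed
# sender authentication, the pattern seen in Direct Send self-spoofing.
function Get-HeaderValue {
    param([string]$Headers, [string]$Name)
    # RFC 5322 headers may be folded onto continuation lines starting with whitespace.
    $unfolded = $Headers -replace "(\r?\n)[ \t]+", ' '
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match "^$([regex]::Escape($Name)):\s*(.*)") { return $Matches[1].Trim() }
    }
    return $null
}

function Test-SelfSpoof {
    param([string]$Headers, [string]$TenantDomain)
    $from = Get-HeaderValue $Headers 'From'
    $to   = Get-HeaderValue $Headers 'To'
    $auth = Get-HeaderValue $Headers 'Authentication-Results'
    # Keep only the address part, e.g. "IT Helpdesk <it@contoso.com>" -> it@contoso.com
    $fromAddr = if ($from -match '<([^>]+)>') { $Matches[1] } else { $from }
    $toAddr   = if ($to   -match '<([^>]+)>') { $Matches[1] } else { $to }
    $fromDomain = ($fromAddr -split '@')[-1].ToLower()
    # Results as written by Exchange Online into Authentication-Results
    $spf      = if ($auth -match 'spf=(\w+)')      { $Matches[1] } else { 'none' }
    $dmarc    = if ($auth -match 'dmarc=(\w+)')    { $Matches[1] } else { 'none' }
    $compauth = if ($auth -match 'compauth=(\w+)') { $Matches[1] } else { 'none' }
    $looksInternal = ($fromDomain -eq $TenantDomain.ToLower())
    $authFailed    = ($spf -ne 'pass') -or ($dmarc -eq 'fail') -or ($compauth -eq 'fail')
    [pscustomobject]@{
        From          = $fromAddr
        To            = $toAddr
        SelfSender    = ($fromAddr -ieq $toAddr)   # recipient's own address used as sender
        LooksInternal = $looksInternal
        Spf = $spf; Dmarc = $dmarc; CompAuth = $compauth
        Suspicious    = ($looksInternal -and $authFailed)
    }
}

# Constructed sample headers modelled on a Direct Send self-spoof (placeholder values).
$sample = @"
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com;compauth=fail reason=001
From: "IT Helpdesk" <alice@contoso.com>
To: alice@contoso.com
Subject: Action Required: Mailbox Password Expiry
"@
Test-SelfSpoof -Headers $sample -TenantDomain 'contoso.com'
```

For the sample above the function returns SelfSender, LooksInternal and Suspicious all true; legitimate internal mail (or an allow-listed printer whose IP is in SPF) shows spf=pass and is not flagged.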
High-Volume Delivery to Increase Success Rate
- Campaigns send dozens of emails per user to increase visibility and pressure
- Randomized infrastructure and rotating IPs reduce block effectiveness
- Some emails bypass initial detection, reach user inboxes, and are quarantined only afterward
Credential Harvesting via Redirect Chains
- Embedded URLs lead to phishing pages hosted on:
  - Compromised websites
  - Newly registered domains
- Redirect chains are used to bypass URL scanning and detonation engines
- Users are prompted to enter credentials using urgency-driven scenarios
While security controls such as Microsoft Defender for Office 365 successfully detect most of these attacks, attackers are leveraging evolving infrastructure, impersonation techniques, and mail flow gaps to bypass filtering and increase delivery success rates.
Risks Introduced by Microsoft 365 Direct Send Abuse
- Credential Theft: Users may unknowingly submit M365 credentials
- Account Takeover: Enables mailbox compromise and lateral phishing
- Business Email Compromise (BEC): Attackers can pivot to financial fraud scenarios
- Security Control Bypass: Abuse of Direct Send enables evasion of traditional email filtering controls
- User Trust Exploitation: Self-spoofing reduces skepticism toward malicious emails
- Operational Disruption: High-volume campaigns create confusion
Recommendations
Immediate Actions
- Notify users of active spoofed phishing campaigns and reinforce vigilance
- Instruct users not to click links, download attachments, or scan QR codes in suspicious emails
- Revoke active sessions and reset passwords for users who interacted with phishing content
- Hard delete phishing emails from inboxes and quarantine similar messages
Short-Term Actions
- Enable and tune Anti-Phishing and Anti-Spoofing policies in Microsoft Defender for Office 365
- Configure Spoof Intelligence and review spoofed sender insights regularly
- Review and restrict Direct Send usage to trusted IPs and authorized systems only
- Block identified sender IPs, domains, and redirect URLs across email and endpoint controls
Mid / Long-Term Actions
- Enforce SPF, DKIM, and DMARC with strict policies (reject/quarantine)
- Implement user and domain impersonation protection for critical users and domains
- Disable Direct Send where not required or replace with authenticated mail flow mechanisms
- Strengthen Conditional Access policies to reduce impact of credential compromise
- Conduct regular phishing simulations focusing on spoofed/internal email scenarios
- Integrate email, identity, and SIEM telemetry (e.g., Microsoft Sentinel) for correlation
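The Direct Send restrictions and DMARC enforcement recommended above, as an added Exchange Online PowerShell example (not a ProArch script). It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and a Windows host for Resolve-DnsName; the domain and IP addresses are placeholders for your accepted domain and the egress IPs of printers or applications that legitimately use Direct Send.

```powershell
# Added example of the hardening steps above (not ProArch's own tooling).
# Requires: Install-Module ExchangeOnlineManagement; an Exchange admin account.
Connect-ExchangeOnline

$tenantDomain         = 'contoso.com'                        # placeholder accepted domain
$trustedDirectSendIPs = @('203.0.113.10', '203.0.113.11')    # placeholder MFP / LOB app IPs

# Short-term: reject mail that claims your own domain but arrives from outside the
# organization, unless it comes from the approved Direct Send sources. Unauthenticated
# submissions from attacker infrastructure match this; allow-listed devices do not.
New-TransportRule -Name 'Block unauthorized Direct Send spoofing' `
    -FromScope NotInOrganization `
    -SenderDomainIs $tenantDomain `
    -ExceptIfSenderIpRanges $trustedDirectSendIPs `
    -RejectMessageReasonText 'Unauthenticated mail claiming an internal sender is not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

# Long-term: where Direct Send is not needed at all, turn it off tenant-wide and move
# devices and applications to authenticated SMTP submission or an inbound connector.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend

# Confirm the domain's DMARC policy is enforcing (quarantine/reject), not monitor-only (p=none).
$dmarc  = Resolve-DnsName -Name "_dmarc.$tenantDomain" -Type TXT -ErrorAction SilentlyContinue
$policy = ($dmarc.Strings -join '') -replace '.*\bp=(\w+).*', '$1'
if ($policy -notin @('quarantine', 'reject')) {
    Write-Warning "DMARC policy for $tenantDomain is '$policy'; raise it to quarantine or reject."
}
```

Run the transport rule in Audit mode first and review message trace for any legitimate senders it would have rejected before switching it to Enforce.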
What ProArch Is Doing
ProArch is taking proactive steps to help managed security clients reduce exposure to Direct Send abuse and strengthen email security against evolving phishing threats.
- Email Security Evaluation: Auditing managed security clients’ Microsoft Defender for Office 365 policies against recommended configurations to identify enhancement opportunities.
- Consultative Follow-Up: Security consultants will provide follow-up communication individually where specific hardening or remediation actions are recommended.
- New Detection Rules: Deploying detections for internal spoofing patterns and self-sender anomalies associated with Direct Send abuse.
- Proactive Threat Hunting: Identifying Direct Send abuse patterns and detecting anomalous mail flow behavior across monitored environments.
- Response and Remediation: Performing alert triage, IOC blocking, containment actions, email purge, and remediation support where phishing activity is identified.
- Continuous Monitoring: Monitoring for credential harvesting indicators and post-phishing account activity to support early detection of follow-on compromise.
Strengthening Email Security
Phishing attacks are increasingly leveraging gaps in internal email trust and infrastructure like Direct Send.
Self-spoofed emails boost user trust, making credential theft and initial access easier. Organisations should use layered defences, including strong authentication and continuous monitoring.
ProArch can help you counter these threats with policy reviews, detection, threat hunting, and incident response. If you would like ProArch to assess your exposure to Direct Send abuse or strengthen your Microsoft 365 email security posture, please contact your ProArch security consultant.