How Attackers Abuse Microsoft 365’s Direct Send for Phishing

Phishing attacks are no longer just external threats. In a concerning development, cybercriminals have started to abuse a legitimate Microsoft 365 feature (Direct Send) to deliver phishing emails from within the organization. This tactic bypasses traditional security filters and creates a dangerous level of trust with unsuspecting employees.

What Is Direct Send?

Direct Send is a Microsoft 365 feature that allows devices and applications (like printers or scanners) to send emails without authentication using your domain. It’s typically used for internal communication or system-generated alerts from multifunction devices.

Unfortunately, what was once a convenience for internal workflows has now become a tool for threat actors.

How Attackers Exploit It

Here’s the troubling part: attackers who gain access to an organization’s network or an unsecured endpoint can abuse Direct Send to send emails from internal addresses. These emails appear to come from trusted sources within the company (e.g., HR, IT, or even executives), making them much more likely to be opened or acted upon.

These phishing messages can contain:

  • Malicious links

  • Fake document requests

  • MFA reset prompts

  • Requests to change direct deposit info

  • Credential harvesting pages

Because the emails originate from the company’s own infrastructure, traditional email filters, anti-spam, or SPF/DKIM checks may not flag them as suspicious.

Why This Is Dangerous

Most phishing training and security controls are geared toward external threats: emails from unfamiliar domains or suspicious addresses. When the email comes from what looks like “someone down the hall,” users are far more likely to engage.

This tactic also allows attackers to escalate privileges or move laterally across departments by gathering login information and increasing access to sensitive systems.

Who’s at Risk?

Organizations with:

  • Misconfigured Microsoft 365 tenants

  • Open SMTP relays

  • Lack of internal email monitoring

  • Poor MFA enforcement

  • No zero-trust architecture

…are especially vulnerable to this kind of attack.

How to Protect Your Organization

1. Review and Restrict Direct Send Use

  • Audit which devices and applications use Direct Send.

  • Disable it where unnecessary or move to authenticated SMTP relay options.

2. Implement Internal Email Scanning

  • Most email security tools focus on inbound mail only.

  • Use solutions that also monitor and scan internal emails for signs of compromise.

3. Apply Zero Trust Principles

  • Assume that internal traffic can be malicious.

  • Enforce conditional access policies and strict authentication.

4. Employee Training

  • Update security awareness training to include internal phishing scenarios.

  • Encourage employees to verify unusual requests even from known internal senders.

5. Enable Logging and Monitoring

  • Regularly monitor email logs and device activity.

  • Alert on unusual volume or patterns in internal email activity.

6. Harden Authentication and MFA

  • Ensure that all Microsoft 365 access points are covered by robust multi-factor authentication.

  • Regularly rotate service account credentials.
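To make steps 2 and 5 concrete, and to show why the SPF/DKIM point made earlier still leaves a usable detection signal, here is an added example (not code from the original article): a small Python triage script that reads message headers and flags mail that claims an internal sender but was accepted by Exchange Online as an anonymous submission, failed SPF for the organization's own domain, or carries no DKIM signature. It also raises a volume alert when one source IP produces several such messages. The tenant domain example.com, the allow-listed printer IP, the threshold and the header samples are all constructed for the example; the header names (X-MS-Exchange-Organization-AuthAs, Authentication-Results) are the ones Exchange Online stamps on delivered mail.

```python
"""Triage delivered mail for internal-looking senders that arrived via
unauthenticated Direct Send. Added example; domains, IPs and samples are
constructed placeholders, not values from any real tenant."""
import re
from collections import Counter
from typing import Optional

ORG_DOMAINS = {"example.com"}                 # assumed accepted domain
ALLOWED_DIRECT_SEND_IPS = {"203.0.113.10"}    # devices kept after the audit
VOLUME_THRESHOLD = 3                          # findings per IP before alerting


def parse_headers(raw: str) -> dict:
    """Parse a header block into {lower-name: value}, unfolding continuation
    lines. The first occurrence of a repeated header name is kept."""
    headers, current = {}, None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            headers[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name in headers:
            current = None          # ignore repeats and their continuations
            continue
        current = name
        headers[current] = value.strip()
    return headers


def sender_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def analyze_message(raw: str) -> Optional[dict]:
    """Return a finding when a message claims an internal From: address but
    shows no evidence of authenticated submission; None otherwise."""
    h = parse_headers(raw)
    if sender_domain(h.get("from", "")) not in ORG_DOMAINS:
        return None                 # external sender: inbound filtering applies
    auth = h.get("authentication-results", "").lower()
    ip = re.search(r"sender ip is ([0-9a-f.:]+)", auth)
    source_ip = ip.group(1) if ip else "unknown"
    reasons = []
    if h.get("x-ms-exchange-organization-authas", "").lower() == "anonymous":
        reasons.append("accepted as anonymous (unauthenticated) submission")
    if re.search(r"\bspf=(fail|softfail|none|permerror|temperror)\b", auth):
        reasons.append("SPF did not pass for the internal domain")
    if re.search(r"\bdkim=(none|fail)\b", auth):
        reasons.append("no valid DKIM signature")
    if not reasons or source_ip in ALLOWED_DIRECT_SEND_IPS:
        return None                 # clean, or a device inventoried in step 1
    return {"message_id": h.get("message-id", "?"), "from": h.get("from", ""),
            "source_ip": source_ip, "reasons": reasons}


def review_batch(messages: list) -> dict:
    """Run analyze_message over a batch and add per-source-IP volume alerts."""
    findings = [f for f in (analyze_message(m) for m in messages) if f]
    per_ip = Counter(f["source_ip"] for f in findings)
    return {"findings": findings,
            "volume_alerts": [ip for ip, n in per_ip.items() if n >= VOLUME_THRESHOLD]}


# Constructed header samples (RFC 5321/5322 documentation addresses and IPs).
LEGIT_INTERNAL = """\
From: HR Team <hr@example.com>
Message-ID: <legit-1@example.com>
X-MS-Exchange-Organization-AuthAs: Internal
Authentication-Results: spf=pass (sender IP is 198.51.100.5)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
Subject: Open enrollment reminder
"""
DIRECT_SEND_SPOOF = """\
From: IT Helpdesk <it-support@example.com>
Message-ID: <spoof-1@example.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=fail (sender IP is 192.0.2.77)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.com; compauth=fail reason=000
Subject: Action required: MFA reset
"""
PRINTER_SCAN = """\
From: Lobby Printer <scanner@example.com>
Message-ID: <scan-1@example.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=none (message not signed)
Subject: Scanned document
"""
EXTERNAL = """\
From: Newsletter <news@vendor.example>
Message-ID: <ext-1@vendor.example>
Authentication-Results: spf=pass (sender IP is 198.51.100.9)
 smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
Subject: Monthly update
"""
SAMPLE_BATCH = [LEGIT_INTERNAL, PRINTER_SCAN, EXTERNAL] + [
    DIRECT_SEND_SPOOF.replace("spoof-1", f"spoof-{i}") for i in range(1, 4)]

if __name__ == "__main__":
    result = review_batch(SAMPLE_BATCH)
    for f in result["findings"]:
        print(f["message_id"], f["source_ip"], "; ".join(f["reasons"]))
    print("volume alerts:", result["volume_alerts"])
```

The allow list is the output of step 1: once you know which printers and scanners still legitimately use Direct Send, everything else that arrives anonymously with an internal From: address is worth a ticket. In a real deployment the header samples would be replaced by a message-trace export or a mail-flow rule that copies matching messages to a review mailbox; the checks themselves stay the same.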

Final Thoughts

This Microsoft 365 phishing trend highlights a shift in attacker strategies from breaching the perimeter to abusing internal systems and trust. Microsoft 365 is a powerful platform, but its features need to be carefully managed to prevent abuse.

If your organization uses Microsoft 365, now is the time to review your email configuration, monitor internal traffic, and remind staff that even “internal” doesn’t always mean safe.

Need help auditing your Microsoft 365 setup or strengthening your cloud security posture? Contact us today to schedule a security review.