Microsoft 365 Direct Send Exploited: Phishing Campaign Hits Over 70 Organizations

A New Threat Hiding in Plain Sight

In a concerning revelation for the cybersecurity world, a sophisticated phishing campaign has been uncovered by Varonis’ Managed Data Detection and Response (MDDR) Forensics team. Active since May 2025, this campaign targets over 70 organizations by manipulating the Microsoft 365 Direct Send feature — a legitimate email function meant for internal communications. The attackers have twisted this feature to bypass traditional authentication and launch convincing phishing emails that appear to come from inside the company. By sending emails that look internal but are actually external threats, the campaign highlights how overlooked system functionalities can become major security gaps.

Hidden in the Infrastructure: How the Attack Works

The Microsoft 365 Direct Send feature allows devices like printers or business applications to send internal emails without needing authentication. This is useful for legitimate tasks, but its design leaves the door open to abuse. Threat actors have seized on this gap. They identify organizations through the predictable structure of Microsoft’s email routing format (e.g., tenantname.mail.protection.outlook.com) and craft emails that appear to be from trusted internal users.

By using PowerShell scripts, attackers send phishing emails routed through Microsoft’s own infrastructure, bypassing most email security filters. The messages mimic typical office notifications such as voicemails or faxes, often carrying PDF attachments with embedded QR codes. These QR codes lead to fake Microsoft 365 login pages designed to harvest user credentials.

What makes this attack particularly dangerous is how it sidesteps common security checks. Although the phishing emails fail SPF, DKIM, and DMARC checks, they are still delivered because of how Direct Send handles internal-to-internal traffic. This allows attackers to appear as insiders without ever breaching the organization’s actual systems.

Investigations have revealed that these emails often share telltale signs: they are sent from a user to that user’s own address, originate from IP addresses unrelated to the organization, and carry suspicious attachments. Despite these clues, traditional filters miss them because they trust Microsoft’s internal infrastructure.
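The following Python triage routine is an added example, not code from the article or from the Varonis team. It scores message records against the indicators described above: a DMARC failure on an internal-looking sender, self-addressed mail, a connecting IP outside the tenant’s Direct Send allowlist, and a voicemail/fax PDF lure. The internal domain, the allowlist and the sample records are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed tenant facts for this example (not from the article).
INTERNAL_DOMAIN = "example.com"
DIRECT_SEND_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # printers/apps allowed to use Direct Send

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def parse_auth_results(header):
    """Map the spf/dkim/dmarc verdicts out of an Authentication-Results header string."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}

def direct_send_indicators(msg):
    """Return the Direct Send abuse indicators present in one message record, in fixed order."""
    hits = []
    sender, rcpt = msg["from"].lower(), msg["to"].lower()
    auth = parse_auth_results(msg["auth_results"])
    # Internal-looking sender whose mail did not pass DMARC: the core of the abuse.
    if sender.endswith("@" + INTERNAL_DOMAIN) and auth.get("dmarc") != "pass":
        hits.append("internal-sender-unauthenticated")
    # Mail "sent from a user to themselves", a telltale sign noted by the investigators.
    if sender == rcpt:
        hits.append("self-addressed")
    # Connecting IP is not one of the devices the tenant permits to use Direct Send.
    ip = ipaddress.ip_address(msg["client_ip"])
    if not any(ip in net for net in DIRECT_SEND_ALLOWLIST):
        hits.append("unexpected-source-ip")
    # Voicemail/fax notification lure delivered as a PDF (where the QR code would live).
    if (msg.get("attachment", "").lower().endswith(".pdf")
            and re.search(r"voicemail|fax", msg["subject"], re.I)):
        hits.append("notification-lure-pdf")
    return hits

def is_suspicious(msg, threshold=2):
    """Treat a message as likely Direct Send abuse when at least `threshold` indicators fire."""
    return len(direct_send_indicators(msg)) >= threshold

# Constructed records shaped like message-trace rows plus their Authentication-Results header.
SAMPLES = [
    {"from": "j.doe@example.com", "to": "j.doe@example.com", "client_ip": "198.51.100.7",
     "subject": "New Voicemail Message (0:42)", "attachment": "Voicemail_0042.pdf",
     "auth_results": "spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com; "
                     "dkim=none (message not signed) header.d=none; "
                     "dmarc=fail action=oreject header.from=example.com"},
    {"from": "printer-3f@example.com", "to": "finance@example.com", "client_ip": "203.0.113.10",
     "subject": "Scanned document", "attachment": "scan_0417.pdf",
     "auth_results": "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; "
                     "dkim=none (message not signed) header.d=none; "
                     "dmarc=pass action=none header.from=example.com"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", m["to"], direct_send_indicators(m),
              "SUSPICIOUS" if is_suspicious(m) else "ok")
```

The allowlisted printer produces no indicators, while the self-addressed voicemail lure from an unknown IP trips all four.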

Security professionals are urged to take immediate action. Recommendations include enabling the “Reject Direct Send” feature in the Exchange Admin Center, enforcing strict DMARC policies, quarantining unauthenticated internal emails, and educating staff on the dangers of QR code phishing, also known as “quishing.” Additionally, Direct Send should be restricted to specific IP addresses whenever possible.

The abuse of Microsoft 365 Direct Send stands as a critical reminder that convenience can become a liability without proactive oversight. Organizations must rethink their trust in built-in tools, bolster internal detection strategies, and continually educate their workforce to guard against increasingly subtle threats.

What Undercode Says:

The Rise of Stealth Tactics in Enterprise Attacks

What makes this phishing campaign so concerning isn’t just the technical execution, but the psychological precision behind it. Instead of brute force or malware, the attackers rely on trust. By exploiting a legitimate Microsoft feature, they sidestep external reputation checks and appear as part of the internal ecosystem — a move that deeply undermines conventional security thinking.

Internal Doesn’t Mean Safe Anymore

Traditionally, email security has placed a lot of faith in internal traffic. Most filters are calibrated to scrutinize messages from outside, leaving internal-looking emails with a smoother path to users’ inboxes. This attack cleverly blurs that boundary. It forces IT teams to reevaluate assumptions about “safe” sources, showing that internal spoofing is not just possible, but also dangerously effective.

Infrastructure as an Attack Vector

Microsoft’s Direct Send functionality was never meant to be a risk. It was designed for efficiency. But its lack of sender verification turns it into an accidental weapon. This isn’t a bug — it’s a misuse of a feature. That subtle distinction makes mitigation much harder, since it’s a configuration issue, not a vulnerability in the traditional sense.

A Weak Link in Defense Chains

Because Direct Send routes messages through Microsoft’s own trusted infrastructure, third-party security tools that rely on sender reputation or basic authentication signals are essentially blind. Even Microsoft’s own defenses fail here, since they see traffic as internal, not suspicious. That’s what makes this campaign so successful — it lives in the gray zone between internal functionality and external abuse.

QR Code Phishing: A Rising Threat

This campaign also highlights the growing trend of QR-based phishing. Known as “quishing,” it bypasses filters by embedding the malicious payload in images instead of links. Since users scan these QR codes with their phones, they often bypass desktop protections entirely, entering credentials directly into fake sites. As businesses promote QR codes for convenience, attackers are capitalizing on user familiarity to deceive them.

Technical Simplicity, Strategic Genius

The attack doesn’t involve zero-days or advanced exploits. It uses basic scripting, public information (such as employee email formats), and predictable routing formats. This shows that sophisticated cybercrime doesn’t always require advanced tools — just clever use of what’s already available.

Recommendations Aren’t Optional Anymore

Security professionals must now consider internal traffic as potentially hostile. Enabling “Reject Direct Send” is no longer optional. Organizations need to treat these recommendations not as best practices, but as minimum requirements. Blocking unauthenticated internal traffic, reviewing tenant settings, and analyzing PowerShell command patterns are now essential tasks for security operations.

Educating the Human Layer

Finally, the weakest link remains human behavior. Even the best filters fail when users voluntarily scan a phishing QR code and enter their credentials. Awareness campaigns, phishing simulations, and clear reporting paths are necessary to close the gap between detection and prevention.

Broader Implications for Microsoft Users

If Microsoft

🔍 Fact Checker Results:

✅ Direct Send does not require authentication, allowing spoofed internal-looking emails.
✅ Microsoft’s infrastructure can unintentionally aid delivery of unauthenticated messages.
❌ SPF, DKIM, and DMARC failures are not sufficient alone to block Direct Send-based phishing.

📊 Prediction:

🔮 Expect a surge in similar phishing campaigns leveraging internal routing gaps by late 2025, especially those involving QR code-based lures. Security vendors will likely push updates or advisories addressing Direct Send risks, while Microsoft may be pressured to introduce authentication requirements or usage restrictions. Organizations that delay configuration hardening are likely to become prime targets.

References:

Reported By: cyberpress.org