Introduction: The Rising Threat of Phishing Using Direct Send
A stealthy phishing campaign is abusing a lesser-known Microsoft 365 feature called “Direct Send” to slip past email security controls and steal corporate credentials. Direct Send was designed to let devices such as printers and scanners send mail to users inside the organization without authenticating, and attackers have turned it into a channel for messages that look as if they came from inside the company. Its abuse has put dozens of organizations, mainly in the United States, at risk. Understanding how the feature works and how attackers misuse it is crucial for companies that want to protect their mail flow and prevent costly breaches.
Overview of the Phishing Campaign Exploiting Direct Send
Microsoft 365’s Direct Send feature lets on-premises devices or applications deliver mail to the tenant’s own mailboxes by connecting to its Exchange Online MX endpoint, the smart host of the form tenantname-com.mail.protection.outlook.com. It exists for devices such as printers and scanners that need to send notifications to employees. Direct Send requires no authentication: anyone who knows the smart host name, which is published in the domain’s public MX record, and a valid recipient address can submit a message with a From address in the company’s own domain. Such messages typically fail SPF, DKIM and DMARC, but because they arrive at the tenant’s own endpoint and look like internal traffic, those failures are often not enforced and the mail is delivered anyway.
The phishing campaign discovered by the security team at Varonis targets over 70 organizations across various industries, the majority located in the US. The most affected sectors include Financial Services, Construction, Engineering, Manufacturing, Healthcare, and Insurance. The attackers use PowerShell commands to submit mail through the victim’s own smart host, so the messages appear internal even though they originate from suspicious external IP addresses, including some in Ukraine.
The emails often masquerade as voicemail or fax notifications and include PDF attachments branded with the company’s logos to boost authenticity. Notably, these PDFs contain no clickable links; instead they show QR codes. When scanned, the QR codes lead victims to phishing websites with fake Microsoft login pages designed to steal credentials.
Microsoft’s own documentation notes the risks of Direct Send and recommends it only for advanced customers willing to take on the responsibilities of a mail server administrator. To give tenants a way to close the door, Microsoft introduced a “Reject Direct Send” setting in Exchange Online that refuses unauthenticated submissions to the smart host; it is off by default and must be enabled per tenant. Alongside this, Varonis recommends a DMARC policy of p=reject, an SPF record that hard-fails unknown senders, Microsoft 365’s anti-spoofing protections, and training employees to recognise QR-code phishing.
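The following is an added example, not code from the article, from Varonis or from Microsoft. It applies the mitigations listed above from Exchange Online PowerShell and ends with a probe that exercises the Direct Send mechanism described in the overview: an unauthenticated submission to the tenant’s MX host. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange administrator role; contoso.com, the MX host name, the mailbox, the policy name and the device IP addresses are placeholders.

```powershell
# Added example (not the article's, Varonis's or Microsoft's code). Assumes
# ExchangeOnlineManagement is installed and the account has Exchange admin
# rights. contoso.com, the MX host, the mailbox and the device IPs are
# placeholders; replace them with your own values.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# 1. Inventory first. Any device or application that still submits through the
#    MX endpoint breaks once Direct Send is rejected, so move those to SMTP AUTH
#    client submission or an inbound connector before flipping the switch.
Get-OrganizationConfig | Format-List RejectDirectSend
Get-InboundConnector   | Format-Table Name, ConnectorType, SenderIPAddresses, TlsSenderCertificateName

# 2. Reject unauthenticated Direct Send at the tenant boundary (off by default).
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Format-List RejectDirectSend

# 3. Act on DMARC verdicts instead of only recording them, and keep spoof
#    intelligence on, in the default anti-phishing policy.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine

# 4. Defence in depth for tenants that cannot reject Direct Send yet: quarantine
#    external submissions that claim the tenant's own domain (unauthenticated
#    submissions fall outside the InOrganization scope), except from the known
#    device IPs. The IP list is an assumed placeholder.
New-TransportRule -Name 'Quarantine external mail claiming contoso.com' `
    -FromScope NotInOrganization `
    -SenderDomainIs 'contoso.com' `
    -ExceptIfSenderIpRanges '203.0.113.10','203.0.113.11' `
    -Quarantine $true

# 5. DNS, published at the registrar rather than in Exchange: SPF lists only
#    Microsoft's senders with a hard fail, and DMARC rejects.
#    contoso.com.         TXT  "v=spf1 include:spf.protection.outlook.com -all"
#    _dmarc.contoso.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"

# 6. Verify from a host outside the tenant's connectors and SPF record: an
#    unauthenticated submission to the MX host should now be refused. Microsoft
#    documents the refusal as a 550 5.7.68 response; inspect the exception text
#    to tell that apart from a plain network error.
function Test-DirectSendRejected {
    param(
        [string]$TenantMx = 'contoso-com.mail.protection.outlook.com',
        [string]$Mailbox  = 'someone@contoso.com'
    )
    try {
        Send-MailMessage -SmtpServer $TenantMx -Port 25 -From $Mailbox -To $Mailbox `
            -Subject 'Direct Send probe' -Body 'probe' -ErrorAction Stop
        return $false   # accepted: Direct Send is still open
    } catch {
        Write-Verbose $_.Exception.Message
        return $true    # refused
    }
}

Test-DirectSendRejected -Verbose
```

Run step 6 from a machine that is neither in the SPF record nor covered by an inbound connector, otherwise the submission is authorised and the result says nothing about Direct Send. Until step 2 is enabled, the same probe landing in the mailbox is a cheap demonstration for management of what the campaign relies on.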
What Undercode Say: In-Depth Analysis of the Direct Send Phishing Threat
The abuse of Microsoft 365’s Direct Send function reveals a critical tension between convenience and security in modern enterprise environments. Direct Send was intended to simplify internal device communication, but its lack of authentication requirements makes it a double-edged sword. Attackers taking advantage of this feature highlight how overlooked technical nuances can become major vulnerabilities when paired with sophisticated social engineering tactics.
One of the campaign’s more effective tricks is the use of QR codes inside PDF attachments instead of clickable links. Secure email gateways rewrite and scan URLs in the message body and in attachments, but a URL encoded only as an image is invisible to that scanning, and the victim typically scans the code with a personal phone, moving the click off the managed endpoint and its web proxy. QR-code phishing is not new, but its combination here with an internal-looking sender is what makes the lure convincing.
The campaign’s focus on industries with high-value data, like financial and healthcare sectors, indicates a strategic choice aiming for maximum impact. Phishing emails mimicking internal communications exploit inherent trust within companies—employees tend to be less suspicious of emails appearing to come from colleagues or internal systems, especially those with branded PDFs.
From a defensive standpoint, this situation underscores the need for organizations to audit every mail ingress path their cloud tenant accepts, including ones they never consciously enabled: Direct Send is accepted by default, so a tenant that has never configured it is still exposed. Microsoft’s advice to use the feature only where someone is willing to take on mail-server administration is a critical point that many enterprises overlook.
The campaign also exposes a gap in how SPF and DMARC results are acted on. The frameworks themselves work: the messages fail SPF, carry no DKIM signature, and fail DMARC. The problem is that the mail arrives at the tenant’s own smart host with a From address in the tenant’s own domain, and many tenants either do not enforce DMARC rejection on inbound mail or have allow-listed their own domain, so the failing verdict never results in a block. Authentication results therefore need to be paired with detection that looks at behaviour: an internal sender domain arriving from an external IP that is not one of the organization’s known devices is a strong signal on its own.
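As an added example of the behavioural check described above (not code from the article or from Varonis), the function below triages raw message headers for the combination the campaign exhibits: From and To in the tenant’s own domain, SPF failure with no DKIM signature or a DMARC failure, and a first hop into the tenant’s *.mail.protection.outlook.com endpoint from an IP that is not a known device. The two header samples are constructed for the demonstration; the tenant domain and the device IP list are placeholders.

```powershell
# Added example, not from the article or Varonis. Header triage for Direct Send
# abuse. contoso.com and the known device IP list are assumed placeholders; the
# two header blocks below are constructed samples, not captured mail.

function Test-DirectSendIndicators {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string]$TenantDomain = 'contoso.com',
        [string[]]$KnownDeviceIps = @('203.0.113.10')
    )
    # Unfold RFC 5322 continuation lines so each header field is one line.
    $h = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $fromDomain = [regex]::Match($h, '(?im)^From:.*?@([\w.-]+)').Groups[1].Value
    $toDomain   = [regex]::Match($h, '(?im)^To:.*?@([\w.-]+)').Groups[1].Value
    $authRes    = [regex]::Match($h, '(?im)^Authentication-Results:.*$').Value

    # The hop that delivered into the tenant's MX endpoint; its first IPv4 is the
    # connecting client. A Direct Send submission shows up here as a bare
    # external address rather than an authenticated connector.
    $hop   = [regex]::Match($h, '(?im)^Received: from (.*?) by \S+\.mail\.protection\.outlook\.com').Groups[1].Value
    $hopIp = [regex]::Match($hop, '\d{1,3}(?:\.\d{1,3}){3}').Value

    $internalLooking = ($fromDomain -eq $TenantDomain) -and ($toDomain -eq $TenantDomain)
    $authFailed      = ($authRes -match 'dmarc=fail') -or
                       (($authRes -match 'spf=(fail|softfail|none)') -and ($authRes -match 'dkim=none'))
    $unknownSource   = ($hopIp -ne '') -and ($hopIp -notin $KnownDeviceIps)

    [pscustomobject]@{
        FromDomain      = $fromDomain
        SourceIp        = $hopIp
        InternalLooking = $internalLooking
        AuthFailed      = $authFailed
        UnknownSource   = $unknownSource
        Suspicious      = $internalLooking -and $authFailed -and $unknownSource
    }
}

# Constructed sample 1: the campaign pattern. External client IP, tenant domain
# in both From and To, SPF fail, no DKIM, DMARC fail.
$phishHeaders = @"
Received: from 198.51.100.23 (198.51.100.23) by
 contoso-com.mail.protection.outlook.com (10.1.2.3) with Microsoft SMTP Server
 id 15.20.1234.5; Mon, 2 Jun 2025 14:02:11 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com
From: Voicemail Service <voicemail@contoso.com>
To: Alice Example <alice@contoso.com>
Subject: New voicemail message (0:42)
"@

# Constructed sample 2: a real office scanner using Direct Send from a known IP.
# It fails the same authentication checks, which is exactly why the device
# allow list, not the authentication verdict, is the discriminator.
$scannerHeaders = @"
Received: from 203.0.113.10 (203.0.113.10) by
 contoso-com.mail.protection.outlook.com (10.1.2.3) with Microsoft SMTP Server
 id 15.20.1234.5; Mon, 2 Jun 2025 09:15:40 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com
From: Scanner <scanner@contoso.com>
To: Alice Example <alice@contoso.com>
Subject: Scanned document
"@

Test-DirectSendIndicators -RawHeaders $phishHeaders   | Format-List
Test-DirectSendIndicators -RawHeaders $scannerHeaders | Format-List
```

The first sample is flagged as suspicious and the second is not, even though both fail SPF and DMARC; only the connecting IP separates them. In production the raw headers would come from quarantine exports or a message trace, and the known-device list should be the same set of addresses that is excepted from any anti-spoofing mail flow rule, so the two controls cannot drift apart.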
Companies must therefore not only tighten technical controls but also invest heavily in employee awareness, especially about emerging phishing techniques such as QR code scans. Empowering staff with knowledge about the dangers of scanning unknown QR codes could be as crucial as implementing technical fixes.
Microsoft’s Reject Direct Send setting is a welcome development, but it is disabled by default, so its effectiveness depends on administrators enabling it and first migrating any devices that legitimately rely on Direct Send to an authenticated path such as SMTP AUTH client submission or an inbound connector. Enterprises should treat this setting as an essential part of their email defense rather than a niche option.
In conclusion, the Direct Send phishing campaign is a wake-up call to revisit cloud email security configurations and employee training. It exposes how even small, overlooked features can be weaponized by threat actors and how defense requires a multi-layered approach combining technology, policy, and user vigilance.
🔍 Fact Checker Results
✅ The phishing campaign abuses the Direct Send feature in Microsoft 365, confirmed by Varonis.
✅ Microsoft has introduced the “Reject Direct Send” setting to mitigate this attack vector.
❌ Traditional SPF, DKIM, and DMARC filters alone do not fully protect against this method of attack.
📊 Prediction: The Future of Email Security and Direct Send Exploits
As phishing tactics evolve, attackers will continue to exploit overlooked features like Direct Send to bypass security controls. The growing adoption of QR code phishing highlights a shift towards blending digital and real-world attack surfaces, requiring companies to expand their threat detection beyond traditional email filtering.
Microsoft’s decision to give tenants a switch that rejects Direct Send, rather than deprecating the feature outright, suggests that cloud providers will increasingly scrutinize and constrain features that pose security risks while leaving the final choice to customers, pushing organizations to adopt more rigorous email governance practices. We predict a surge in tools designed to detect anomalous email behavior within internal networks, leveraging AI-driven analytics and real-time threat intelligence.
Employee education will become indispensable, particularly in recognizing non-traditional phishing methods such as QR codes or voice message scams. Enterprises that fail to adapt their security posture to this reality will face rising risks of credential theft and subsequent breaches.
In essence, the battle between convenience and security will continue to shape email security strategies, but with improved awareness, tighter controls, and smarter detection tools, organizations can reclaim control over their email ecosystems and stay one step ahead of attackers.
References:
Reported By: www.bleepingcomputer.com