Direct Send Abuse Leading to Internal Phishing Attacks

THE THREAT

eSentire has observed threat actors actively exploiting Microsoft 365's Direct Send feature to conduct sophisticated phishing campaigns targeting organizations across multiple industries, particularly in the United States but all sectors and locations can be impacted by this attack. Direct Send, a feature originally designed to allow internal devices, like printers, to send emails without authentication, is being manipulated by attackers to send spoofed internal emails without requiring account credentials. Security researchers have observed attackers using PowerShell commands to send malicious emails through organization's smart hosts.

The attack methodology involves sending phishing emails that appear to come from internal sources, often disguised as voicemail or fax notifications, containing PDF attachments with QR codes that lead to credential-harvesting sites. Despite failing SPF, DKIM, and DMARC authentication checks, these emails successfully reach users' inboxes because they are routed through Microsoft's infrastructure and treated as internal traffic. To mitigate this threat, eSentire recommends enabling the "Reject Direct Send" setting in the Exchange Admin Center, implementing strict DMARC policies, enforcing SPF hardfail within Exchange Online Protection, and educating users about QR code phishing (Quishing) attacks. Microsoft acknowledges this security risk and is working on deprecating the feature while providing immediate mitigation options for organizations.

eSentire’s SOC has observed multiple customers impacted by the Direct Send attack in the last two weeks; impacted customers have been notified by the SOC through proper alerting channel.

What we're doing about it

• eSentire Threat Response Unit (TRU) has developed detections in MDR for Log to detect potential Direct Send abuse
• eSentire TRU is continually tracking this topic for further information

What you should do about it

• Perform a business impact analysis to determine if your organization requires the use of the "Direct Send" feature. If possible, disable direct send by enabling the "Reject Direct Send" setting in the Microsoft Exchange Admin Center
  • Set-OrganizationConfig -RejectDirectSend $true
  • If Direct Send use is required, enable transport rules to quarantine (rather than reject) suspicious emails
  • Set exceptions for legitimate sources including:
    • Approved MX record IPs
    • On-premises IPs
    • Authorized third-party IPs
    • Internal authentication headers
  • Implement Controlled Inbound Connectors
    • Create specific inbound connectors for legitimate traffic
    • Use domain and IP restrictions
    • Only allow mail flow through authorized connectors
• Implement strict DMARC policy (p=reject)
• Enforce "SPF hardfail" within Exchange Online Protection (EOP)
• Enable Anti-Spoofing policies
• Enforce Multi-Factor Authentication (MFA) on all users
• Enforce static IP addresses in the SPF record if possible
• Flag unauthenticated internal emails for review or quarantine
• Ensure your email security logs are integrated with eSentire MDR for Log for enhanced monitoring

Additional information

The exploitation of Microsoft 365's Direct Send feature represents a significant security vulnerability where threat actors are bypassing traditional email security controls by abusing the smart host functionality (format: tenantname.mail.protection.outlook.com). Attackers are using PowerShell commands to send spoofed internal emails through this feature, which allowed attackers to deliver unauthenticated messages/emails. The attack methodology involves connecting to Windows Server 2022 hosts via RDP (port 3389), initiating SMTP connections through unsecured third-party email security appliances (ports 8008, 8010, and 8015), and ultimately delivering messages via Direct Send using spoofed internal addresses. These messages successfully bypass SPF, DKIM, and DMARC authentication checks because they're routed through Microsoft's infrastructure and treated as internal traffic.

The phishing campaign's sophistication is evident in its delivery mechanism, where attackers utilize PDF attachments containing QR codes instead of traditional hyperlinks to evade detection. These PDFs are often branded with company logos and masquerade as business communications such as voicemail notifications, wire authorizations, or task reminders. The attack infrastructure presents valid DigiCert SSL certificates and SMTP services supporting AUTH PLAIN LOGIN with STARTTLS, while the sending IPs often originate from unexpected locations, triggering abnormal behavior alerts. The messages consistently fail composite authentication checks (compauth=fail) but still reach users' inbox folders, maintaining their potential for compromise.

For organizations unable to completely disable Direct Send, several technical controls can be implemented. Primary among these is the creation of strict mail flow rules that quarantine suspicious emails based on IP ranges and authentication headers. Organizations can implement controlled inbound connectors using RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters, effectively limiting mail flow to authorized sources only. Advanced monitoring can be achieved through Historical Message Trace (supporting 90-day lookback) and Advanced Hunting queries in Microsoft Defender for Office 365 P2, using specific filters to identify unauthorized Direct Send usage (e.g., EmailEvents where EmailDirection "Inbound" and Connectors ""). This layered approach allows organizations to maintain necessary functionality while significantly reducing the attack surface.

References:

[1] https://techcommunity.microsoft.com/blog/exchange/what-is-direct-send-and-how-to-secure-it/4439865
[2] https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
[3] https://www.varonis.com/blog/direct-send-exploit
[4] https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing