Combine AI-driven security operations, multi-signal attack surface coverage and 24/7 Elite Threat Hunters to help you take your security program to the next level.
Get unlimited Incident Response with threat suppression guarantee - anytime, anywhere.
CTEM and advisory programs that identify security gaps and build proactive strategies to address them.
Multi-agent Generative AI system embedded across eSentire’s Security Operations platform to scale human expertise.
Extended Detection andOpen XDR with Agentic AI & machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Customer PortalSee what our SOC sees, review investigations, and see how we are protecting your business.
Platform IntegrationsSeamless integrations and threat investigation across your existing tech stack.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Threat Response Unit (TRU)Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Cyber Resilience TeamExtend your team capabilities and prevent business disruption with expertise from eSentire.
Response and RemediationWe balance automated blocks with rapid human-led investigations to manage threats.
Flexible MDR pricing and packages that fit your unique security requirements.
Entry level foundational MDR coverage
Comprehensive Next Level MDR from eSentire
Next Level MDR with Cyber Risk Advisors to continuously advance your security program
Stop ransomware before it spreads.
Identity ResponseStop identity-based cyberattacks.
Zero Day AttacksDetect and respond to zero-day exploits.
Cybersecurity ComplianceMeet regulatory compliance mandates.
Third-Party RiskDefend third-party and supply chain risk.
Cloud MisconfigurationEnd misconfigurations and policy violations.
Cyber RiskAdopt a risk-based security approach.
Mid-Market SecurityMid-market security essentials to prioritize.
Sensitive Data SecurityProtect your most sensitive data.
Cyber InsuranceMeet insurability requirements with MDR.
Cyber Threat IntelligenceOperationalize cyber threat intelligence.
Security LeadershipBuild a proven security program.
THE THREAT On September 16th, 2025, a large-scale attack against npm was discovered, affecting 187 packages including several from CrowdStrike. The attack, attributed to the same threat…
THE THREAT On September 8th, 2025, a large-scale supply chain attack was confirmed, affecting at least 25 widely used npm packages, collectively downloaded over two billion…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
About Us Leadership CareersWe provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
We offer three flexible MDR pricing packages that can be customized to your unique needs.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
eSentire has observed threat actors actively exploiting Microsoft 365's Direct Send feature to conduct sophisticated phishing campaigns targeting organizations across multiple industries, particularly in the United States but all sectors and locations can be impacted by this attack. Direct Send, a feature originally designed to allow internal devices, like printers, to send emails without authentication, is being manipulated by attackers to send spoofed internal emails without requiring account credentials. Security researchers have observed attackers using PowerShell commands to send malicious emails through organization's smart hosts.
The attack methodology involves sending phishing emails that appear to come from internal sources, often disguised as voicemail or fax notifications, containing PDF attachments with QR codes that lead to credential-harvesting sites. Despite failing SPF, DKIM, and DMARC authentication checks, these emails successfully reach users' inboxes because they are routed through Microsoft's infrastructure and treated as internal traffic. To mitigate this threat, eSentire recommends enabling the "Reject Direct Send" setting in the Exchange Admin Center, implementing strict DMARC policies, enforcing SPF hardfail within Exchange Online Protection, and educating users about QR code phishing (Quishing) attacks. Microsoft acknowledges this security risk and is working on deprecating the feature while providing immediate mitigation options for organizations.
eSentire’s SOC has observed multiple customers impacted by the Direct Send attack in the last two weeks; impacted customers have been notified by the SOC through proper alerting channel.
The exploitation of Microsoft 365's Direct Send feature represents a significant security vulnerability where threat actors are bypassing traditional email security controls by abusing the smart host functionality (format: tenantname.mail.protection.outlook.com). Attackers are using PowerShell commands to send spoofed internal emails through this feature, which allowed attackers to deliver unauthenticated messages/emails. The attack methodology involves connecting to Windows Server 2022 hosts via RDP (port 3389), initiating SMTP connections through unsecured third-party email security appliances (ports 8008, 8010, and 8015), and ultimately delivering messages via Direct Send using spoofed internal addresses. These messages successfully bypass SPF, DKIM, and DMARC authentication checks because they're routed through Microsoft's infrastructure and treated as internal traffic.
The phishing campaign's sophistication is evident in its delivery mechanism, where attackers utilize PDF attachments containing QR codes instead of traditional hyperlinks to evade detection. These PDFs are often branded with company logos and masquerade as business communications such as voicemail notifications, wire authorizations, or task reminders. The attack infrastructure presents valid DigiCert SSL certificates and SMTP services supporting AUTH PLAIN LOGIN with STARTTLS, while the sending IPs often originate from unexpected locations, triggering abnormal behavior alerts. The messages consistently fail composite authentication checks (compauth=fail) but still reach users' inbox folders, maintaining their potential for compromise.
For organizations unable to completely disable Direct Send, several technical controls can be implemented. Primary among these is the creation of strict mail flow rules that quarantine suspicious emails based on IP ranges and authentication headers. Organizations can implement controlled inbound connectors using RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters, effectively limiting mail flow to authorized sources only. Advanced monitoring can be achieved through Historical Message Trace (supporting 90-day lookback) and Advanced Hunting queries in Microsoft Defender for Office 365 P2, using specific filters to identify unauthorized Direct Send usage (e.g., EmailEvents where EmailDirection "Inbound" and Connectors ""). This layered approach allows organizations to maintain necessary functionality while significantly reducing the attack surface.
| Indicators of Compromise (IOCs) | |
| 139.28.36[.]230 | Attacker IP |
| 163.5.112[.]86 | Attacker IP |
| 163.5.160[.]28 | Attacker IP |
| 163.5.160[.]119 | Attacker IP |
| 163.5.160[.]143 | Attacker IP |
| 163.5.169[.]53 | Attacker IP |
| hxxps://voice-e091b.firebaseapp[.]com | Phishing URL |
| hxxps://mv4lh.bsfff[.]es | Phishing URL |
| “Caller Left VM Message * Duration-XXXX for XXXX | Email Subject |
| Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX | Email Subject |
| New Missed Fax-msg | Email Subject |
| New Missed Fax-Msg (2 pages) | Email Subject |
| You have received a new (2 pages) *Fax-Msg* to email@**** | Email Subject |
| Fax Received: Attached document for review REF | Email Subject |
| “Your-to-do-List/MM/DD/YYYY” | Email Subject |
| “Wire-eAuthorization approvalMM/DD/YYYY” | Email Subject |
| “Payment ACH-Wire Authorization” | Email Subject |
| “Daily Reminder: Today’s Tasks – MM/DD/YYYY” | Email Subject |
| “Reminder – To Do – MM/DD/YYYY” | Email Subject |
| “WIRELESSCALLER(XXX)YYY-ZZZZ-MM/DD/YYYY” | Email Subject |
| File name often contains ‘Fax-msg’, ‘Caller left VM Message’ or ‘Listen’ | Email Attachment |
| CN=WIN-BUNS25TD77J | CN used by attacker-controlled Windows Server 2022 hosts |
References:
[1] https://techcommunity.microsoft.com/blog/exchange/what-is-direct-send-and-how-to-secure-it/4439865
[2] https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
[3] https://www.varonis.com/blog/direct-send-exploit
[4] https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing