Direct Send Abuse Leading to Internal Phishing Attacks

August 6, 2025

THE THREAT

eSentire has observed threat actors actively exploiting Microsoft 365's Direct Send feature to conduct sophisticated phishing campaigns against organizations across multiple industries. The activity has been concentrated in the United States, but organizations in all sectors and locations can be affected. Direct Send, a feature originally designed to let internal devices such as printers send email without authentication, is being abused by attackers to send spoofed internal emails without any account credentials. Security researchers have observed attackers using PowerShell commands to send malicious emails through organizations' smart hosts.

The attack methodology involves sending phishing emails that appear to come from internal sources, often disguised as voicemail or fax notifications, containing PDF attachments with QR codes that lead to credential-harvesting sites. Despite failing SPF, DKIM, and DMARC authentication checks, these emails successfully reach users' inboxes because they are routed through Microsoft's infrastructure and treated as internal traffic. To mitigate this threat, eSentire recommends enabling the "Reject Direct Send" setting in the Exchange Admin Center, implementing strict DMARC policies, enforcing SPF hardfail within Exchange Online Protection, and educating users about QR code phishing (Quishing) attacks. Microsoft acknowledges this security risk and is working on deprecating the feature while providing immediate mitigation options for organizations.

eSentire’s SOC has observed multiple customers impacted by the Direct Send attack in the last two weeks; impacted customers have been notified by the SOC through the proper alerting channels.

Additional information

The exploitation of Microsoft 365's Direct Send feature represents a significant security weakness: threat actors bypass traditional email security controls by abusing the smart host functionality (format: tenantname.mail.protection.outlook.com). Attackers use PowerShell commands to send spoofed internal emails through this feature, which lets them deliver unauthenticated messages to the tenant's users. The attack methodology involves connecting to Windows Server 2022 hosts via RDP (port 3389), initiating SMTP connections through unsecured third-party email security appliances (ports 8008, 8010, and 8015), and ultimately delivering messages via Direct Send using spoofed internal addresses. These messages bypass SPF, DKIM, and DMARC authentication checks because they are routed through Microsoft's infrastructure and treated as internal traffic.

The phishing campaign's sophistication is evident in its delivery mechanism: attackers use PDF attachments containing QR codes instead of traditional hyperlinks to evade detection. These PDFs are often branded with company logos and masquerade as business communications such as voicemail notifications, wire authorizations, or task reminders. The attack infrastructure presents valid DigiCert SSL certificates and SMTP services supporting AUTH PLAIN LOGIN with STARTTLS, while the sending IPs often originate from unexpected locations, triggering abnormal-behavior alerts. The messages consistently fail composite authentication (compauth=fail) yet still reach users' inbox folders, so they retain their potential for compromise.

For organizations unable to disable Direct Send completely, several technical controls can be implemented. Primary among these is the creation of strict mail flow rules that quarantine suspicious emails based on IP ranges and authentication headers. Organizations can implement controlled inbound connectors using the RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters, limiting mail flow to authorized sources only. Advanced monitoring can be achieved through Historical Message Trace (supporting a 90-day lookback) and Advanced Hunting queries in Microsoft Defender for Office 365 P2, using specific filters to identify unauthorized Direct Send usage (e.g., EmailEvents | where EmailDirection == "Inbound" and Connectors == "", i.e., inbound mail that arrived through no connector). This layered approach allows organizations to maintain necessary functionality while significantly reducing the attack surface.
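As an added illustration (not eSentire's or Microsoft's tooling), the following Python script applies the signals described in the two paragraphs above and in the IOC list to a raw message: an internal From domain combined with compauth=fail, SPF and DMARC failure, lure subject lines, and PDF attachment names. The tenant domain example.com, the sample message and its sender IP are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TENANT_DOMAIN = "example.com"  # the tenant's own accepted domain (assumed value)
# Lure keywords taken from the subject lines and attachment names in the IOC list.
LURE_PATTERNS = re.compile(r"fax-msg|caller left vm|listen|wire|authorization|to-do|reminder", re.I)

def parse_auth_results(header):
    """Pull the spf/dkim/dmarc/compauth verdicts out of an Authentication-Results header."""
    verdicts = {}
    for key in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{key}=(\w+)", header, re.I)
        if m:
            verdicts[key] = m.group(1).lower()
    return verdicts

def triage(raw_message):
    """Return the reasons a message looks like a Direct Send spoof (empty list if none)."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # Core signal from the advisory: an internal sender address, yet composite auth fails.
    if sender_domain == TENANT_DOMAIN and auth.get("compauth") == "fail":
        reasons.append("internal sender domain with compauth=fail")
    if auth.get("spf") == "fail" and auth.get("dmarc") == "fail":
        reasons.append("SPF and DMARC both fail")
    if LURE_PATTERNS.search(msg.get("Subject", "")):
        reasons.append("subject matches a known lure pattern")
    for part in msg.walk():
        if part.get_content_type() == "application/pdf" and LURE_PATTERNS.search(part.get_filename() or ""):
            reasons.append("PDF attachment with a lure filename")
    return reasons

# Constructed sample modelled on the advisory; 192.0.2.10 is a documentation address, not an IOC.
SAMPLE = """\
From: "Voicemail" <voicemail@example.com>
Subject: Caller Left VM Message * Duration-0142 for user
Authentication-Results: spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=example.com;compauth=fail reason=001
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="Listen-VM.pdf"
Content-Disposition: attachment; filename="Listen-VM.pdf"

%PDF-1.4 (constructed placeholder body)
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In production the same checks would run over messages exported from Message Trace or a mailbox rather than a string, and a hit should be quarantined or routed to the SOC rather than only printed.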

Indicators of Compromise (IOCs)

Type                Indicator
Attacker IP         139.28.36[.]230
Attacker IP         163.5.112[.]86
Attacker IP         163.5.160[.]28
Attacker IP         163.5.160[.]119
Attacker IP         163.5.160[.]143
Attacker IP         163.5.169[.]53
Phishing URL        hxxps://voice-e091b.firebaseapp[.]com
Phishing URL        hxxps://mv4lh.bsfff[.]es
Email Subject       “Caller Left VM Message * Duration-XXXX for XXXX”
Email Subject       Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX
Email Subject       New Missed Fax-msg
Email Subject       New Missed Fax-Msg (2 pages)
Email Subject       You have received a new (2 pages) *Fax-Msg* to email@****
Email Subject       Fax Received: Attached document for review REF
Email Subject       “Your-to-do-List/MM/DD/YYYY”
Email Subject       “Wire-eAuthorization approvalMM/DD/YYYY”
Email Subject       “Payment ACH-Wire Authorization”
Email Subject       “Daily Reminder: Today’s Tasks – MM/DD/YYYY”
Email Subject       “Reminder – To Do – MM/DD/YYYY”
Email Subject       “WIRELESSCALLER(XXX)YYY-ZZZZ-MM/DD/YYYY”
Email Attachment    File name often contains ‘Fax-msg’, ‘Caller left VM Message’ or ‘Listen’
CN                  CN=WIN-BUNS25TD77J (used by attacker-controlled Windows Server 2022 hosts)
