Exploitation of Microsoft 365 Direct Send to Deliver Phishing Emails as Internal Users
A sophisticated phishing campaign targeting over 70 organizations, predominantly in the US, has been uncovered by Varonis’ Managed Data Detection and Response (MDDR) Forensics team.
This campaign, active since May 2025, exploits a lesser-known feature of Microsoft 365 called Direct Send, which allows devices and applications within a tenant to send emails without authentication.
Designed for internal use, such as enabling printers and other devices to send notifications, Direct Send has been weaponized by threat actors to spoof internal users and deliver phishing emails without ever compromising an account.
Unveiling a Novel Phishing Campaign
By leveraging the smart host format (e.g., tenantname.mail.protection.outlook.com), attackers can send messages that appear to originate from within the organization, bypassing traditional email security controls like Microsoft’s filtering mechanisms and third-party solutions that rely on sender reputation or external routing patterns.
The mechanics of this attack are alarmingly simple yet effective. Attackers use publicly available information, such as predictable smart host addresses and internal email formats often scraped from social media or past breaches, to craft spoofed emails.

Using tools like PowerShell, they send messages via the smart host to internal recipients, with the “From” address forged to mimic a legitimate internal user.
Since no authentication is required and the email is routed through Microsoft’s infrastructure, it is often treated as internal-to-internal traffic, evading scrutiny.
Technical Breakdown of the Attack Vector
Varonis’ forensic analysis revealed real-world examples, including emails mimicking voicemail notifications with PDF attachments containing QR codes that redirect to phishing sites designed to harvest Microsoft 365 credentials.

Header analysis further confirmed the exploitation, showing external IP origins (e.g., 139.28.36.230), failed SPF and DMARC checks, and a lack of DKIM signatures, yet the messages were still delivered internally.
The campaign’s use of abnormal geolocations, such as Ukrainian IP addresses, and scripted sending behavior, visible as PowerShell user agents, underscores its stealth and technical sophistication; detection is challenging without deep header and behavioral analysis.
To mitigate this threat, organizations must act swiftly by enabling “Reject Direct Send” in the Exchange Admin Center, implementing strict DMARC policies (p=reject), and enforcing SPF hardfail within Exchange Online Protection (EOP).
Additional measures include flagging unauthenticated internal emails for review, using anti-spoofing policies, and educating users on risks like QR code-based phishing (quishing).
Microsoft recommends enforcing static IP addresses in SPF records to curb abuse, while multi-factor authentication (MFA) and Conditional Access Policies provide a safety net if credentials are stolen.
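The “flag unauthenticated internal emails for review” measure above, as an added example that is not code from Varonis or Microsoft: a Python triage check that parses a message’s Received and Authentication-Results headers and flags a message that claims an internal From address while failing SPF or DMARC, lacking a DKIM signature, and arriving from an IP outside the allow-list of legitimate Direct Send sources. The tenant domain contoso.com, the allow-listed network 203.0.113.0/24 and the sample headers are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the campaign's headers: an internal-looking From,
# an external connecting IP, SPF/DMARC failures and no DKIM, yet accepted by EOP.
SAMPLE_DIRECT_SEND = """\
Received: from 139.28.36.230 (139.28.36.230) by contoso.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 139.28.36.230) smtp.mailfrom=contoso.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com
From: Alice Example <alice@contoso.com>
To: bob@contoso.com
Subject: Caller Left VM Message

See attached.
"""

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's accepted domains
# Assumption: networks from which legitimate devices/apps are allowed to use Direct Send.
ALLOWED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def _auth_results(msg):
    """Collapse Authentication-Results into e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", joined)}

def _source_ip(msg):
    """Connecting IPv4 address as recorded in the first Received header that names one."""
    for received in msg.get_all("Received", []):
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def assess_direct_send_spoof(raw_message):
    """Return triage findings; 'suspicious' is set when two or more indicators coincide."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth, ip, findings = _auth_results(msg), _source_ip(msg), []
    if from_domain in INTERNAL_DOMAINS:  # only internal-looking senders are in scope
        if ip is not None and not any(ip in net for net in ALLOWED_SENDER_NETS):
            findings.append(f"internal From but unexpected source IP {ip}")
        if auth.get("spf") == "fail":
            findings.append("SPF fail")
        if auth.get("dmarc") == "fail":
            findings.append("DMARC fail")
        if auth.get("dkim", "none") == "none":
            findings.append("no DKIM signature")
    return {"from_domain": from_domain, "source_ip": str(ip) if ip else None,
            "suspicious": len(findings) >= 2, "findings": findings}
```

Run the check over messages exported from a mail-flow trace or quarantine; a message from an allow-listed device with SPF pass collects at most the DKIM finding and is not flagged.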
Direct Send, while a powerful feature for legitimate internal use, becomes a dangerous vector when unprotected, emphasizing the need for proactive monitoring and robust security configurations to prevent spoofed internal emails from slipping through the cracks.
Indicators of Compromise (IOCs)
| Category | Details |
|---|---|
| IP Addresses | 139.28.36.230, multiple IPs in the 139.28.X.X range |
| Domains (defanged URLs) | hxxps://voice-e091b.firebaseapp[.]com, hxxps://mv4lh.bsfff[.]es |
| Email Subject Lines | “Caller Left VM Message”, “New Missed Fax-msg”, “Fax Received: Attached document for review REF” |
| Email Attachments | Filenames often include ‘Fax-msg’, ‘Caller left VM Message’, or ‘Listen’ |