Confusion reigns as phishers abuse Exchange Online Direct Send

An email feature for Microsoft’s Exchange Online that allows unauthenticated message submissions for mail deliveries is causing ongoing customer concern and confusion as attackers abuse it for targeted phishing.
Microsoft calls it Direct Send – “used for sending emails directly to your mailboxes from a domain you own without any user or on-premises connector authentication.”

“Direct Send is a method of sending emails to yourself when other options are not viable,” the company added.

The feature is on by default for all Microsoft 365 tenants, and it is a legitimate capability intended to let internal messages be sent from devices and applications that have no mailbox of their own.

These could be, for example, networked printers, scanners and business applications that need to reach users in the same domain.

Phishers have quickly cottoned on that they can use Direct Send to get past the protections organisations expect from properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records.

By connecting directly to an organisation's Exchange Online inbound endpoint, which takes the form domainname-tld.mail.protection.outlook.com (the host the domain's MX record points at), and putting the organisation's own domain in the "From:" field, attackers make malicious messages appear to come from internal users when they actually originate outside the organisation.

Security vendor Arctic Wolf has tracked what it says is a widespread phishing campaign targeting multiple organisations by abusing Microsoft 365's Direct Send feature since mid-July this year.

Attackers have sent spoofed emails that look like internal communications such as voice mail notifications that contain PDF files embedded with phishing QR codes, Arctic Wolf said.

Similarly, Barracuda issued a recent security advisory on Direct Send, advising customers to add Internet Protocol (IP) address restrictions and routing controls to stop phishing payloads being delivered straight to inboxes.

In response to user concerns and confusion, Microsoft’s Exchange team posted an explainer on Direct Send, and how to secure the feature.

After feedback however, the Exchange team removed what it initially wrote “as it has proven more confusing than we intended.” 

The Exchange Team has since written an updated blog, attempting to answer questions about "scenarios that are not actually Direct Send such as senders being able to ignore a domain's MX [mail exchanger] record and [send] directly to an Exchange Online tenant."

A number of comments posted in response to the Microsoft blog suggest that administrators remain confused over the Direct Send terminology, and see the feature as a significant security vulnerability that’s turned on by default.

One user suggested disabling the capability "by default instead of exposing every M365 tenant to drive-by-phishing attacks."

It is possible to reject Direct Send messages at the tenant level, but doing so risks breaking legitimate devices and services unless specific inbound connectors are created for them first.
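The following Exchange Online PowerShell sequence is an added example of that mitigation path and is not code from the article, from Microsoft or from either vendor quoted above. It assumes a tenant domain of contoso.com, one legitimate on-premises device (a multifunction printer) that submits mail from 203.0.113.10, an account holding the Exchange Administrator role, and the ExchangeOnlineManagement module already installed; all of those names and addresses are placeholders. It inventories what currently arrives for the domain from outside, carves out the known device with an inbound connector, then turns on the tenant-wide RejectDirectSend switch and adds a mail flow rule as a backstop.

```powershell
# Added example (not from the article): locking down Direct Send in Exchange Online.
# Assumed values: domain contoso.com, legitimate printer at 203.0.113.10,
# admin account admin@contoso.com. Replace them with your own.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Current state. RejectDirectSend is $false on a default tenant, which is
#    the "on by default" behaviour that administrators are complaining about.
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Inventory before changing anything. Mail whose sender address carries
#    your own domain but which arrived from an external IP is either a
#    device/app you still need to keep working, or spoofed mail of the kind
#    the campaign uses. (Heuristic: FromIP is populated for inbound mail and
#    blank for mail that originated inside the tenant.)
$since = (Get-Date).AddDays(-7)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object { $_.SenderAddress -like '*@contoso.com' -and $_.FromIP } |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Carve out the legitimate device with an inbound connector keyed to its
#    source IP. Mail matching an inbound connector is attributed to the tenant
#    rather than treated as anonymous Direct Send, so it keeps flowing after
#    step 4. Keep SenderDomains limited to domains you actually own.
New-InboundConnector -Name 'MFP-DirectSend' `
    -ConnectorType OnPremises `
    -SenderDomains 'contoso.com' `
    -SenderIPAddresses '203.0.113.10' `
    -RequireTls $false `
    -Enabled $true

# 4. Reject unauthenticated Direct Send for the whole tenant. Anonymous
#    submissions that do not match a connector now bounce with a
#    non-delivery report instead of landing in a mailbox.
Set-OrganizationConfig -RejectDirectSend $true

# 5. Backstop while the change propagates: quarantine anything that claims to
#    be from contoso.com, arrives from outside the organisation, and is not
#    from the printer. Extend ExceptIfSenderIpRanges for every source found
#    in step 2 that you decide is legitimate.
New-TransportRule -Name 'Quarantine external spoof of own domain' `
    -FromScope NotInOrganization `
    -SenderDomainIs 'contoso.com' `
    -ExceptIfSenderIpRanges '203.0.113.10' `
    -Quarantine $true `
    -Priority 0

# 6. Verify the result.
Get-OrganizationConfig | Select-Object RejectDirectSend
Get-InboundConnector -Identity 'MFP-DirectSend' |
    Select-Object Name, SenderIPAddresses, SenderDomains, Enabled
Get-TransportRule -Identity 'Quarantine external spoof of own domain' |
    Select-Object Name, State, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

The ordering matters: step 2 is where most of the "this broke our printers" pain is avoided, because any third-party SaaS service that has been quietly sending mail in your domain's name without a connector will show up there, and step 4 will start bouncing it. Run the inventory over a window long enough to capture monthly jobs, and add a connector (or an authenticated SMTP submission) for each source you keep before enabling rejection.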
