Hackers Abuse Microsoft 365 Direct Send to Deliver Internal Phishing Emails
A new Proofpoint report reveals how attackers are using Microsoft 365’s Direct Send and unsecured SMTP relays to send internal-looking phishing emails.
The latest research from cybersecurity firm Proofpoint reveals a clever phishing campaign that uses a legitimate Microsoft 365 feature to trick people into opening malicious emails. The attack reportedly sends messages that appear to come from inside a company, making them look highly trustworthy to employees.
Proofpoint researchers observed that attackers are taking advantage of a setting in Microsoft 365 called Direct Send. This feature is intended for things like office printers to send faxes and scans directly to an email inbox without a password. However, hackers are misusing it to send fake emails that seem to come from within an organization. This allows them to bypass many of the usual security checks.
How The Attack Works
The malicious campaign uses a sophisticated chain to deliver its payload. As illustrated in the flow chart accompanying the report, a threat actor first connects to a server running Windows Server 2022. From there, they send email through third-party email security appliances that act as SMTP relays (services that forward mail from one server to another). The emails are designed to appear legitimate, and the sending infrastructure even presents valid DigiCert SSL certificates to seem trustworthy.
However, the appliances themselves were left unsecured, with specific communication ports (8008, 8010, and 8015) exposed. These ports were protected only by expired or self-signed certificates, making them vulnerable.
The message is designed to appear as if it had been sent by a coworker, with a spoofed or fake “From” address. These emails often have a business theme, with titles like “task reminders,” “wire authorizations,” and “voicemails” to entice the user to click. Even though some of these messages are flagged by Microsoft’s internal security as a potential spoof, they are still delivered, landing in the user’s junk folder rather than being blocked, so the user remains exposed to the attack.
Protecting Your Organization
Proofpoint’s report highlights that this type of attack is part of a growing trend where cybercriminals abuse trusted cloud services to launch their schemes. As researchers state in the report, “The abuse of Microsoft 365’s Direct Send feature is not just a technical flaw. It’s a strategic risk to an organization’s trust and reputation.”
This makes it crucial for companies to re-evaluate their security settings and configurations. Researchers suggest that organizations audit their email systems and enforce stricter email authentication to block these spoofed messages. Disabling the Direct Send feature is also recommended if an organization does not need it.
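The audit the researchers recommend can start with the headers Exchange Online already stamps on inbound mail. The script below is an added example written for this page, not code from Proofpoint or Microsoft: it flags messages whose “From” domain belongs to the organization but which were not authenticated as originating inside the tenant, the pattern a Direct Send spoof produces. The sample messages, addresses and IP addresses are constructed, and the tenant domain `example.com` is a placeholder.

```python
"""Triage inbound mail headers for Direct Send style internal spoofing.

Added example for this article, not Proofpoint's or Microsoft's code.
Sample messages, addresses and IPs below are constructed test values.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder: the domains this tenant owns. Mail claiming to be
# From one of these but arriving unauthenticated from outside is the pattern
# described in the article.
ORG_DOMAINS = {"example.com"}

AUTH_METHODS = ("spf", "dkim", "dmarc", "compauth")


def parse_auth_results(header):
    """Return {method: verdict} from an Authentication-Results header.

    Exchange Online writes clauses such as
    'spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com; dkim=none ...;
    compauth=fail reason=601'. The IP quoted in the SPF clause is returned
    under 'sender_ip' when present, since it is the external relay to investigate.
    """
    verdicts = {}
    for method in AUTH_METHODS:
        match = re.search(rf"\b{method}=([A-Za-z]+)", header)
        if match:
            verdicts[method] = match.group(1).lower()
    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", header)
    if ip:
        verdicts["sender_ip"] = ip.group(1)
    return verdicts


def triage(raw_message, org_domains=ORG_DOMAINS):
    """Classify one RFC 5322 message as 'suspect' or 'ok' and explain why.

    Decision rule: a message whose From domain is owned by the organization is
    suspect when Exchange did not tag it as authenticated Internal mail, or when
    composite authentication (compauth) failed. SPF/DKIM/DMARC verdicts and the
    sender IP are returned as supporting evidence for the analyst.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower()
    evidence = {k: auth.get(k) for k in ("spf", "dkim", "dmarc", "sender_ip")}

    if from_domain not in org_domains:
        # Ordinary inbound mail from a third party; not the spoof pattern here.
        return {"verdict": "ok", "from_domain": from_domain,
                "reasons": ["external sender domain"], "evidence": evidence}

    reasons = []
    if auth_as != "internal":
        reasons.append(
            f"X-MS-Exchange-Organization-AuthAs={auth_as or 'missing'}, "
            "expected Internal for an internal From domain")
    if auth.get("compauth") == "fail":
        reasons.append("composite authentication failed (compauth=fail)")

    return {"verdict": "suspect" if reasons else "ok",
            "from_domain": from_domain, "reasons": reasons, "evidence": evidence}


# Constructed sample: spoofed internal sender delivered via anonymous SMTP.
SPOOFED = """From: "Alice Payroll" <alice@example.com>
To: bob@example.com
Subject: Wire authorization needed today
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=example.com; compauth=fail reason=601
X-MS-Exchange-Organization-AuthAs: Anonymous

Please review the attached wire authorization.
"""

# Constructed sample: genuine mailbox-to-mailbox mail inside the tenant.
LEGIT_INTERNAL = """From: carol@example.com
To: bob@example.com
Subject: Task reminder
Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com; dmarc=pass action=none header.from=example.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Internal

Reminder about tomorrow's review.
"""

# Constructed sample: normal mail from an outside partner domain.
EXTERNAL = """From: vendor@partner.example
To: bob@example.com
Subject: Invoice
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass action=none header.from=partner.example; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", LEGIT_INTERNAL), ("external", EXTERNAL)):
        result = triage(raw)
        print(f"{name:9} {result['verdict']:8} {result['from_domain']:16} {result['reasons']}")
```

Run over exported message headers, the `suspect` results are the ones to quarantine or alert on instead of letting them land in the junk folder as the article describes. The rule deliberately keys on the tenant's own `AuthAs` and `compauth` stamps rather than on SPF alone, because legitimate internal mail does not always carry an SPF pass. Where an organization has no devices that need Direct Send, Exchange Online's tenant-level Reject Direct Send setting (`Set-OrganizationConfig -RejectDirectSend $true`) removes the path entirely, which is the disabling the researchers recommend.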