Hackers Exploit Microsoft 365’s Direct Send Feature for Internal Phishing Attacks
Threat actors are abusing Microsoft 365’s Direct Send feature to run phishing campaigns whose messages look like internal organizational email, eroding the trust employees place in mail from their own domain and raising the success rate of the social engineering that follows.
Direct Send exists so that devices such as multifunction printers and legacy applications can deliver mail to internal recipients without credentials: the device connects to the tenant’s MX endpoint (the tenant’s mail.protection.outlook.com smart host on port 25) and submits messages unauthenticated. Because nothing in that path proves who is sending, an external attacker who reaches the same endpoint can put an internal sender address on a message without holding any valid account.
Proofpoint researchers have documented an ongoing operation where adversaries inject phishing emails via unsecured third-party email security appliances acting as SMTP relays, often hosted on virtual private servers (VPS).
These messages routinely get past native defenses: Microsoft delivers them, often to the Junk folder, even after marking them as composite authentication failures (SPF, DKIM or DMARC did not check out for the sender the message claims to be from).
Campaign Overview and Tactics
The phishing lures are tailored to business contexts, employing pretexts like task reminders, wire transfer authorizations, and voicemail notifications to prompt user engagement.
By exploiting Direct Send, attackers achieve a veneer of legitimacy, as the emails seem to originate from within the target organization’s domain, thereby undermining internal communication integrity and facilitating payload delivery despite security checks.
In the observed delivery mechanism, attackers establish RDP connections on port 3389 to virtual hosts running Windows Server 2022, from which they initiate SMTP sessions to exposed third-party appliances.
These appliances, presenting valid DigiCert SSL certificates and supporting AUTH PLAIN LOGIN with STARTTLS, relay messages to Microsoft 365 tenants using spoofed internal “From” addresses.
Exposed ports such as 8008, 8010 and 8015 on these relays often present expired or self-signed certificates, a sign of poorly maintained, internet-reachable appliances that will accept and forward mail from arbitrary sources, which is exactly what the attackers use them for.
This tactic aligns with a wider pattern of abusing legitimate cloud services to evade detection, as attackers route through trusted infrastructure to mask malicious intent.
Proofpoint’s analysis shows that even when Microsoft’s composite authentication identifies the spoofing (recorded as compauth=fail in the message’s Authentication-Results header), the message still reaches end users, amplifying the risk to organizational productivity and resilience.
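The header pattern described above can be triaged mechanically. The following PowerShell is an added example, not code from the article or from Proofpoint: it unfolds a message’s headers, reads the claimed From domain and Microsoft’s Authentication-Results verdict (the compauth value and the connecting IP Microsoft records there), and flags the combination that characterises a Direct Send spoof: an internal From domain, a failed composite authentication, and a connecting IP that is not one of the tenant’s approved relay devices. The two header samples, the contoso.com domain and the 203.0.113.10 printer address are constructed placeholders.

```powershell
# Constructed sample (not a real capture): an external host delivers, via the tenant's MX endpoint,
# a message whose From: claims an internal address. Microsoft records the authentication verdicts in
# Authentication-Results, including the connecting IP and the composite verdict (compauth).
$SpoofHeaders = @'
Received: from relay.example.net (198.51.100.25) by
 CONTOSO.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;
 Tue, 1 Jul 2025 09:14:02 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.25)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com;compauth=fail
 reason=001
From: "Finance Team" <finance@contoso.com>
To: alice@contoso.com
Subject: Wire transfer authorization required
'@

# Constructed sample of a legitimate Direct Send source: the office printer, whose IP the tenant knows.
$PrinterHeaders = @'
Received: from printer01.corp.contoso.com (203.0.113.10) by
 CONTOSO.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;
 Tue, 1 Jul 2025 09:20:11 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=contoso.com;compauth=pass
From: scanner@contoso.com
To: alice@contoso.com
Subject: Scanned document
'@

function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string[]]$InternalDomains,   # the tenant's accepted domains (assumption: caller supplies them)
        [string[]]$AllowedRelayIPs    # devices/apps approved to use Direct Send (assumption)
    )
    # Unfold RFC 5322 continuation lines so each header field becomes a single line
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $fromLine = $lines | Where-Object { $_ -match '^From:' } | Select-Object -First 1
    $authLine = $lines | Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1

    # Extract the From address (angle-bracket form or bare address) and its domain
    $fromAddr = if ($fromLine -match '<([^>]+)>') { $Matches[1] }
                elseif ($fromLine -match '^From:\s*(\S+@\S+)') { $Matches[1] }
                else { $null }
    $fromDomain = if ($fromAddr) { ($fromAddr -split '@')[-1].ToLowerInvariant() } else { $null }

    # Microsoft's composite authentication verdict and the IP that connected to the MX endpoint
    $compauth = if ($authLine -match 'compauth=(\w+)') { $Matches[1] } else { 'none' }
    $senderIP = if ($authLine -match 'sender IP is ([0-9a-fA-F.:]+)') { $Matches[1] } else { $null }

    $reasons = @()
    if ($fromDomain -and ($InternalDomains -contains $fromDomain)) {
        $reasons += "From: claims internal domain $fromDomain"
    }
    if ($compauth -eq 'fail') {
        $reasons += 'composite authentication failed (compauth=fail)'
    }
    if ($senderIP -and -not ($AllowedRelayIPs -contains $senderIP)) {
        $reasons += "connecting IP $senderIP is not an approved Direct Send source"
    }

    # Only the combination of all three signals is the Direct Send spoof pattern;
    # any single one of them is common in benign mail.
    [pscustomobject]@{
        FromDomain = $fromDomain
        SenderIP   = $senderIP
        CompAuth   = $compauth
        Suspicious = ($reasons.Count -eq 3)
        Reasons    = ($reasons -join '; ')
    }
}

$internal = @('contoso.com')     # assumption: the tenant's accepted domains
$allowed  = @('203.0.113.10')    # assumption: known printer/application relay IPs

Test-DirectSendSpoof -RawHeaders $SpoofHeaders   -InternalDomains $internal -AllowedRelayIPs $allowed
Test-DirectSendSpoof -RawHeaders $PrinterHeaders -InternalDomains $internal -AllowedRelayIPs $allowed
```

Run against a message exported as .eml or against the header text copied from Outlook’s message properties; the first sample comes back Suspicious, the printer sample does not, because its source IP is on the approved list and its composite verdict is a pass. The approved-IP list is the part that needs maintaining: a relay IP that is not in it will be flagged even when the message is genuine, which is a useful way to discover unauthorised Direct Send sources in the environment.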
Mitigation Strategies
To counter this threat, organizations must reevaluate their email relay configurations and authentication protocols.
A key step is auditing whether Direct Send is in use at all and, if it is not needed, disabling it from Exchange Online PowerShell with Set-OrganizationConfig -RejectDirectSend $true, after which unauthenticated Direct Send submissions are rejected at the tenant’s MX endpoint.
Additionally, enforcing strict SPF hard fail, DKIM signing, and DMARC reject policies can prevent spoofed deliveries, though implementation requires careful tuning to avoid disrupting legitimate traffic.
Mail flow (transport) rules should flag or quarantine messages that claim an internal sender but arrive unauthenticated from IP addresses outside the approved relay list, and analysts should inspect the Authentication-Results header for spoofing indicators; third-party email security can complement Microsoft’s built-in protections against this kind of evasion.
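The mitigation steps above, carried through as one Exchange Online PowerShell session. This is an added example, not a script from the article or from Microsoft: it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Exchange Administrator role, and it uses contoso.com, admin@contoso.com and the relay address 203.0.113.10 as placeholders for the tenant’s own domain, admin account and approved device.

```powershell
# Added example: audit and harden Direct Send in Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an account with the Exchange Administrator role;
# contoso.com, admin@contoso.com and 203.0.113.10 are placeholders for the tenant's own values.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Audit: is the tenant already rejecting Direct Send?
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# 2. If no printer or application depends on it, reject unauthenticated Direct Send tenant-wide.
#    Inventory the devices first: anything that relays through the MX endpoint without credentials
#    stops working once this is set.
Set-OrganizationConfig -RejectDirectSend $true

# 3. A device that still needs to relay is better served by an inbound connector scoped to its own
#    IP address (one of Microsoft's documented alternatives to Direct Send), so that only that address
#    may submit mail for the domain without authenticating.
New-InboundConnector -Name 'Printer relay' -ConnectorType OnPremises `
    -SenderDomains '*' -SenderIPAddresses '203.0.113.10' -RestrictDomainsToIPAddresses $true

# 4. Defence in depth: quarantine messages that claim an internal sender but are classified as coming
#    from outside the organization (unauthenticated submissions are treated as external), exempting
#    the approved relay. Start in audit mode, review the rule hits for legitimate traffic, then
#    re-run with -Mode Enforce. To narrow the rule to what Microsoft itself already flagged, add
#    -HeaderContainsMessageHeader 'Authentication-Results' -HeaderContainsWords 'compauth=fail'.
New-TransportRule -Name 'Quarantine external mail spoofing our domain' `
    -FromScope NotInOrganization -SenderDomainIs 'contoso.com' `
    -ExceptIfSenderIpRanges '203.0.113.10' `
    -Quarantine $true -Mode Audit
```

Step 4 is the one to tune carefully, as the text notes: legitimate third-party services that send on the organization’s behalf (ticketing, marketing, payroll) will match it until they are added to the exception list or brought under SPF and DKIM, which is why the rule starts in audit mode rather than enforcing immediately.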
This campaign underscores a strategic vulnerability in cloud ecosystems, where legitimate features like Direct Send become vectors for high-credibility attacks, potentially leading to data breaches or financial fraud.
As Microsoft 365 adoption grows, CISOs should prioritize secure relay practices, treating unauthenticated sends as inherent risks and integrating robust defenses to safeguard internal trust.
Indicators of Compromise (IOCs)
| Type | Value | Notes |
|---|---|---|
| Self-signed SSL certificate | CN=WIN-BUNS25TD77J | Subject CN used by the attacker-controlled Windows Server 2022 hosts |
| IP address | 163.5.112.86 | Attacker-controlled Windows Server 2022 host used to initiate SMTP connections |
| IP address | 163.5.160.28 | Attacker-controlled Windows Server 2022 host used to initiate SMTP connections |
| IP address | 163.5.160.119 | Attacker-controlled Windows Server 2022 host used to initiate SMTP connections |
| IP address | 163.5.160.143 | Attacker-controlled Windows Server 2022 host used to initiate SMTP connections |
| IP address | 163.5.169.53 | Attacker-controlled Windows Server 2022 host used to initiate SMTP connections |