Microsoft 365 Direct Send Weaponized to Bypass Email Security Defenses

Cybersecurity researchers have uncovered a sophisticated spear phishing campaign that weaponizes Microsoft 365’s Direct Send feature to bypass traditional email security defenses and conduct hyper-personalized credential theft attacks.

The campaign demonstrates an alarming evolution in attack sophistication, combining technical exploitation of legitimate Microsoft services with advanced social engineering techniques designed to disarm even experienced security professionals.

The attack leverages Microsoft 365’s Direct Send functionality to circumvent standard email authentication mechanisms, including SPF, DKIM, and DMARC checks.

By routing malicious emails through the victim organization's own smart host infrastructure, attackers make their messages appear to be trusted internal traffic even though those messages fail basic authentication checks.

This exploitation allows threat actors to deliver malicious payloads that would typically be blocked by conventional email security solutions.
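The authentication anomaly described above can be expressed as a simple triage rule for a mail gateway or SIEM. The block below is an added example written for this page, not StrongestLayer's TRACE AI logic and not Microsoft code: it parses the Authentication-Results header of a raw message and flags any message whose From domain belongs to the protected tenant yet passes none of SPF, DKIM or DMARC, which is the signature Direct Send abuse leaves behind. The tenant domain list and the three sample messages are constructed for illustration.

```python
"""Triage check for the Direct Send abuse pattern (added example).

Direct Send delivers mail to a tenant's MX / smart host without any
credentials, so an attacker can put the organization's own domain in
the From header while SPF, DKIM and DMARC all fail or are absent.
Genuine internal mail relayed by Exchange Online passes at least one.
"""
import re
from email import message_from_string
from email.message import Message

# Assumption: the domains owned by the protected tenant.
INTERNAL_DOMAINS = {"example.com"}

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.I)


def parse_auth_results(msg: Message) -> dict:
    """Collapse all Authentication-Results headers into {method: result}.

    Microsoft 365 writes e.g. 'spf=fail (...) smtp.mailfrom=x; dkim=none
    (...); dmarc=fail action=oreject ...; compauth=fail reason=001'.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT.findall(hdr):
            results[method.lower()] = result.lower()
    return results


def sender_domain(msg: Message) -> str:
    """Return the domain of the visible From header, lower-cased."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def triage(raw: str) -> dict:
    """Classify one raw RFC 5322 message.

    direct_send_suspect is True only when the From domain is ours AND
    none of SPF/DKIM/DMARC passed. External spoofs that fail DMARC are
    left to the normal DMARC policy and are not flagged here.
    """
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    auth = parse_auth_results(msg)
    internal = domain in INTERNAL_DOMAINS
    any_pass = any(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    return {
        "from_domain": domain,
        "internal_from": internal,
        "auth": auth,
        "direct_send_suspect": internal and not any_pass,
    }


# Constructed samples (not captured traffic). IPs are documentation ranges.
SUSPECT = (
    'From: "Voicemail Service" <voicemail@example.com>\n'
    "To: user@example.com\n"
    "Subject: New voice message\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.10) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=oreject header.from=example.com;compauth=fail reason=001\n"
    "\nYou have a new voice message.\n"
)

LEGIT = (
    "From: Alice <alice@example.com>\n"
    "To: user@example.com\n"
    "Subject: Quarterly figures\n"
    "Authentication-Results: spf=pass (sender IP is 198.51.100.5) "
    "smtp.mailfrom=example.com; dkim=pass (signature was verified) "
    "header.d=example.com;dmarc=pass action=none header.from=example.com;"
    "compauth=pass reason=100\n"
    "\nSee attached.\n"
)

EXTERNAL = (
    "From: Bob <bob@partner.example>\n"
    "To: user@example.com\n"
    "Subject: Invoice\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.20) "
    "smtp.mailfrom=partner.example; dkim=none header.d=none;"
    "dmarc=fail action=oreject header.from=partner.example\n"
    "\nPlease pay.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT), ("external", EXTERNAL)):
        print(label, triage(raw))
```

In production this rule belongs alongside the Received chain (a first hop into the tenant's `mail.protection.outlook.com` endpoint from an unknown host is the other tell) rather than on its own. Exchange Online also has a tenant-level setting to reject Direct Send (`Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell), which the article does not mention; inventory the devices and applications that legitimately use Direct Send (printers, scanners, line-of-business apps) before enabling it.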

What makes this campaign particularly dangerous is its dual-vector approach and extreme personalization capabilities.

StrongestLayer analysts identified the attack after their TRACE AI system detected suspicious authentication anomalies and behavioral patterns inconsistent with legitimate communications.

The researchers discovered that attackers were using image-based lures to evade text-based security filters, while simultaneously deploying two distinct payload types designed for maximum impact and stealth.

The campaign employs a sophisticated multi-stage infection mechanism that begins with seemingly innocuous voicemail notifications from trusted services like RingCentral.

These emails contain no analyzable text for traditional scanners, instead using high-fidelity inline images that perfectly mimic legitimate service notifications.

Malicious message (Source – StrongestLayer)

The social engineering component creates urgency by prompting users to open attachments to hear supposedly important voice messages.

Technical Implementation and Payload Analysis

The attack’s technical sophistication becomes apparent through its dual-payload delivery system. The primary vector utilizes malicious HTML files disguised as audio players, implementing a three-stage obfuscation technique.

Attack flow (Source – StrongestLayer)

The payload structure employs an invalid image tag that triggers an onerror event, which then Base64-decodes and executes hidden JavaScript:

(Payload code shown as an image in the original)

The secondary vector employs malicious SVG files that exploit the fact that many security filters treat SVG files as safe images rather than potentially executable content.

These files contain embedded JavaScript with additional custom encoding layers designed to defeat automated analysis systems. The most concerning aspect of this campaign is its dynamic personalization capability.

Rather than rendering a generic login page, the malicious JavaScript dynamically fetches the corporate logo and branding of each victim's organization, producing a credential-harvesting page that looks entirely legitimate and disarms user suspicion through familiar visual elements.
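Both payload types described above (the HTML "audio player" whose broken `<img>` tag fires an `onerror` handler that Base64-decodes a script, and the SVG carrying embedded JavaScript) leave static artefacts an attachment scanner can look for before any browser engine runs them. The following is an added example for this page, not StrongestLayer's detection logic: it scores HTML/SVG attachments on those indicators and attempts to Base64-decode long tokens so an analyst sees the hidden stage in clear text. The sample attachments are constructed, and their decoded stage is a harmless `console.log` standing in for the real campaign's page-building code.

```python
"""Static indicators for HTML/SVG attachment payloads (added example).

Flags the constructs the campaign relies on: an <img> with an onerror
handler, inline <script> inside an SVG, atob() Base64 decoding and
dynamic evaluation. Long Base64 tokens are decoded for analyst review.
"""
import base64
import re

# Constructed stand-in for the hidden stage. The campaign's real decoded
# JavaScript built a branded credential-harvesting page; this only logs.
INNER_STAGE = "console.log('decoded stage');"
INNER_B64 = base64.b64encode(INNER_STAGE.encode()).decode()

# Constructed sample: HTML "audio player" with the broken-image trigger.
SAMPLE_HTML = f"""<html><body>
<p>Your voice message is ready.</p>
<audio controls></audio>
<img src="x" onerror="eval(atob('{INNER_B64}'))">
</body></html>"""

# Constructed sample: SVG that many filters treat as a plain image.
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script>var s='{INNER_B64}';eval(atob(s));</script>
</svg>"""

# Constructed benign SVG for comparison.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             '<circle cx="5" cy="5" r="4"/></svg>')

SUSPICIOUS = {
    "onerror_handler": re.compile(r"<img\b[^>]*\bonerror\s*=", re.I),
    "inline_script": re.compile(r"<script\b", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|Function|document\.write)\s*\(", re.I),
}
# Base64 alphabet run long enough to be a payload rather than a word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidates(content: str) -> list:
    """Return the Base64 tokens in content that decode to printable text."""
    decoded = []
    for token in B64_TOKEN.findall(content):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_attachment(name: str, content: str) -> dict:
    """Score one attachment; two or more indicators together mean block.

    A lone indicator (e.g. an SVG with a script but no decoding) is sent
    for review rather than blocked, to limit false positives on
    interactive but legitimate SVGs.
    """
    indicators = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(content))
    if len(indicators) >= 2:
        verdict = "block"
    elif indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "name": name,
        "indicators": indicators,
        "decoded": decode_candidates(content),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, body in (("voicemail.html", SAMPLE_HTML),
                       ("voicemail.svg", SAMPLE_SVG),
                       ("logo.svg", CLEAN_SVG)):
        print(scan_attachment(name, body))
```

Pattern matching of this kind is cheap to evade with further encoding layers (the article notes the SVG variant already adds a custom one), so treat it as a first-pass filter that routes HTML and SVG attachments to sandbox detonation, and consider whether HTML and SVG attachments need to be deliverable to users at all.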
