Microsoft 365’s Direct Send Feature Under Attack: How Cybercriminals Are Bypassing Email Security

Microsoft 365’s Direct Send Feature Under Attack: How Cybercriminals Are Bypassing Email Security

A sophisticated phishing campaign is exploiting a critical vulnerability in Microsoft 365’s Direct Send feature, affecting over 70 organizations worldwide. This novel attack method allows threat actors to impersonate internal users and deliver malicious emails without compromising any accounts, effectively bypassing traditional email security measures.

What is the Microsoft 365 Direct Send Vulnerability?

The Direct Send feature in Microsoft 365’s Exchange Online was designed to allow internal devices like printers and applications to send emails within an organization without requiring authentication. However, this legitimate functionality has become a dangerous security loophole.

How the Attack Works

The vulnerability stems from a critical flaw: complete absence of authentication requirements. Attackers only need two pieces of publicly available information:

• The target organization’s domain name
• Valid recipient email addresses

These details are often easily obtained through social media, company websites, or previous data breaches.

The Attack Campaign: Scale and Timeline

Since May 2025, cybersecurity researchers have tracked a consistent phishing campaign that:

• Targets: Over 70 organizations, primarily US-based companies
• Duration: Active for over two months with sustained activity
• Scope: Multiple industries and geographic locations
• Method: Exploitation of Microsoft 365’s Direct Send smart host functionality

Technical Details: Understanding the Exploit

The Smart Host Vulnerability

Direct Send uses a predictable smart host format: tenantname.mail.protection.outlook.com. The security flaw allows attackers to:

1. Send emails without any login credentials
2. Spoof the “From” address to impersonate any internal user
3. Route messages through Microsoft’s infrastructure
4. Bypass both Microsoft’s filtering and third-party security solutions

Attack Execution Method

Investigators discovered that threat actors use PowerShell commands to execute their attacks:

Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com 
-To joe@company.com -From joe@company.com 
-Subject "New Missed Fax-msg" 
-Body "You have received a call! Click on the link to listen to it. Listen Now" 
-BodyAsHtml

Common Attack Patterns and Indicators

Phishing Email Characteristics

Subject Lines Commonly Used:

• “Caller Left VM Message * Duration-XXXX for XXXX”
• “Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX”
• “New Missed Fax-msg”
• “You have received a new (2 pages) Fax-Msg“
• “Fax Received: Attached document for review REF”

Attachment Patterns:

• File names containing ‘Fax-msg’, ‘Caller left VM Message’, or ‘Listen’
• Malicious links disguised as voice message or fax notifications

Key Detection Indicators

Security teams should monitor for:

• Emails sent from users to themselves
• PowerShell or command-line user agents in message headers
• Unusual IP addresses from VPNs or foreign locations
• Authentication failures in SPF, DKIM, or DMARC for internal domains
• Mismatched tenant IDs in message headers

Indicators of Compromise (IoCs)

IP Addresses

• 139.28.36.230
• Multiple IP addresses within the 139.28.X.X range

Malicious Domains

• hxxps://voice-e091b.firebaseapp[.]com
• hxxps://mv4lh.bsfff[.]es

Geographic Anomalies

• Attacks originating from Ukrainian IP addresses targeting US organizations
• Email activity without corresponding login events

Why This Attack is So Effective

Bypassing Security Controls

The Direct Send exploit is particularly dangerous because:

1. Internal Routing: Emails appear to originate within the organization
2. Trusted Infrastructure: Messages route through Microsoft’s servers
3. Reduced Scrutiny: Internal emails receive less security screening
4. Authentication Bypass: No credentials required for execution
5. Reputation Evasion: Leverages Microsoft’s trusted sender reputation

Low Barrier to Entry

The attack’s simplicity makes it accessible to threat actors with minimal technical skills:

• No account compromise required
• Publicly available information sufficient
• Simple PowerShell commands for execution
• Scalable across multiple organizations

Protection and Mitigation Strategies

Immediate Actions

1. Monitor Email Headers: Look for external IPs in internal email routing
2. Implement Anomaly Detection: Flag emails sent from users to themselves
3. Geographic Monitoring: Alert on emails from unexpected locations
4. Authentication Verification: Check SPF, DKIM, and DMARC results for internal domains

Long-term Security Measures

1. Enhanced Email Filtering: Deploy additional layers beyond Microsoft’s native protection
2. User Education: Train employees to recognize sophisticated phishing attempts
3. Network Segmentation: Limit Direct Send usage to necessary devices only
4. Regular Security Audits: Assess email security configurations periodically

Industry Impact and Response

This vulnerability highlights a critical blind spot in Microsoft 365’s security architecture. Organizations worldwide are reassessing their email security strategies to account for internal routing vulnerabilities that traditional perimeter security cannot address.

Frequently Asked Questions (FAQ)

Q: What is Microsoft 365 Direct Send?

A: Direct Send is a feature in Exchange Online that allows internal devices like printers and applications to send emails within a Microsoft 365 tenant without requiring authentication.

Q: How can attackers exploit Direct Send without compromising accounts?

A: Attackers only need the target organization’s domain name and valid email addresses to send spoofed emails through the predictable smart host format, bypassing authentication entirely.

Q: Which organizations are most at risk?

A: Any organization using Microsoft 365 with Direct Send enabled is potentially vulnerable, though the current campaign primarily targets US-based companies across multiple industries.

Q: How can I detect if my organization is being targeted?

A: Look for emails sent from users to themselves, unusual IP addresses in email headers, PowerShell user agents, and authentication failures for internal domains.

Q: Can traditional email security solutions prevent these attacks?

A: Many traditional solutions may miss these attacks because the emails appear to originate internally and route through Microsoft’s trusted infrastructure.

Q: What should I do if I suspect a Direct Send attack?

A: Immediately analyze email headers for external IPs, check for geographic anomalies, verify authentication results, and implement enhanced monitoring for internal email routing.

Q: Is Microsoft aware of this vulnerability?

A: While this is a known feature behavior, the security implications highlight the need for organizations to implement additional monitoring and controls beyond Microsoft’s native protections.

Q: Can this attack method be used for other malicious purposes beyond phishing?

A: Yes, the same technique could potentially be used for spam distribution, business email compromise attempts, or any scenario where impersonating internal users provides advantage.

How Technijian Can Help

At Technijian, we understand the evolving cybersecurity landscape and the critical importance of protecting your organization from sophisticated attacks like the Microsoft 365 Direct Send exploit. Our comprehensive cybersecurity services can help safeguard your business:

Our Cybersecurity Solutions

Email Security Assessment

• Complete audit of your Microsoft 365 configuration
• Direct Send vulnerability assessment
• Custom security recommendations

Advanced Threat Detection

• 24/7 monitoring for anomalous email patterns
• Real-time alerts for suspicious internal routing
• AI-powered phishing detection

Email Security Enhancement

• Multi-layered email filtering solutions
• Custom authentication protocols
• Automated response systems

Security Awareness Training

• Employee phishing simulation programs
• Cybersecurity best practices education
• Regular security updates and briefings

Incident Response Services

• Rapid threat containment
• Forensic analysis and investigation
• Recovery and remediation support

Compliance and Governance

• Security policy development
• Regulatory compliance assistance
• Risk assessment and management

Why Choose Technijian?

• Expert Team: Certified cybersecurity professionals with extensive Microsoft 365 experience
• Proactive Approach: Stay ahead of emerging threats with cutting-edge detection tools
• 24/7 Support: Round-the-clock monitoring and rapid incident response
• Customized Solutions: Tailored security strategies for your specific business needs
• Proven Track Record: Successfully protecting organizations across multiple industries

Get Started Today

Don’t let your organization become the next victim of sophisticated phishing campaigns. Contact Technijian today for a comprehensive security assessment and learn how we can strengthen your defenses against emerging threats like the Microsoft 365 Direct Send exploit.

Contact Us:

• 📞 Phone: (949)-379-8500
• 📧 Email: sales@technijian.com
• 📍 Orange County Office: 18 Technology Dr, #141 Irvine, CA 92618

Protect your business with Technijian’s expert cybersecurity solutions. Because in today’s digital landscape, security isn’t optional—it’s essential.