A new phishing campaign is exploiting a little-known feature of Microsoft 365 called “Direct Send” to circumvent email security and steal login credentials.
So what is "Direct Send"? Basically, it is a feature that allows devices such as printers, scanners, or even some applications to send emails using the company's domain, as if they were legitimate messages. This is done through the customer's Microsoft 365 smart host (the tenant's mail.protection.outlook.com endpoint) and was designed to make sending internal messages simple, without too many complications.
The problem is that this feature does not require authentication. That means that someone from outside, if they know how to take advantage of it, can send emails that look completely real, as if they came from a colleague or the IT team. So, while useful, it is also an open door for attackers if not configured very carefully.
In fact, Microsoft acknowledges that this is a risky feature and recommends that it only be used by customers with advanced knowledge, especially those with experience managing mail servers.
“We recommend direct sending only for advanced customers willing to take on the responsibilities of email server administrators,” Microsoft explains.
In other words, if you are going to use this feature, you need to know what you are doing: how to configure it correctly and follow best practices so that it does not become a security hole. If it is misconfigured, not only could you be left without email, but you could also expose your company to attacks.
Microsoft has already shared ways to disable this feature (we explain how later in the article) and is also working on a solution that will allow you to stop relying on this method entirely.
How does Microsoft 365 Direct Send abuse work?
It is estimated that more than 70 companies have been targeted so far, with the vast majority (around 95%) located in the United States.
Although the victims belong to different industries, the campaign seems to be particularly focused on the financial services, construction, engineering, manufacturing, healthcare, and insurance sectors. In fact, the financial sector is the most affected so far, followed by the industrial and healthcare sectors.
What is worrying about this attack is that it is based on a very subtle technique: attackers use PowerShell to send emails that appear to be internal, using the mail server (known as a smart host) of a legitimate company. The result is an email that, at first glance, appears to come from someone within the organization... but in reality has been sent from an external IP address.
This type of attack exploits the weaknesses of direct sending, a feature that (as we have already seen) does not require authentication and can be used to make external emails appear completely trustworthy to the recipient.
Here is an example of how PowerShell can be used to send emails through this feature:
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" -Body "You have received a call! Click on the link to listen to it. Listen Now" -BodyAsHtml
This type of attack works because direct sending, when used with the Microsoft 365 smart host, does not require authentication. In other words, the system automatically trusts the sender, treating them as if they were part of the organization. This allows attackers to bypass security measures such as SPF, DKIM, DMARC, and other filters that normally help identify fake emails.
To deceive victims, the emails masquerade as voice or fax notifications, something that many people often receive in office environments. The subjects often say things like: “Voice message left by caller” or something similar. And the attachments come with names that sound credible, such as ‘Fax-msg’, ‘VM message’, ‘Play_VM-Now’ or simply ‘Listen’.
The goal, of course, is to make it look like something normal and everyday so that people open it without thinking twice.
Example of a phishing email from the campaign (Source: Varonis)
The curious thing about this campaign is that, unlike other phishing attacks, the PDF files do not contain direct links to fake pages.
Instead, the documents instruct the recipient to scan a QR code with their cell phone in order to “listen” to the supposed voice message. To make it more convincing, the PDFs feature the company logo, which gives them a touch of legitimacy that causes many to let their guard down without suspecting anything unusual.
PDF document with QR codes (Source: BleepingComputer)
When someone scans the QR code and opens the link, it takes them to a fake page that mimics the Microsoft login. Everything looks normal, but it is actually a phishing site designed to steal the employee's credentials.
In one of the cases observed, a company detected suspicious activity and discovered that the attackers were using PowerShell to send emails through the smart host, this time from an IP located in Ukraine (139.28.36[.]230) and other similar ones in the same range.
What is interesting (and worrying) is that these emails did not pass the SPF and DMARC filters, which normally help detect whether an email is legitimate. However, as they were sent through the Microsoft 365 smart host, the system treated them as trusted internal messages, so they managed to get through.
In another case, an email appeared to come from an internal company address. It was also sent through the smart host, and despite failing all validations (SPF, DKIM, and DMARC), it still reached the recipient's inbox. That particular message originated from IP 51.89.86[.]105.
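The two cases above share the same signature: a From: address in the organization's own domain, a first-hop IP that is not one of the organization's devices, and Authentication-Results showing SPF and DMARC failures on a message that was nevertheless delivered because it entered through the smart host. The following PowerShell is an added example written for this article, not code from the article, from Varonis or from Microsoft. It parses raw message headers and flags that combination. It assumes contoso.com is the accepted domain and 203.0.113.0/24 is the only range from which devices legitimately relay (both placeholders), and it assumes the first hop is the bottom-most Received: line with an IPv4 literal, which is how Exchange Online Protection records anonymous inbound connections. The header sample is constructed, with a documentation IP in place of the campaign's addresses.

```powershell
# Added example (not from the article): flag a message whose headers match the
# Direct Send spoofing pattern. IPv4 only; placeholders are marked as such.

function Test-IPInCidr {
    # Compare the leading $bits bits of two IPv4 addresses (string compare, no
    # bit-shift surprises between PowerShell editions).
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    $toBits = {
        param($Addr)
        ([System.Net.IPAddress]::Parse($Addr).GetAddressBytes() |
            ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    }
    return ((& $toBits $IP).Substring(0, $bits) -eq (& $toBits $net).Substring(0, $bits))
}

function Get-FirstHopIP {
    # The bottom-most Received: line is the one EOP wrote when the message
    # arrived; the first IPv4 literal in it is the connecting client.
    param([string[]]$HeaderLines)
    $received = @($HeaderLines | Where-Object { $_ -match '^Received:' })
    if ($received.Count -eq 0) { return $null }
    if ($received[-1] -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') { return $Matches[1] }
    return $null
}

function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string]$InternalDomain = 'contoso.com',            # placeholder accepted domain
        [string[]]$TrustedSenderRanges = @('203.0.113.0/24') # placeholder relay range
    )
    # Unfold RFC 5322 continuation lines so each header is a single line.
    $lines = ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n"

    $from       = $lines | Where-Object { $_ -match '^From:' } | Select-Object -First 1
    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { '' }

    $auth  = $lines | Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    $spf   = if ($auth -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dkim  = if ($auth -match 'dkim=(\w+)')  { $Matches[1] } else { 'none' }
    $dmarc = if ($auth -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }

    $ip          = Get-FirstHopIP $lines
    $fromTrusted = [bool]($ip -and ($TrustedSenderRanges | Where-Object { Test-IPInCidr $ip $_ }))

    $reasons = @()
    if ($fromDomain -eq $InternalDomain.ToLower() -and $ip -and -not $fromTrusted) {
        $reasons += "internal From: domain but first hop $ip is outside trusted ranges"
    }
    if ($dmarc -eq 'fail')              { $reasons += 'dmarc=fail' }
    if ($spf -in 'fail', 'softfail')    { $reasons += "spf=$spf" }

    [pscustomobject]@{
        FromDomain = $fromDomain; FirstHopIP = $ip
        SPF = $spf; DKIM = $dkim; DMARC = $dmarc
        Suspicious = ($reasons.Count -gt 0); Reasons = $reasons
    }
}

# Constructed sample headers (not a real capture). 198.51.100.7 is a
# documentation address standing in for an external sender; the layout of the
# Authentication-Results line follows what Exchange Online Protection emits.
$sampleHeaders = @"
Received: from 198.51.100.7 (198.51.100.7) by XX-mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server; Mon, 23 Jun 2025 09:00:00 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=contoso.com;
 compauth=fail reason=000
From: joe@contoso.com
To: joe@contoso.com
Subject: New Missed Fax-msg
"@

Test-DirectSendSpoof -RawHeaders $sampleHeaders | Format-List
```

On the constructed sample the function returns Suspicious = True with three reasons (external first hop for an internal From: domain, dmarc=fail, spf=fail). Fed the headers of a message that actually came from the relay range, the first reason disappears; the SPF and DMARC checks are kept separate on purpose, because a legitimate device relaying from an unlisted IP produces the same authentication failures and should be fixed by adding it to SPF, not by ignoring the alert.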
In addition, other indicators of compromise (IoCs) were identified, such as the malicious domains used in this campaign, which could help other companies detect and stop these attacks before they cause damage.
How can you protect yourself from Direct Send phishing attacks?
To reduce the risk of this type of attack, we recommend enabling a new option called “Reject Direct Send” in the Exchange Admin Center. This setting was released by Microsoft in April 2025, specifically to help block emails sent using this method when they are not needed.
Previously, Microsoft suggested using SPF in soft-fail mode (i.e., not completely blocking emails that fail validation) to prevent legitimate emails from being caught by routing errors. The problem is that this also opened the door for attackers to use Direct Send without being easily blocked.
That's why they've now created this new option: “We know that SPF helps protect against spoofing, but we also understand that a strict SPF failure can block valid emails. Since many customers don't need to use Direct Send, we developed this option to allow them to block it completely,” Microsoft explained when launching the feature in public preview.
In addition to enabling this new setting, the following is also recommended:
- Apply a stricter DMARC policy, with the value p=reject, so that emails that do not pass verification are blocked directly.
- Flag or quarantine internal emails that are not authenticated to prevent fake messages from slipping through.
- Enforce a “hardfail” in SPF within Exchange Online Protection, which prevents the delivery of emails that do not pass validation.
- Enable anti-spoofing policies, which help identify impersonation attempts within the organization.
- Train staff, especially on new tricks such as QR codes that lead to fake pages. Teaching them to think twice before scanning something unknown is more useful than it seems.
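The Reject Direct Send setting and the technical items in the list above can all be applied from Exchange Online PowerShell. The script below is an added example written for this article; it is not Microsoft's guidance text or code from the article. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and two placeholders: contoso.com for your accepted domain and 203.0.113.0/24 for the range from which printers and applications legitimately relay. The cmdlets and parameters (Set-OrganizationConfig -RejectDirectSend, Set-HostedContentFilterPolicy -MarkAsSpamSpfRecordHardFail, Set-AntiPhishPolicy, New-TransportRule) are real Exchange Online cmdlets; the rule name and comment are ours. The DMARC check uses Resolve-DnsName from the Windows DnsClient module, so that part runs on Windows.

```powershell
# Added example (not from the article or from Microsoft): apply the article's
# hardening steps to an Exchange Online tenant. Placeholders are marked.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive admin sign-in

$Domain      = 'contoso.com'         # placeholder: your accepted domain
$RelayRanges = @('203.0.113.0/24')   # placeholder: devices/apps that legitimately relay

# 1. Reject Direct Send tenant-wide (the setting Microsoft introduced in April 2025).
#    Only flip it once every device that relayed through the smart host has been
#    moved to SMTP AUTH submission or an inbound connector, or their mail stops.
$cfg = Get-OrganizationConfig
if (-not $cfg.RejectDirectSend) {
    Set-OrganizationConfig -RejectDirectSend $true
}
(Get-OrganizationConfig).RejectDirectSend   # expected: True

# 2. SPF hard fail in the default anti-spam policy: messages whose sending IP is
#    not in the domain's SPF record are marked as spam instead of delivered.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

# 3. Anti-spoofing: spoof intelligence on, quarantine messages it catches, and
#    show the unauthenticated-sender (?) and "via" tags in Outlook.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true

# 4. Quarantine unauthenticated mail that claims our own domain. Direct Send
#    traffic arrives over an unauthenticated connection, so FromScope evaluates
#    to NotInOrganization even though the From: address is ours; the exception
#    keeps known relay devices flowing until step 1 retires them.
$rule = @{
    Name                  = 'Quarantine unauthenticated mail claiming our domain'
    FromScope             = 'NotInOrganization'
    SenderDomainIs        = $Domain
    ExceptIfSenderIpRanges = $RelayRanges
    Quarantine            = $true
    Comments              = 'Direct Send abuse: external, unauthenticated message using our own domain'
}
New-TransportRule @rule

# 5. Verify the public DMARC record actually enforces p=reject.
function Test-DmarcRejectPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Strings -join '' } |
           Where-Object { $_ -like 'v=DMARC1*' } |
           Select-Object -First 1
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Record = $null; Policy = 'none (no record)'; Enforcing = $false }
    }
    # (?:^|;) stops 'sp=' (subdomain policy) from being read as 'p='.
    $policy = if ($txt -match '(?:^|;)\s*p=(\w+)') { $Matches[1].ToLower() } else { 'none' }
    [pscustomobject]@{ Domain = $Domain; Record = $txt; Policy = $policy; Enforcing = ($policy -eq 'reject') }
}
Test-DmarcRejectPolicy -Domain $Domain

Disconnect-ExchangeOnline -Confirm:$false
```

Order matters: inventory the devices and applications that currently relay through the smart host (the transport rule's quarantine, and step 2's spam verdicts, will surface them) and move them to authenticated submission before enabling RejectDirectSend, otherwise the same switch that blocks the attacker also blocks the scanner in the copy room. The DMARC function returns Enforcing = False for p=none or p=quarantine, which is the state the article asks you to move away from.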