In the ever-evolving landscape of cybersecurity, even the most robust defenses can be undermined by threats that exploit legitimate features in unexpected ways. Today, we’re exposing a critical vulnerability that’s been actively exploited since May 2025, one that demonstrates why staying informed about emerging threats is just as important as having the right security tools and team in place.
The Microsoft 365 Direct Send Exploitation: A Wake-Up Call
Security researchers have uncovered a sophisticated phishing campaign that leverages Microsoft 365’s Direct Send feature to bypass traditional email security filters. This isn’t a software bug or an unpatched vulnerability; it’s the malicious abuse of a legitimate Microsoft 365 feature that’s enabled by default in every tenant.
What makes this particularly alarming? The campaign has already targeted more than 70 organizations across all industries, with 95% of the victims based in the United States, according to research from Varonis.
How the Attack Actually Works
Direct Send was designed with good intentions. It’s a feature in Microsoft 365 that allows devices and apps to relay messages to Microsoft tenants without authentication if the recipients are inside the organization. Think printers sending scan notifications or applications sending alerts, all legitimate business functions.
But here’s where it gets dangerous: Direct Send is a known security risk because it requires no authentication at all, which lets remote users send internal-looking emails from the company’s own domain.
The Attack Process Revealed
Attackers have weaponized this feature through a surprisingly simple process:
- No Authentication Required: The attacker needs no credentials or tokens, only knowledge of the target domain and valid recipient addresses
- Spoofing Internal Communications: Using publicly available information, attackers can send emails that appear to come from CEO@yourcompany.com to any employee, complete with convincing phishing content
- Bypassing Security Controls: This tactic allows attackers to send malicious payloads to Microsoft 365 users with increased credibility, often resulting in successful delivery despite failed authentication checks
The Current Threat Landscape: Real Numbers, Real Impact
The statistics from security researchers paint a concerning picture:
Campaign Scale and Timeline: Varonis says the campaign started in May 2025, with consistent activity over the past two months.
Attack Methods: In one case seen by Varonis, the threat actors used PowerShell to send emails through the smart host from a Ukrainian IP address, with emails crafted to resemble voicemail notifications complete with PDF attachments containing QR codes.
Why Even Premium Security Solutions Are Falling Short
Here’s the sobering reality: this technique effectively circumvents perimeter security solutions by routing malicious emails through Microsoft 365’s trusted infrastructure. Organizations with millions invested in security infrastructure have fallen victim because:
The Blind Spot: Mail sent this way never passes through the external security filters that scan inbound mail from outside the organization, which leaves a critical gap in email security defenses.
Multiple Vendors Affected: Security researchers from Proofpoint, Mimecast, and Arctic Wolf have all documented campaigns exploiting this vulnerability.
The Solution: Microsoft’s Response and Your Action Plan
Fortunately, there is a solution. Microsoft introduced the “Reject Direct Send” feature in April 2025. Here’s what you need to know:
Immediate Steps for Direct Send Protection
- Enable the RejectDirectSend Feature
The PowerShell command to implement this protection is straightforward:
Connect-ExchangeOnline
Set-OrganizationConfig -RejectDirectSend $true
Important Details:
- Editing the setting requires an administrator with the role “Organization Configuration” assigned
- The change should propagate across Microsoft’s entire service within 30 minutes
- Verify the Configuration
Use this command to check your current status:
Get-OrganizationConfig | Select-Object Identity, RejectDirectSend
- Monitor for Blocked Messages
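The three steps above as one PowerShell session, added here as an example (it is not code from the original post or from Microsoft): it records the current setting, inventories inbound connectors, enables the block, verifies it, and then searches message trace for rejected Direct Send messages. It assumes the ExchangeOnlineManagement module, an account holding the Organization Configuration role, and that rejected Direct Send messages show up in message trace as Failed events carrying Microsoft’s 5.7.68 rejection text; if your tenant rejects them at the SMTP layer instead, the sending device’s own logs are where that error appears.

```powershell
# Added example, not from the original post or Microsoft. Requires the
# ExchangeOnlineManagement module and the Organization Configuration role.
Connect-ExchangeOnline

# 1. Record the current state so the change can be reverted if legitimate relay breaks.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before change: $before"

# 2. Inventory existing inbound connectors. Devices that must keep relaying after the
#    change need to be covered by a partner connector that lists their source IPs.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, SenderIPAddresses, SenderDomains |
    Format-Table -AutoSize

# 3. Enable the protection and verify that the setting was applied.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object Identity, RejectDirectSend

# 4. Monitor for blocked messages. Assumption: rejected Direct Send traffic is visible in
#    message trace as Failed events whose detail carries the 5.7.68 rejection text.
#    Each hit is either a legitimate device that still needs a connector or a spoofing
#    attempt that the tenant can now see instead of silently delivering.
$start  = (Get-Date).AddDays(-2)
$failed = Get-MessageTrace -StartDate $start -EndDate (Get-Date) -Status Failed -PageSize 1000
foreach ($m in $failed) {
    $detail = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                                     -RecipientAddress $m.RecipientAddress
    if ($detail.Detail -match 'Direct Send|5\.7\.68') {
        [pscustomobject]@{
            Received  = $m.Received
            Sender    = $m.SenderAddress
            Recipient = $m.RecipientAddress
            FromIP    = $m.FromIP   # source address of the relaying host
        }
    }
}
```

Run step 4 again a day or two after the change, when the 30-minute propagation window is long past and real traffic has had time to hit the block.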
Beyond the Quick Fix: Comprehensive Protection
DMARC Implementation: Varonis also recommends implementing a strict DMARC policy (p=reject).
User Education: Training employees to spot QR phishing attempts is crucial, especially since many of these attacks use “quishing” (QR code phishing) tactics.
SPF Hardening: Enforcing SPF hardfail within Exchange Online Protection provides additional layers of protection.
The Broader Lesson: Configuration Security Matters
This Direct Send vulnerability perfectly illustrates a fundamental truth in cybersecurity: technology alone cannot protect you from threats you don’t know exist. Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly.
Why This Matters for Your Organization
Business Impact Considerations: Enabling Reject Direct Send may break legitimate business functions that still depend on Direct Send, so Microsoft urges administrators to use caution when turning it on. Before implementing the block, organizations should:
- Audit Current Usage: Identify any legitimate Direct Send requirements
- Test Implementation: Deploy in a test environment first
- Configure Connectors: Unless Direct Send is re-enabled, any sender whose messages are rejected will need a partner connector created to authenticate its source as an approved sender
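One way to keep a legitimate device relaying once the block is in place, as an added example (not from the original post or from Microsoft’s documentation): a partner inbound connector tied to the device’s source IP. The printer address 203.0.113.10 and the domain contoso.example are placeholders; substitute your own accepted domain and device IP.

```powershell
# Added example, not from the original post or Microsoft. Placeholders: the scanner's
# public IP (203.0.113.10, documentation range) and the tenant domain contoso.example.
Connect-ExchangeOnline

$deviceIp = '203.0.113.10'
$domain   = 'contoso.example'

# The connector only helps if the domain is actually accepted in this tenant.
if (-not (Get-AcceptedDomain | Where-Object DomainName -eq $domain)) {
    throw "$domain is not an accepted domain in this tenant"
}

# A Partner inbound connector attributes mail arriving from this IP to the tenant, so it
# is no longer treated as unauthenticated Direct Send after RejectDirectSend is enabled.
# Restricting the domain to that IP means a spoofer elsewhere on the internet cannot
# reuse the same path to send internal-looking mail.
New-InboundConnector -Name 'Relay - scan printer' `
    -ConnectorType Partner `
    -SenderDomains $domain `
    -SenderIPAddresses $deviceIp `
    -RestrictDomainsToIPAddresses $true `
    -Enabled $true

# Confirm the scope, then test by having the device send one message to an internal mailbox.
Get-InboundConnector -Identity 'Relay - scan printer' |
    Select-Object Name, ConnectorType, SenderIPAddresses, SenderDomains, RestrictDomainsToIPAddresses
```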
The Ongoing Threat: Why Vigilance Is Key
The cybersecurity community continues to monitor this threat vector closely:
- Arctic Wolf has recently observed a widespread phishing campaign targeting multiple organizations by abusing Microsoft 365’s Direct Send feature
- Barracuda security analysts recently detected a phishing campaign that leverages the Microsoft 365 Direct Send feature to bypass email security features
- Multiple security vendors report that the technique has gained traction as it effectively bypasses perimeter security solutions and leverages the inherent trust users place in internal communications
Take Action Now: Your Security Checklist
Don’t wait for an attack to hit your organization. Here’s your immediate action plan:
☑️ Immediate Actions (Next 24 Hours):
- Audit your Microsoft 365 tenant for Direct Send usage
- Enable RejectDirectSend if not required for business operations
- Review SPF, DKIM, and DMARC configurations
☑️ Short-Term Actions (Next Week):
- Implement monitoring for anomalous internal email patterns
- Update user security awareness training to include internal spoofing scenarios
- Test email functionality to ensure legitimate communications aren’t blocked
☑️ Long-Term Actions (Ongoing):
- Regular security configuration reviews
- Stay informed about emerging cloud security threats
- Maintain defense-in-depth strategies
The Bottom Line
The Microsoft 365 Direct Send vulnerability serves as a stark reminder that in our cloud-first world, security isn’t just about the tools you deploy; it’s about understanding how those tools can be exploited and staying ahead of emerging threats.
As one security expert noted: “Direct Send is a powerful feature, but in the wrong hands it becomes a dangerous attack vector. If you’re not actively monitoring spoofed internal emails or haven’t enabled these protections, now is the time. Don’t assume internal means safe.”
The good news? Now that you know about this threat, you can take action to protect your organization. The question isn’t whether attackers will continue to evolve their tactics; it’s whether you’ll stay one step ahead of them.
Sources and References
Proofpoint – Attackers Exploit M365 for Internal Phishing
Varonis – Ongoing Campaign Abuses Microsoft 365’s Direct Send
Mimecast – Microsoft 365 Direct Send Abuse
BleepingComputer – Microsoft 365 ‘Direct Send’ abused to send phishing
Microsoft Community – Introducing more control over Direct Send
Barracuda – Microsoft Direct Send phishing attacks explained