Microsoft 365 Direct Send has been abused in a phishing campaign to deliver spoofed messages that appear to originate from within the victim’s organization, Varonis warns.
An Exchange Online feature, Direct Send allows applications and devices to send emails within the tenant. It relies on a smart host and does not require authentication for email generation.
According to Varonis, threat actors have discovered a way to abuse the feature’s lack of authentication to send spoofed emails that bypass security controls, all without having to compromise an account within the target organization.
Because smart host addresses follow a predictable pattern, the attacker only needs to identify the organization’s domain and a valid recipient, and then abuse the Direct Send setup to send phishing emails, “without ever logging in or touching the tenant”, Varonis says.
In the phishing campaign observed by the cybersecurity firm, because the smart hosts were accepting emails from external sources, threat actors were seen employing PowerShell to send the spoofed emails.
“Because the email is routed through Microsoft’s infrastructure and appears to originate from within the tenant, it can bypass traditional email security controls,” Varonis notes.
In one case, the emails resembled voicemail notifications and carried a PDF attachment that contained a QR code directing the recipients to a Microsoft 365 phishing page.
“The email originated from an external IP, failed SPF and DMARC checks, and lacked DKIM signatures, yet it was accepted and delivered internally via the smart host. This is a textbook example of how Direct Send can be exploited when left unprotected,” the company notes.
To prevent such attacks, organizations are advised to enable the Reject Direct Send option in the Exchange admin center, to enforce strict DMARC policies and email security controls, and to educate employees on phishing and the risk of QR code attachments.
Enforcing multi-factor authentication (MFA) and a static IP address in the SPF record should also reduce the risk associated with this abuse.
To identify Direct Send abuse, organizations should look in message headers for external IPs sent to the smart host, analyze SPF, DKIM, and DMARC failures, and search for a smart host in the SPF record.
Related: Cloudflare Tunnels Abused in New Malware Campaign
Related: Russian Hackers Bypass Gmail MFA With App-Specific Password Ruse
Related: Google Warns of Vishing, Extortion Campaign Targeting Salesforce Customers
Related: Taming the Hacker Storm: Why Millions in Cybersecurity Spending Isn’t Enough
