
Microsoft 365 tools exploited for mass spamming of phishing emails, over 70 businesses targeted

Microsoft 365's Direct Send vulnerability targeted in recent phishing scam; potential for credential theft reported

Hackers exploit Microsoft 365 functionalities to flood businesses with deceptive phishing emails, targeting over 70 companies so far.

In a recent development, security experts have warned of a new phishing campaign targeting organisations using Microsoft 365's Direct Send feature in Exchange Online. This campaign, which has already affected more than 70 organisations, is particularly dangerous as it allows attackers to bypass traditional email security controls and deliver phishing emails that appear to originate from within the targeted organisation.

The phishing emails often resemble voicemail notifications, containing a PDF attachment with a QR code redirecting users to a phishing site designed to harvest Microsoft 365 credentials. One instance involved an alert triggered by a Ukrainian IP address, an unexpected and unusual location for the affected organisation.

The attackers have been using PowerShell to send emails appearing to come from a legitimate internal address via the smart host. Notably, the Direct Send feature doesn't require authentication, making it accessible to attackers without credentials, tokens, or access to the tenant.

To protect against such attacks, organisations should adopt a layered security approach that addresses both technical controls and user awareness.

## Technical Controls

Microsoft introduced a setting called "Reject Direct Send" in April 2025 to help organisations block unwanted use of the Direct Send feature. Enabling this setting prevents unauthenticated actors from exploiting this pathway to send spoofed internal emails. Organisations are advised to enable this setting to secure their systems.

Another crucial measure is implementing a strict DMARC policy (p=reject), which instructs email receivers to reject emails that fail SPF or DKIM checks. This reduces the likelihood of unauthorised emails being delivered. Organisations should also enforce SPF hardfail, moving from a softfail SPF configuration to a hardfail to block unauthorised senders outright. However, organisations should assess the impact on legitimate routing scenarios before making this change.
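The following Python checker is an added example (not code from the article, Microsoft, or any vendor): it parses SPF and DMARC TXT records and reports whether they enforce the two controls just described, an SPF record ending in `-all` (hardfail rather than `~all` softfail) and a DMARC policy of `p=reject`, and also checks that the SPF record pins at least one `ip4` address. The domain `example.com` and both record sets are constructed placeholders; a real check would fetch the TXT records from DNS instead of the embedded dictionaries.

```python
"""Check SPF and DMARC TXT records for the hardening described above:
SPF should end in -all (hardfail) and DMARC should publish p=reject.
Added example; the records below are constructed, not any real domain's DNS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for the hypothetical domain example.com.
# "Before": softfail SPF and a monitor-only DMARC policy.
WEAK_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
# "After": hardfail SPF and an enforcing DMARC policy with strict alignment.
HARDENED_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}


@dataclass
class SpfReport:
    all_qualifier: Optional[str]          # "+", "-", "~", "?" or None if no "all" term
    ip4: List[str] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)

    @property
    def hardfail(self) -> bool:
        return self.all_qualifier == "-"


def parse_spf(record: str) -> SpfReport:
    """Walk the SPF terms, keeping the qualifier on 'all' and any ip4/include values."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    report = SpfReport(all_qualifier=None)
    for term in terms[1:]:
        qualifier = "+"                   # SPF's default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            report.all_qualifier = qualifier
        elif name == "ip4":
            report.ip4.append(value)
        elif name == "include":
            report.includes.append(value)
    return report


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value;' pairs into a dict; tag names are lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(records: Dict[str, str], domain: str) -> List[str]:
    """Return a list of findings; an empty list means both controls are enforced."""
    findings = []
    spf = parse_spf(records[domain])
    if spf.all_qualifier is None:
        findings.append("SPF has no 'all' term: append '-all'")
    elif not spf.hardfail:
        findings.append(f"SPF ends in '{spf.all_qualifier}all', not '-all': "
                        "unauthorised senders only softfail")
    if not spf.ip4:
        findings.append("SPF pins no ip4 address: add the static IP of the permitted smart host")
    dmarc = parse_dmarc(records["_dmarc." + domain])
    policy = dmarc.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy}: move to p=reject once "
                        "aggregate reports show legitimate mail aligns")
    return findings


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess(recs, "example.com") or ["no findings"])
```

Run against the weak records it reports the softfail SPF and the `p=none` policy; against the hardened records it reports nothing. The `include:` and `ip4:` values are collected so the same parse can be used to confirm which hosts the record actually authorises before switching to `-all`, which is the impact assessment the text recommends.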

Organisations should also configure email security solutions to review or quarantine messages that appear to be internal but are not properly authenticated, reducing exposure to spoofed emails. Utilising built-in or third-party anti-spoofing controls to detect and block fraudulent internal sender addresses is also recommended.

Regularly monitoring for suspicious email activity, including unusual patterns or spikes in messages sent via Direct Send, is essential.
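As an added example of the monitoring described above (not code from the article or Microsoft), the Python below runs detection logic over a few constructed message-trace lines: it flags messages whose sender claims the organisation's own domain but which did not pass SPF and arrived from an IP outside the organisation's known sending ranges, then counts flagged messages per sender per hour to surface a spike. The tenant domain `example.com`, the known-sender range, the threshold and the log lines are all constructed assumptions; a real deployment would feed it exported message-trace data.

```python
"""Flag messages that claim an internal sender but arrived unauthenticated from
an IP outside the organisation's known senders, and report per-sender bursts.
Added example over constructed log lines; not the article's or Microsoft's code."""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

ORG_DOMAIN = "example.com"                                # hypothetical tenant domain
KNOWN_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed: devices allowed to relay
BURST_THRESHOLD = 3                                       # flagged messages per sender per hour

# Constructed sample trace: timestamp|sender|recipient|client_ip|spf_result
SAMPLE_LOG = """\
2025-06-24T09:01:10Z|helpdesk@example.com|alice@example.com|203.0.113.15|pass
2025-06-24T09:02:30Z|voicemail@example.com|alice@example.com|198.51.100.7|fail
2025-06-24T09:02:41Z|voicemail@example.com|bob@example.com|198.51.100.7|fail
2025-06-24T09:03:05Z|voicemail@example.com|carol@example.com|198.51.100.7|none
2025-06-24T09:03:20Z|voicemail@example.com|dave@example.com|198.51.100.7|fail
2025-06-24T09:10:00Z|newsletter@vendor.example|alice@example.com|192.0.2.44|pass
"""


def parse_line(line: str) -> Dict:
    """Split one pipe-delimited trace line into typed fields."""
    ts, sender, recipient, ip, spf = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "sender": sender.lower(),
        "recipient": recipient.lower(),
        "ip": ipaddress.ip_address(ip),
        "spf": spf.lower(),
    }


def is_spoofed_internal(msg: Dict) -> bool:
    """Internal-looking sender + no SPF pass + unknown source IP is the pattern to flag."""
    claims_internal = msg["sender"].endswith("@" + ORG_DOMAIN)
    from_known_ip = any(msg["ip"] in net for net in KNOWN_SENDERS)
    return claims_internal and msg["spf"] != "pass" and not from_known_ip


def analyse(log_text: str) -> Tuple[List[Dict], Dict[Tuple[str, str], int]]:
    """Return (flagged messages, bursts); bursts maps (sender, hour) to a count
    for any sender whose flagged messages in one hour reach BURST_THRESHOLD."""
    messages = (parse_line(line) for line in log_text.splitlines() if line.strip())
    flagged = [m for m in messages if is_spoofed_internal(m)]
    per_hour = Counter((m["sender"], m["ts"].strftime("%Y-%m-%dT%H")) for m in flagged)
    bursts = {key: n for key, n in per_hour.items() if n >= BURST_THRESHOLD}
    return flagged, bursts


if __name__ == "__main__":
    flagged, bursts = analyse(SAMPLE_LOG)
    for m in flagged:
        print(f"suspect: {m['ts']:%H:%M:%S} {m['sender']} -> {m['recipient']} "
              f"from {m['ip']} spf={m['spf']}")
    for (sender, hour), n in bursts.items():
        print(f"burst: {n} spoofed internal messages from {sender} in hour {hour}")
```

On the sample data the helpdesk message passes (SPF pass, known IP) and the vendor newsletter is ignored (external sender), while the four voicemail-style messages are flagged and, because they share one sender within one hour, reported as a burst. Tuning the known-sender list is the important part: anything legitimately using Direct Send must be in it, or the rule will page on every on-premises device.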

## Operational and Awareness Measures

Employee security training is crucial. Staff should be trained to recognise phishing attempts, including QR code phishing and spoofed internal emails. Employees should understand that not all internal-looking emails are trustworthy.

Regularly auditing and updating email security policies and incident response plans to account for new threat vectors such as Direct Send abuse is also important.

Where possible, the use of the Direct Send feature should be limited to only those devices and applications that absolutely require it, reducing the attack surface.

## Additional Considerations

Ensure that smart hosts used for Direct Send are not open to external connections unless absolutely necessary, and validate that they are configured securely. Monitoring for unauthorised PowerShell scripts that may be used to automate phishing attacks through Direct Send is also advisable.

Organisations should enforce a static IP address in the SPF record to prevent unwanted send abuse, as recommended by Microsoft.

By combining these technical and operational measures, organisations can significantly reduce the risk of phishing attacks leveraging the Direct Send feature in Microsoft 365 Exchange Online.

Remember, "Don't assume internal means safe," said Barnea. Stay vigilant and secure your organisation today.

Cybersecurity experts should emphasize the importance of infrastructure security to protect against phishing campaigns targeting Microsoft 365 users, particularly those using the Direct Send feature. Enhancing technology such as implementing the "Reject Direct Send" setting, enforcing a strict DMARC policy, configuring email security solutions, and regularly monitoring for suspicious activity can help secure systems against such attacks. Additionally, operational measures like employee security training, regular audits, and limiting the use of the Direct Send feature should be considered to strengthen overall cybersecurity posture.
