
Microsoft 365 Direct Send Phishing: How Internal-Looking Emails Bypass Defenses

  • Writer: Inception Security
  • 4 days ago
  • 5 min read

Updated: 3 minutes ago



Phishers are increasingly abusing a little-known Microsoft 365 feature called Direct Send to make malicious emails appear to come from within your company. In July 2025, researchers disclosed a widespread campaign that sends spoofed internal emails using Direct Send. Because the messages arrive through Microsoft's own mail infrastructure carrying a trusted internal From address, they typically fail SPF and DMARC yet still slip past defenses that treat internal mail leniently, landing in the user's junk folder or even the inbox. Small and mid-size businesses (SMBs) are especially at risk because they often lack dedicated email-security teams and may rely on default Microsoft 365 settings.

This blog explains how Direct Send works, how attackers abuse it, why the technique is so dangerous for SMBs, and how to remediate the risk. At the end, we offer a free Microsoft 365 assessment from Inception Security to help you evaluate your environment and close exposure gaps.


What is Direct Send?


Microsoft built Direct Send for a narrow use case: letting on-premises devices or line-of-business applications send email inside your tenant without modern authentication. When a device such as a multifunction printer needs to email scanned documents, it opens an anonymous SMTP connection on port 25 to your tenant's smart host, which is simply your Microsoft 365 MX host, of the form company-com.mail.protection.outlook.com. The device stamps a From address that belongs to one of your accepted domains; Exchange Online treats the message as incoming internet mail and runs it through the normal anti-spam pipeline. Delivery is allowed only to recipients in your tenant, so external relaying is not supported.


Because the connection is anonymous, Direct Send carries two important obligations:

  • Restrict who can use it – ideally, only known IP addresses of trusted devices.

  • Enforce SPF, DKIM, and DMARC – forged mail should be caught by your policies.


Microsoft warns that Direct Send is for advanced customers willing to accept the operational responsibilities of email-server admins. Starting in April 2025, Microsoft introduced a tenant-level switch, RejectDirectSend, that rejects anonymous Direct Send traffic. New tenants created after mid-2025 have this block enabled by default.


How criminals twist the feature


Attackers take advantage of the lack of authentication to send fake internal messages without ever logging in. A typical attack chain looks like this:


  • Reconnaissance: Query DNS to derive the target organisation’s MX record and therefore the Direct Send smart host (company-com.mail.protection.outlook.com). Harvest internal email addresses from OSINT sources or guess common naming conventions.

  • Spoof and send: Use a script or PowerShell's Send-MailMessage cmdlet to connect to the smart host on port 25. Forge the envelope sender (SMTP MAIL FROM) and the From header with the target's domain. Attach a compelling lure such as a PDF with a QR code for a "missed voicemail" or "wire authorization". Example command (Send-MailMessage is deprecated by Microsoft but still functional; the backtick is PowerShell's line-continuation character):

    Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -Port 25 `
        -To user@company.com -From user@company.com `
        -Subject "New Voicemail" -Body "Please review" -BodyAsHtml

  • No credentials are needed, because the smart host accepts anonymous connections. The message is delivered by Microsoft's own infrastructure with an internal From address, so it looks internal to the recipient and to any third-party gateway that only inspects mail arriving through the MX record it fronts; in practice it often bypasses those gateways entirely.

  • Exploit trust: The message travels through Microsoft's backbone. To the recipient it looks like ordinary internal mail. If the organisation's anti-spam rules treat internal messages differently (for example a transport rule that sets SCL -1 whenever the sender domain is your own), the phishing email may land in the inbox. Many victims scan the QR code with a smartphone, which also takes them off the corporate network and its URL filtering, and are sent to a fake Microsoft login page that steals their credentials.


Proof-of-concept and observed payloads


Researchers have shown that a single-line PowerShell command can abuse Direct Send to deliver spoofed emails. The observed campaigns used PDF attachments with QR codes (sometimes called quishing) to evade link-scanning filters. Subjects included “Your To-Do List”, “New Missed Fax-msg”, “Wire Authorization Approval”, and similar business-themed reminders. The attachments often contained names like Fax-msg.pdf, Play_VM-Now.pdf, or Listen.pdf and directed the user to scan a QR code. When scanned, the code led to a phishing site that harvested Microsoft 365 credentials. Attackers used VPS infrastructure to send these messages and frequently rotated IP addresses.

Why SMBs are especially vulnerable


While large enterprises often have dedicated security teams and layered email defenses, small and mid-size businesses may rely on Microsoft 365’s default spam filters and trust internal messages implicitly. Direct Send abuse undermines that trust.

  • SMBs often allow printers and legacy devices to use Direct Send without restricting the source IPs.

  • Many domains still publish a soft-fail (~all) SPF record and a DMARC policy of p=none or p=quarantine, so a failed authentication result is at most scored as spam rather than refused outright.

  • Transport rules that lower spam scores for messages where the sender’s domain equals the recipient’s domain can inadvertently wipe out risk signals.

  • Attackers exploit these gaps to get phishing messages delivered internally.
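The SPF and DMARC weaknesses listed above can be checked mechanically. The following PowerShell is an added example, not code from this post: it grades a domain's SPF and DMARC TXT records for the specific gaps named (soft-fail SPF, a DMARC policy that does not reject) and reports whether a forged internal From address would be refused or merely scored as spam. The two record sets at the bottom are constructed samples for the placeholder domain company.com; Get-LiveEmailAuthPosture runs the same check against real DNS using the Windows Resolve-DnsName cmdlet (DnsClient module).

```powershell
# Added example; not code from the Inception Security post.
# Grades SPF and DMARC records for the weaknesses that let Direct Send spoofing through.

function Get-EmailAuthPosture {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$SpfRecord,    # apex TXT record, e.g. "v=spf1 include:spf.protection.outlook.com -all"
        [string]$DmarcRecord   # TXT record published at _dmarc.<domain>
    )
    $issues = New-Object System.Collections.Generic.List[string]

    # --- SPF: the "all" qualifier decides what a receiver does with an unlisted sending IP ---
    if (-not $SpfRecord -or $SpfRecord -notmatch '^v=spf1\b') {
        $spfMode = 'missing'
        $issues.Add('No SPF record: receivers cannot tell which IPs may send as this domain.')
    } else {
        $qualifier = if ($SpfRecord -match '(?:^|\s)([-~?+]?)all\s*$') { $Matches[1] } else { 'absent' }
        $spfMode = switch ($qualifier) {
            '-'      { 'hardfail' }
            '~'      { 'softfail' }
            '?'      { 'neutral' }
            'absent' { 'neutral' }   # no "all" term at all: unlisted IPs default to neutral
            default  { 'passall' }   # "+all" or bare "all": anyone may send as you
        }
        if ($spfMode -ne 'hardfail') {
            $issues.Add("SPF 'all' qualifier is $spfMode: forged mail is scored, not refused.")
        }
        # Mechanisms that need DNS count against the RFC 7208 limit of 10; past it SPF is a permerror.
        $lookups = @($SpfRecord -split '\s+' | Where-Object {
            $_ -match '^[-~?+]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $issues.Add("SPF needs $lookups DNS lookups (limit 10) and will permerror.") }
    }

    # --- DMARC: p= tells receivers what to do when neither SPF nor DKIM aligns with From ---
    if (-not $DmarcRecord -or $DmarcRecord -notmatch '^v=DMARC1\b') {
        $dmarcPolicy = 'missing'
        $issues.Add('No DMARC record: an SPF or DKIM failure carries no enforced action.')
    } else {
        $tags = @{}
        foreach ($kv in ($DmarcRecord -split ';')) {
            if ($kv.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1].ToLower()] = $Matches[2].Trim() }
        }
        $dmarcPolicy = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { 'none' }
        $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
        if ($dmarcPolicy -ne 'reject') { $issues.Add("DMARC policy is p=$dmarcPolicy; only p=reject asks receivers to refuse spoofed mail.") }
        if ($pct -lt 100) { $issues.Add("pct=$pct applies that policy to only $pct% of failing mail.") }
        if (-not $tags.ContainsKey('rua')) { $issues.Add('No rua= address: you get no aggregate reports showing who spoofs the domain.') }
    }

    $verdict = if ($spfMode -eq 'hardfail' -and $dmarcPolicy -eq 'reject') { 'Spoofed mail should be refused' }
               elseif ($dmarcPolicy -in @('quarantine', 'reject') -or $spfMode -eq 'hardfail') { 'Spoofed mail is junked or quarantined, not refused' }
               else { 'Spoofed mail is at most scored as spam' }

    [pscustomobject]@{ Domain = $Domain; SpfMode = $spfMode; DmarcPolicy = $dmarcPolicy; Verdict = $verdict; Issues = $issues.ToArray() }
}

function Get-LiveEmailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    # Resolve-DnsName (Windows DnsClient module) exposes each TXT record's text in .Strings.
    $txt = {
        param($name, $prefix)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { -join $_.Strings } | Where-Object { $_ -like "$prefix*" } | Select-Object -First 1
    }
    Get-EmailAuthPosture -Domain $Domain -SpfRecord (& $txt $Domain 'v=spf1') -DmarcRecord (& $txt "_dmarc.$Domain" 'v=DMARC1')
}

# Constructed samples: a common SMB posture, then the posture this post recommends.
Get-EmailAuthPosture -Domain 'company.com' -SpfRecord 'v=spf1 include:spf.protection.outlook.com ~all' `
    -DmarcRecord 'v=DMARC1; p=none; rua=mailto:dmarc@company.com' | Format-List
Get-EmailAuthPosture -Domain 'company.com' -SpfRecord 'v=spf1 include:spf.protection.outlook.com ip4:198.51.100.10 -all' `
    -DmarcRecord 'v=DMARC1; p=reject; rua=mailto:dmarc@company.com' | Format-List
```

The first sample grades as softfail with p=none, so a Direct Send message spoofing company.com is at most junked; the second grades as hardfail with p=reject. Treat the grade as necessary but not sufficient: Exchange Online decides what a DMARC failure means for mail addressed to your own users according to its anti-phishing policy settings, and the anonymous SMTP connection itself is still accepted until RejectDirectSend is on.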


Indicators of compromise


Look for these signals in email headers, mail-flow logs, and firewall logs (indicator, what to look for, and why it matters):

  • Malicious sender IPs – External IPs handing mail to your tenant's smart host (*.mail.protection.outlook.com) that are not your printers or authorized sending services. Attackers send from VPS infrastructure and rotate across many IPs, so hunt by the pattern rather than by a single address.

  • Subjects and attachments – "Caller Left VM Message", "New Missed Fax-msg", "Wire Authorization Approval"; PDFs carrying a QR code (Fax-msg.pdf, Play_VM-Now.pdf, Listen.pdf). Consistent across the observed campaigns; the QR code drives users to the credential-phishing page.

  • Header anomalies – A Received header showing an outside IP delivering to your *.mail.protection.outlook.com host, a From address in your own domain, and Authentication-Results of spf=fail, dmarc=fail and compauth=fail. The message is spoofed yet was delivered to an internal mailbox.

  • Anomalous client fingerprints – Signs in the headers or message logs that a PowerShell script or other command-line mailer sent the message: a generic or mismatched EHLO hostname in the Received header, no X-Mailer or a script-style one, and self-addressed mail where From equals To. Not typical of legitimate user or device mail flow.
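The indicators above can be applied to a raw message header block. The following PowerShell is an added example, not code from this post: it finds the hop where an outside IP handed the message to the tenant's MX host (*.mail.protection.outlook.com), checks that IP against a device allow-list, reads the From domain, pulls the EOP Authentication-Results verdicts, and flags the self-addressed pattern. The accepted domain, the allow-listed device IP and the sample headers at the bottom are constructed for illustration; the header layout follows what Exchange Online Protection stamps on inbound mail.

```powershell
# Added example; not code from the Inception Security post.
# Scores a raw header block for the Direct Send spoofing pattern from the indicator table.

function Get-UnfoldedHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # RFC 5322 folding: a line that begins with whitespace continues the previous header.
    $unfolded = [regex]::Replace($RawHeaders, "\r?\n[ \t]+", ' ')
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] }
        }
    }
}

function Test-DirectSendHeaders {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$AcceptedDomains,   # your tenant's domains
        [string[]]$AllowedSenderIPs = @()                    # static IPs of devices that legitimately relay
    )
    $h = @(Get-UnfoldedHeaders -RawHeaders $RawHeaders)
    $findings = New-Object System.Collections.Generic.List[string]
    $get = {
        param($name)
        ($h | Where-Object { $_.Name -eq $name } | Select-Object -First 1).Value
    }

    # From: does the displayed sender claim one of our accepted domains?
    $from = [string](& $get 'From')
    $fromAddr = if ($from -match '([\w.+-]+@[\w.-]+)') { $Matches[1].ToLower() } else { '' }
    $fromDomain = $fromAddr.Split('@')[-1]
    $claimsInternal = $AcceptedDomains -contains $fromDomain

    # Received: headers are prepended as mail moves, so the LAST one whose "by" host is an
    # EOP MX front door is the hop where an outside IP handed the message to the tenant.
    $entryIp = $null
    foreach ($r in ($h | Where-Object { $_.Name -eq 'Received' })) {
        if ($r.Value -match '^from\s+\S+\s+\(([^)]*)\)\s+by\s+(\S+)') {
            $info = $Matches[1]; $byHost = $Matches[2]
            if ($byHost -like '*.mail.protection.outlook.com' -and $info -match '(\d{1,3}(?:\.\d{1,3}){3})') {
                $entryIp = $Matches[1]
            }
        }
    }

    # Authentication-Results: EOP's SPF, DKIM, DMARC and composite authentication (compauth) verdicts.
    $auth = [string](& $get 'Authentication-Results')
    $verdict = @{}
    foreach ($k in 'spf', 'dkim', 'dmarc', 'compauth') {
        $verdict[$k] = if ($auth -match "(?:^|[\s;])$k=(\w+)") { $Matches[1] } else { 'none' }
    }

    $to = [string](& $get 'To')
    $selfAddressed = [bool]($fromAddr -and ($to.ToLower() -like "*$fromAddr*"))

    if ($claimsInternal -and $entryIp) {
        if ($AllowedSenderIPs -contains $entryIp) {
            $findings.Add("Internal From via MX host from allow-listed device IP $entryIp (expected Direct Send).")
        } else {
            $findings.Add("Internal From ($fromDomain) handed to the MX host by unowned IP $entryIp.")
        }
    }
    if ($verdict.spf -eq 'fail')      { $findings.Add('SPF failed: the connecting IP is not authorized for the MAIL FROM domain.') }
    if ($verdict.dmarc -eq 'fail')    { $findings.Add('DMARC failed: neither SPF nor DKIM aligned with the From domain.') }
    if ($verdict.compauth -eq 'fail') { $findings.Add('Composite authentication failed: EOP itself judged the sender unauthenticated.') }
    if ($selfAddressed)               { $findings.Add('Self-addressed message (From equals To), a pattern seen in the observed campaign.') }

    [pscustomobject]@{
        FromDomain = $fromDomain; EntryIp = $entryIp
        Spf = $verdict.spf; Dkim = $verdict.dkim; Dmarc = $verdict.dmarc; CompAuth = $verdict.compauth
        SelfAddressed = $selfAddressed
        Suspicious = [bool]($claimsInternal -and $entryIp -and ($AllowedSenderIPs -notcontains $entryIp) -and $verdict.compauth -ne 'pass')
        Findings = $findings.ToArray()
    }
}

# Constructed sample headers in the EOP layout; the VPS IP 203.0.113.55 is documentation space.
$sample = @'
Received: from BN8NAM11FT045.eop-nam11.prod.protection.outlook.com
 (2603:10b6:408:2b::3) by BL0PR01MB1234.prod.exchangelabs.com with HTTPS; Mon,
 7 Jul 2025 14:02:11 +0000
Received: from mail.vps-example.net (203.0.113.55) by
 BN8NAM11FT045.mail.protection.outlook.com (10.13.177.108) with Microsoft SMTP
 Server id 15.20.8901.18 via Frontend Transport; Mon, 7 Jul 2025 14:02:10 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.55)
 smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=company.com;compauth=fail reason=000
From: Jane Doe <jane.doe@company.com>
To: jane.doe@company.com
Subject: New Missed Fax-msg
'@

Test-DirectSendHeaders -RawHeaders $sample -AcceptedDomains 'company.com' -AllowedSenderIPs '198.51.100.10' | Format-List
```

For the sample, EntryIp is 203.0.113.55, all three verdicts are fail, SelfAddressed and Suspicious are True. Feed it real headers exported from a mailbox or quarantine, and treat the allow-list as the same set of device IPs you scope an inbound connector to.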

Defending against Direct Send abuse

  1. Determine if you need Direct Send. For many organizations, the honest answer is no. Modern printers can authenticate with SMTP AUTH or Microsoft Graph, and SaaS platforms can use OAuth or secure connectors. If you still have devices that must relay anonymously, ensure they use a static outbound IP and build an inbound connector scoped to that IP. Otherwise, disable the feature.

  2. Enable the RejectDirectSend setting. In April 2025, Microsoft introduced Set-OrganizationConfig -RejectDirectSend $true. The change takes effect within about 30 minutes; from then on, anonymous Direct Send attempts that do not match an inbound connector you configured are rejected, and the setting is now enabled by default for new tenants. Combine this with a strict DMARC p=reject policy and SPF hard fail (-all) so that spoofed messages are blocked wherever they are received.

  3. Harden email authentication

    • Review message traces for mail where the Received header shows your MX host followed by a public IP you don’t own.

    • List only legitimate senders and device IPs in SPF; prefer -all (hard fail).

    • Enable DKIM for every custom domain.

    • Enforce DMARC, progressing to p=reject.

    • Remove any mail rules that lower spam scores just because sender and recipient domain match.

    • Keep "Spoof intelligence" and "Unauthenticated sender indicators" enabled in the Microsoft Defender for Office 365 anti-phishing policies (managed in the Microsoft 365 Defender portal).

  4. Monitor for abuse and educate users

    • Hunt for external IPs hitting your smart host and for self-addressed mail or unexpected PowerShell Send-MailMessage usage.

    • Alert or quarantine any message that fails SPF/DKIM/DMARC but appears internal.

    • Educate users about QR-code phishing and reinforce that "internal" doesn't always mean "safe."

    • Require multi-factor authentication (MFA) for all users.

  5. Consider layered email defenses. Third-party secure email gateways and advanced threat protection can examine attachments and URLs, even in internal-appearing mail. Check that the gateway actually sees Direct Send traffic, though: an attacker connects straight to your tenant's *.mail.protection.outlook.com host, not to the MX record you pointed at the gateway, so a gateway that only fronts your MX never inspects these messages unless you also close the anonymous path with RejectDirectSend or connector IP restrictions.
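The five steps above can be driven from Exchange Online PowerShell. The following script is an added example, not code from this post: using the ExchangeOnlineManagement module it reports and sets the RejectDirectSend switch, scopes any device that still must relay to an IP-restricted inbound connector, enables DKIM, surfaces transport rules that exempt your own domain from filtering, shows the spoof-intelligence and DMARC-handling settings, and hunts the last week of message traces for mail claiming your domain that arrived from an IP you do not own. The domain and device IP are placeholders, and nothing is changed unless you pass -Apply.

```powershell
# Added example; not code from the Inception Security post.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$TenantDomain = 'company.com',        # placeholder accepted domain
    [string[]]$DeviceIPs  = @('198.51.100.10'),   # placeholder static IPs of printers/apps that must relay
    [switch]$Apply                                # without -Apply the script only reports
)

Connect-ExchangeOnline -ShowBanner:$false

# Step 2: the tenant-level switch. Anonymous mail that matches no connector is then rejected
# with an NDR, typically within about 30 minutes of the change.
$org = Get-OrganizationConfig
"RejectDirectSend: $($org.RejectDirectSend)"
if ($Apply -and -not $org.RejectDirectSend) { Set-OrganizationConfig -RejectDirectSend $true }

# Step 1: anything that must still relay anonymously gets an OnPremises inbound connector
# scoped to its static IP. Mail matching a connector is attributed to you and is not subject
# to the RejectDirectSend block, which is why the IP scope must be tight.
$relay = Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.SenderIPAddresses }
$relay | Select-Object Name, Enabled, SenderIPAddresses, RestrictDomainsToIPAddresses
if ($Apply -and -not $relay) {
    New-InboundConnector -Name 'Device relay (IP-scoped)' -ConnectorType OnPremises `
        -SenderDomains '*' -SenderIPAddresses $DeviceIPs -RestrictDomainsToIPAddresses $true
}

# Step 3a: DKIM for every custom domain. Enabling fails until the two selector CNAMEs exist
# in DNS, so the warning prints what you need to publish first. Domains with no signing
# config yet need New-DkimSigningConfig before they appear here.
foreach ($dk in Get-DkimSigningConfig) {
    if (-not $dk.Enabled) {
        Write-Warning "DKIM off for $($dk.Domain): publish $($dk.Selector1CNAME) and $($dk.Selector2CNAME), then enable"
        if ($Apply) { Set-DkimSigningConfig -Identity $dk.Domain -Enabled $true }
    }
}

# Step 3b: transport rules that set SCL -1 when the sender domain is your own erase the spoof
# signal for exactly the mail Direct Send abuse produces. Review, then disable them.
Get-TransportRule | Where-Object {
    $_.SetSCL -eq -1 -and (@($_.SenderDomainIs | ForEach-Object { [string]$_ }) -contains $TenantDomain)
} | Select-Object Name, State, SenderDomainIs, SetSCL

# Step 3c: spoof intelligence, unauthenticated-sender tips, and how a failing DMARC policy is honored.
Get-AntiPhishPolicy | Select-Object Name, EnableSpoofIntelligence, EnableUnauthenticatedSender, HonorDmarcPolicy, DmarcRejectAction, DmarcQuarantineAction

# Step 4: hunt the last 7 days for mail claiming your domain whose connecting IP (FromIP) is
# not a device you own. Mail submitted from mailboxes carries no FromIP; what remains is either a
# third-party service you authorized in SPF or someone abusing Direct Send.
# (Newer module versions replace Get-MessageTrace with Get-MessageTraceV2; the filter is the same.)
$end = Get-Date
Get-MessageTrace -StartDate $end.AddDays(-7) -EndDate $end -SenderAddress "*@$TenantDomain" -PageSize 5000 |
    Where-Object { $_.FromIP -and $_.FromIP -notin $DeviceIPs } |
    Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'FromIP'; e = { $_.Name }}, @{n = 'SampleSubject'; e = { $_.Group[0].Subject }}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply and compare the FromIP list against your printers and SaaS senders; every IP you cannot account for is a candidate for the indicator review above, and every one you can is a candidate for the connector allow-list.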


How Inception Security Can Help


Defending against Direct Send abuse requires visibility into your mail flow and authentication posture. Many SMBs don’t realize which devices or applications are still using anonymous SMTP.


Inception Security offers a free Microsoft 365 security assessment. This assessment reviews your environment for configuration gaps and common risks—such as weak access controls, insecure legacy settings, and exposure to internal phishing techniques like Direct Send abuse. You’ll receive a clear HTML report that shows what’s vulnerable, what needs attention, and practical steps to improve your security posture.


To schedule your free assessment, contact Inception Security. We’ll help you identify Direct Send risks and strengthen your Microsoft 365 security.


Conclusion


Microsoft 365’s Direct Send was designed for printers and legacy apps, but threat actors are exploiting it to deliver internal-looking phishing emails. The recent campaign shows how a simple unauthenticated SMTP connection, combined with a QR-code-laden PDF, can bypass standard protections and trick users into giving up credentials. SMBs are particularly vulnerable because they often lack strict email-authentication policies and may trust internal messages by default. By understanding how Direct Send works, tightening your SPF/DKIM/DMARC configurations, enabling the new RejectDirectSend setting, and educating users, you can mitigate this emerging threat. And if you need help, Inception Security’s free Microsoft 365 assessment will help you see exactly where you stand.


© 2023 All Rights Reserved by INCEPTION SECURITY™ .
