
Exploitation of Microsoft 365 Direct Send to Deliver Phishing Emails as Internal Users



A phishing campaign targeting more than 70 organizations, most of them in the US, has been uncovered by Varonis' Managed Data Detection and Response (MDDR) Forensics team.

The campaign, active since May 2025, exploits a lesser-known Microsoft 365 feature called Direct Send, which lets devices and applications within a tenant deliver mail to the tenant's own mailboxes without SMTP authentication.

Designed for internal use, such as letting printers and scanners send notifications, Direct Send has been weaponized by threat actors to spoof internal users and deliver phishing emails without compromising a single account.

Unveiling a Novel Phishing Campaign

The abuse relies on the tenant's smart host (e.g., tenantname.mail.protection.outlook.com), which accepts mail addressed to the tenant's domains from any Internet host. By connecting to that endpoint and forging an internal From address, an attacker can send messages that appear to originate from within the organization, sidestepping email security controls, both Microsoft's own filtering and third-party solutions, that rely on sender reputation or external routing patterns.
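A triage script for the pattern described above, written for this page as an added example (it is not code from the article or from Varonis). It takes raw message headers and flags mail that claims an internal From domain but first entered Exchange Online at the tenant's `*.mail.protection.outlook.com` endpoint from an untrusted IP, either stamped `X-MS-Exchange-Organization-AuthAs: Anonymous` or without an SPF pass. The header names are the ones Exchange Online actually emits; the three sample messages, the domain example.com, the IP addresses and the allowlist of legitimate Direct Send devices are constructed assumptions.

```python
"""Triage Microsoft 365 message headers for Direct Send spoofing: an external host
handing mail to <tenant>.mail.protection.outlook.com without authentication while
the From: address claims one of the tenant's own domains.

Added example, not code from the article or from Varonis. The sample headers,
example.com, and the IP addresses are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this tenant owns, and the IPs of devices (printers,
# scanners, line-of-business apps) that legitimately use Direct Send.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_DIRECT_SEND_SOURCES = {"198.51.100.10"}

# "from <host> (<ip>) by <host>" as written by Exchange Online front-end transport.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([0-9a-fA-F.:]+)\)\s+by\s+(\S+)", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.I)


def _flat(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join((value or "").split())


def analyze(raw_message):
    """Return a dict of the indicators and an overall 'suspicious' verdict."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(_flat(msg.get("From")))[1].rpartition("@")[2].lower()
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(_flat(msg.get("Authentication-Results")))}

    # Received headers are prepended at each hop, so the LAST one is the hop at
    # which the message first entered Exchange Online.
    hops = [m for m in (RECEIVED_RE.search(_flat(h)) for h in msg.get_all("Received", [])) if m]
    entry = hops[-1] if hops else None
    entry_ip = entry.group(2) if entry else None
    entry_host = entry.group(3).lower().rstrip(";") if entry else ""

    indicators = {
        "claims_internal_sender": from_domain in INTERNAL_DOMAINS,
        # Delivered straight to the tenant's protection endpoint rather than via an
        # authenticated submission (which enters at *.prod.outlook.com).
        "entered_via_direct_send": entry_host.endswith(".mail.protection.outlook.com"),
        # Exchange stamps unauthenticated submissions as Anonymous.
        "anonymous_submission": _flat(msg.get("X-MS-Exchange-Organization-AuthAs")).lower() == "anonymous",
        "spf_pass": auth.get("spf") == "pass",
        "compauth": auth.get("compauth"),
        "entry_ip": entry_ip,
        "from_domain": from_domain,
    }
    indicators["suspicious"] = (
        indicators["claims_internal_sender"]
        and indicators["entered_via_direct_send"]
        and entry_ip not in TRUSTED_DIRECT_SEND_SOURCES
        and (indicators["anonymous_submission"] or not indicators["spf_pass"])
    )
    return indicators


# Constructed sample 1: phishing delivered through Direct Send from an external host.
SPOOFED = """\
Received: from BN8NAM11FT034.mail.protection.outlook.com (10.13.177.124) by
 BN8NAM11HT055.eop-nam11.prod.protection.outlook.com (10.13.176.21) with Microsoft
 SMTP Server id 15.20.8000.1; Mon, 2 Jun 2025 09:14:23 +0000
Received: from mail.attacker.invalid (203.0.113.5) by
 BN8NAM11FT034.mail.protection.outlook.com (10.13.177.124) with Microsoft SMTP
 Server id 15.20.8000.1 via Frontend Transport; Mon, 2 Jun 2025 09:14:22 +0000
Authentication-Results: spf=softfail (sender IP is 203.0.113.5)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: new voicemail

Please review the attached voicemail.
"""

# Constructed sample 2: an authenticated Outlook submission by a real user.
AUTHENTICATED = """\
Received: from CH2PR01MB5678.prod.outlook.com (2603:10b6:610:1f::21) by
 CH2PR01MB1234.prod.outlook.com (2603:10b6:610:24::8) with Microsoft SMTP Server
 id 15.20.8000.1; Mon, 2 Jun 2025 10:02:11 +0000
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com; compauth=pass reason=109
X-MS-Exchange-Organization-AuthAs: Internal
From: bob@example.com
To: alice@example.com
Subject: Lunch?

Noon works for me.
"""

# Constructed sample 3: a known printer using Direct Send from an allowlisted IP.
PRINTER = """\
Received: from printer01.corp.example.com (198.51.100.10) by
 BN8NAM11FT034.mail.protection.outlook.com (10.13.177.124) with Microsoft SMTP
 Server id 15.20.8000.1 via Frontend Transport; Mon, 2 Jun 2025 10:30:00 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=example.com; dkim=none header.d=none;
 dmarc=pass action=none header.from=example.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
From: scanner@example.com
To: alice@example.com
Subject: Scanned document

See attachment.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("authenticated", AUTHENTICATED), ("printer", PRINTER)):
        r = analyze(raw)
        print(f"{name:14s} suspicious={r['suspicious']} entry_ip={r['entry_ip']} compauth={r['compauth']}")
```

The allowlist is what keeps the check usable: a tenant that really does let printers use Direct Send will see the same entry host and `Anonymous` stamp on legitimate notifications, so the source IP is the only thing separating them from a forgery. For tenants that have no such devices, Exchange Online also exposes a tenant-wide switch that refuses unauthenticated Direct Send entirely (`Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell), which removes the attack surface rather than detecting its use.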

The mechanics of this attack are alarmingly ...


Copyright of this story solely belongs to gbhackers, where the full text is published.