Hackers Exploit Microsoft 365’s Direct Send Feature for Internal Phishing Attacks
gbhackers
Threat actors are leveraging Microsoft 365’s Direct Send feature to launch sophisticated phishing campaigns that mimic internal organizational emails, eroding trust and heightening the success rate of social engineering exploits.
This feature, designed for unauthenticated relaying of messages from devices like multifunction printers and legacy applications to internal recipients, allows external attackers to spoof sender addresses without requiring valid credentials.
Proofpoint researchers have documented an ongoing operation where adversaries inject phishing emails via unsecured third-party email security appliances acting as SMTP relays, often hosted on virtual private servers (VPS).
These messages frequently bypass native defenses, appearing in users’ junk folders even when flagged for composite authentication failures, such as SPF, DKIM, or DMARC mismatches.
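A triage check for the signal described above, written as an added example rather than code from the article or from Proofpoint: it flags messages whose From address claims an internal domain while the Authentication-Results header stamped by Microsoft 365 records a composite authentication failure. The domain `example.com`, the label names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)

def auth_verdicts(msg):
    """Verdicts from Authentication-Results; the topmost header wins because
    it is the one stamped by the final receiving system."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in VERDICT_RE.findall(value):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def classify(raw):
    """Return (label, failed_checks) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return "external", []
    v = auth_verdicts(msg)
    failed = [m for m in ("spf", "dkim", "dmarc", "compauth") if v.get(m) == "fail"]
    # Internal-looking sender plus failed authentication is the spoofing signal.
    if "compauth" in failed or (failed and "compauth" not in v):
        return "suspect-internal-spoof", failed
    if v.get("compauth") == "pass":
        return "authenticated", failed
    return "unverified", failed

# Constructed sample messages (not taken from the campaign).
SPOOFED = (
    "Authentication-Results: spf=fail (sender IP is 203.0.113.7)\r\n"
    " smtp.mailfrom=example.com; dkim=none (message not signed)\r\n"
    " header.d=none; dmarc=fail action=oreject header.from=example.com;\r\n"
    " compauth=fail reason=000\r\n"
    "From: Accounts Payable <ap@example.com>\r\n"
    "To: user@example.com\r\n"
    "Subject: Wire transfer authorization\r\n\r\nbody\r\n"
)
LEGIT = (SPOOFED.replace("=fail", "=pass").replace("dkim=none", "dkim=pass")
         .replace("reason=000", "reason=100"))
NO_HEADER = "From: ap@example.com\r\nTo: user@example.com\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("bare", NO_HEADER)):
        print(name, classify(raw))
```

Messages labelled `unverified` carry no verdict at all and need a second source, such as the message trace, before they are treated as trusted internal mail.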
Campaign Overview and Tactics
The phishing lures are tailored to business contexts, employing pretexts like task reminders, wire transfer authorizations, and voicemail notifications to prompt user engagement.
By exploiting Direct Send, attackers achieve a veneer ...
Copyright of this story solely belongs to gbhackers.