
Microsoft 365 Direct Send Abused for Phishing


Microsoft 365 Direct Send has been abused in a phishing campaign to deliver spoofed messages that appear to originate from within the victim’s organization, Varonis warns.

Direct Send is an Exchange Online feature that lets applications and devices in an organization, such as printers, scanners and line-of-business apps, send email to recipients inside the tenant. Messages are handed over SMTP to the tenant's inbound smart host, and no authentication is required to submit them.

According to Varonis, threat actors have discovered a way to abuse the feature’s lack of authentication to send spoofed emails that bypass security controls, all without having to compromise an account within the target organization.

Smart host addresses follow a predictable pattern: the organization's domain with its dots replaced by hyphens, followed by .mail.protection.outlook.com. The attacker therefore only needs to identify the organization's domain and a valid recipient, and can then abuse the Direct Send setup to send phishing emails, "without ever logging in or touching the tenant", Varonis says.
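As an added example (not code from the Varonis report or the SecurityWeek article), the Python below shows both halves of the point above: how the inbound smart host is derived from a domain name, and a detection rule that flags messages claiming a sender in the tenant's own domain which arrived through that smart host without passing SPF, DKIM or Exchange Online's composite authentication. The tenant domain example.com, the device allow-list and the three message samples are constructed; the samples imitate the Authentication-Results format Exchange Online stamps on inbound mail, and the smart-host naming rule is the MX endpoint pattern Exchange Online assigns to an accepted domain.

```python
import re
from email import message_from_string

# Assumption (hypothetical tenant): the accepted domain being defended.
TENANT_DOMAIN = "example.com"

# Exchange Online names a tenant's inbound smart host (its MX endpoint) after the
# accepted domain with dots replaced by hyphens; that is what makes it guessable.
SMART_HOST_SUFFIX = ".mail.protection.outlook.com"


def expected_smart_host(domain: str) -> str:
    """Return the smart host an attacker would derive from a bare domain name."""
    return domain.strip().lower().replace(".", "-") + SMART_HOST_SUFFIX


_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.IGNORECASE)
_SENDER_IP_RE = re.compile(r"sender IP is (\d+(?:\.\d+){3})")


def parse_auth_results(value: str) -> dict:
    """Extract method=result pairs (spf, dkim, dmarc, compauth) from an
    Authentication-Results header; methods that are absent stay absent."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in _AUTH_RE.finditer(value or "")}


def is_direct_send_spoof(raw_message: str,
                         tenant_domain: str = TENANT_DOMAIN,
                         known_device_ips: frozenset = frozenset()) -> bool:
    """Flag a message that (1) claims a sender in the tenant's own domain,
    (2) was handed to the tenant's inbound smart host, and (3) carries no
    authentication result that would justify the internal-sender claim.

    known_device_ips is a caveat rather than a fix: a legitimate printer or app
    using Direct Send from an IP missing from the SPF record looks exactly like
    an attacker, so an allow-list of such source IPs keeps the rule quiet on them."""
    msg = message_from_string(raw_message)

    from_hdr = msg.get("From", "") or ""
    m = re.search(r"@([\w.-]+)", from_hdr)
    if not m or m.group(1).lower() != tenant_domain.lower():
        return False  # does not claim to be internal; out of scope for this rule

    received = " ".join(msg.get_all("Received", [])).lower()
    if expected_smart_host(tenant_domain) not in received:
        return False  # did not arrive through the Direct Send path

    auth_hdr = msg.get("Authentication-Results", "") or ""
    ip = _SENDER_IP_RE.search(auth_hdr)
    if ip and ip.group(1) in known_device_ips:
        return False  # a source the organization has explicitly accepted

    auth = parse_auth_results(auth_hdr)
    authenticated = (auth.get("spf") == "pass"
                     or auth.get("dkim") == "pass"
                     or auth.get("compauth") == "pass")
    return not authenticated


# Constructed sample 1: an unauthenticated spoof delivered via the smart host.
SPOOFED = (
    "Received: from 203.0.113.10 (203.0.113.10) by "
    "example-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;"
    " dkim=none (message not signed) header.d=none;"
    " dmarc=fail action=none header.from=example.com; compauth=fail reason=001\n"
    "From: HR Team <hr@example.com>\n"
    "To: victim@example.com\n"
    "Subject: Action required: updated payroll form\n"
    "\n"
    "Please review the attached form today.\n"
)

# Constructed sample 2: internal-domain sender relayed by a provider whose IP is
# listed in SPF and which signs with DKIM, so the claim is substantiated.
LEGIT_RELAY = (
    "Received: from mta.bulkmail.example (198.51.100.7) by "
    "example-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server\n"
    "Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=example.com;"
    " dkim=pass (signature was verified) header.d=example.com;"
    " dmarc=pass action=none header.from=example.com; compauth=pass reason=100\n"
    "From: Newsletter <news@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Monthly update\n"
    "\n"
    "Hello all.\n"
)

# Constructed sample 3: ordinary external mail, not claiming to be internal.
EXTERNAL = (
    "Received: from mail.partner.example (192.0.2.5) by "
    "example-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server\n"
    "Authentication-Results: spf=pass (sender IP is 192.0.2.5) smtp.mailfrom=partner.example;"
    " dkim=pass (signature was verified) header.d=partner.example; compauth=pass reason=100\n"
    "From: Partner Contact <contact@partner.example>\n"
    "To: victim@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "Invoice attached.\n"
)

if __name__ == "__main__":
    print("smart host:", expected_smart_host(TENANT_DOMAIN))
    for name, sample in [("SPOOFED", SPOOFED), ("LEGIT_RELAY", LEGIT_RELAY),
                         ("EXTERNAL", EXTERNAL)]:
        print(name, "->", is_direct_send_spoof(sample))
```

The rule deliberately keys on the combination of an internal From domain, arrival via the tenant's own smart host and the absence of any passing authentication method; any one signal alone produces false positives, and devices that legitimately rely on Direct Send from addresses outside the SPF record will still match unless their IPs are allow-listed.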

In the phishing campaign observed by the cybersecurity firm, because the smart hosts were ...


Copyright of this story solely belongs to SecurityWeek.