Weaponizing Microsoft 365 Direct Send to Bypass Email Security Defenses
gbhackers
Security researchers at StrongestLayer, in collaboration with Jeremy, a seasoned Security Architect at a major manufacturing firm, have exposed a multi-layered spear phishing attack that exploits Microsoft 365’s Direct Send feature to infiltrate corporate email systems.
The campaign, flagged initially by StrongestLayer’s AI system TRACE, masqueraded as innocuous voicemail notifications from services like RingCentral, but forensic analysis revealed a calculated blend of authentication bypasses, obfuscated payloads, and hyper-personalized lures designed to harvest credentials from even vigilant users.
This incident underscores the evolving tactics of adversaries who weaponize legitimate cloud features against enterprise defenses, highlighting the critical intersection of automated AI detection and human-led investigation.
Sophisticated Spear Phishing Campaign
The attack chain began with emails exhibiting header anomalies that TRACE identified as inconsistent with legitimate traffic, including failures in SPF, DKIM, and DMARC authentication protocols.
These messages originated from unauthorized IP addresses tied to generic hosting providers in the ...
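The SPF, DKIM and DMARC failures described above can be triaged mechanically from the Authentication-Results header that the receiving mail service stamps. The following is an added example, not code from StrongestLayer or from the original article; the sample messages are constructed, and `INTERNAL_DOMAINS`, `triage` and the verdict names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

# Constructed sample: fails all three checks, claims an internal sender, and carries
# a sender-supplied Authentication-Results header lower down that claims a pass.
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.com
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Voicemail Service" <voicemail@example.com>
To: user@example.com
Subject: New voicemail

(body omitted)
"""

# Constructed sample: external sender that passes all three checks.
LEGIT = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=partner.example; dkim=pass (signature was verified) header.d=partner.example; dmarc=pass action=none header.from=partner.example
From: Billing <billing@partner.example>
To: user@example.com
Subject: Invoice

(body omitted)
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, keeping the topmost header's value.
    Headers are prepended in transit, so the topmost one was stamped last;
    anything below it may have been supplied by the sender."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in RESULT_RE.findall(header):
            results.setdefault(mech.lower(), verdict.lower())
    return results

def triage(raw):
    msg = message_from_string(raw)
    results = auth_results(msg)
    failed = sorted(m for m in ("spf", "dkim", "dmarc") if results.get(m, "none") != "pass")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumed policy: an internal From domain failing every check is quarantined.
    if len(failed) == 3 and from_domain in INTERNAL_DOMAINS:
        verdict = "quarantine"
    else:
        verdict = "review" if failed else "deliver"
    return {"from_domain": from_domain, "failed": failed, "verdict": verdict}
```

Where several relays stamp results, restrict the check to the header added by your own boundary before relying on the verdict.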
Copyright of this story solely belongs to gbhackers.