Microsoft 365 ‘Direct Send’ is a feature designed to allow devices and applications—such as printers, scanners, or cloud services—to send emails directly to internal recipients within an organization without requiring traditional email authentication like usernames and passwords. While this is convenient for legitimate business needs, it has also become a significant security risk via an ongoing phishing campaign.
How Direct Send works
Direct Send does not require a username and password, making it convenient for devices and applications that cannot store or use credentials securely. Despite the lack of authentication, the process ensures emails can only be sent to recipients within the organization’s Microsoft 365 tenant; messages to external domains are rejected.
Direct Send in Microsoft 365 is primarily designed for scenarios where devices or applications need to send email messages to internal recipients within the organization, but cannot or should not authenticate as a full mailbox user. For instance, devices like multifunction printers (MFPs) that scan documents and send them as email attachments to users within the organization or software used for business operations—such as appointment scheduling apps, customer relationship management (CRM) systems, or inventory management tools—that need to send notifications or reminders to internal staff or team members. It is also commonly used for automated systems that monitor network health, security events, or other operational metrics and send alerts or reports to internal recipients.
How Direct Send is Abused for Phishing
Attackers have discovered that Direct Send can be exploited to send phishing emails that appear to originate from internal users. Since Direct Send does not require authentication, anyone who knows the organization’s domain and the Direct Send endpoint (typically a “smart host” like tenant.mail.protection.outlook.com) can send email to internal recipients, spoofing the sender address as if it were from a legitimate internal user. The spoofed emails look like they come from within the organization, making them more convincing to recipients. If the spoofed sender is a real user, features like profile pictures and Teams information can further increase the email’s credibility. Many email security systems are also less likely to flag or block these emails because they appear to be internal and may not trigger traditional anti-spoofing or anti-phishing protections.
All the hacker needs is an internal email address, which isn’t hard to obtain. Attackers can use information from previous data breaches or open-source intelligence to identify valid internal email addresses, making their phishing attempts more targeted and effective.
Recent Campaigns and Impact
The technique has technically existed since 2016, and researchers have known about the method since late 2023 or early 2024. However, recent phishing campaigns have been discovered actively abusing Direct Send to send credential-stealing emails that bypass detection by email security solutions. This technique is now widely recognized as a significant threat, especially since it is relatively easy for attackers to identify vulnerable organizations and enumerate internal users.
Mitigation and Recommendations
Microsoft has acknowledged the risks and taken steps to help organizations protect themselves. In April 2025, Microsoft introduced a “Reject Direct Send” setting in the Exchange Admin Center, allowing organizations to block Direct Send unless they specifically require it. Organizations are advised to force all incoming mail through a trusted mail proxy (like Mimecast or Proofpoint) and configure connector rules in Exchange Online to block mail from untrusted sources.
Organizations should also enforce strict SPF, DKIM, and DMARC policies to reduce the risk of spoofing and ensure only authorized sources can send email on behalf of their domain. In addition, they should use Microsoft Defender for Office 365 to implement anti-phishing and anti-spoofing policies, and consider increasing the phishing threshold for more aggressive protection.
Organizations should also re-educate users to be cautious of internal-looking emails, especially those requesting sensitive information or actions.
Key Indicators of a Fraudulent Internal Email
The attack is very difficult for a business owner to discern. Here are some key indicators they can use:
• Unusual or Urgent Requests: Phishing emails like this often contain urgent calls to action, such as requests to verify credentials, review documents, or reset passwords. Legitimate internal communications rarely require immediate action without prior notice or context.
• Generic or Impersonal Greetings: Many phishing emails use generic salutations like “Dear user” instead of addressing the recipient by name, which is uncommon in genuine internal messages.
• Spelling and Grammar Errors: Professional organizations usually proofread their communications. Obvious errors or awkward phrasing can be a red flag.
• Suspicious Links or Attachments: Hovering over links may reveal URLs that do not match the organization’s domain or appear unrelated to the purported sender.
• Mismatched Sender Details: Even if the sender address looks correct, the display name, signature, or email structure may differ from known internal formats. Some phishing attempts use subtle misspellings or extra characters in the domain.
• First-Time or Infrequent Senders: If the email comes from a sender who rarely or never contacts the recipient, or if the sender is unknown, extra caution is warranted.
Technical and Administrative Tools
There are technical tools that can help differentiate these spoofed emails from legitimate communications.
• Spoof Intelligence Insight: Administrators can use Microsoft Defender for Office 365 to review spoof intelligence reports, which identify emails from internal domains that may have been spoofed. This helps detect when legitimate internal addresses are being used by unauthorized senders.
• Threat Explorer/Real-Time Detections: These tools allow security teams to investigate and track suspicious emails that have been delivered to user mailboxes, including those that may have bypassed initial security checks.
• Email Authentication Checks: Organizations should enforce SPF, DKIM, and DMARC policies to help detect and block spoofed emails. However, Direct Send abuse may bypass some of these checks, so additional vigilance is needed.
• User Reporting: Employees can report suspicious emails using the “Report phishing” feature in Outlook, which helps security teams quickly identify and respond to threats.
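The authentication-check and mismatched-sender indicators above can be applied automatically to message headers. The following is an added triage example, not code from the original article; it assumes the tenant owns example.com, that the Authentication-Results header carries the SPF/DKIM/DMARC verdicts, and that the X-MS-Exchange-Organization-AuthAs header records whether the message arrived over an authenticated connection. Both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # domains the tenant owns (hypothetical)

# Constructed sample: From claims the tenant's own domain, but the message came
# in unauthenticated from an outside IP and failed SPF and DMARC.
SPOOFED = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Action required: verify your password today
"""
# Constructed sample: a genuine internal message that passed every check.
LEGIT = """\
Return-Path: <bob@example.com>
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass
 header.d=example.com; dmarc=pass action=none header.from=example.com
X-MS-Exchange-Organization-AuthAs: Internal
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?
"""

def parse_auth_results(value):
    """Map each mechanism in an Authentication-Results header to its verdict."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))

def triage(raw, internal_domains=INTERNAL_DOMAINS):
    """Return the Direct Send abuse signals found in one raw message; [] if none."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in internal_domains:
        return []  # external senders are covered by the normal anti-phish policies
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    if auth.get("spf") != "pass":
        findings.append(f"internal From but spf={auth.get('spf', 'missing')}")
    if auth.get("dkim") != "pass":
        findings.append("internal From but no valid DKIM signature")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the tenant's own domain")
    if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "anonymous":
        findings.append("accepted over an anonymous (unauthenticated) connection")
    return findings
```

A message that produces one or more findings is a candidate for review in Threat Explorer rather than an automatic block, since a legitimate printer or application using Direct Send will also show an anonymous connection.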
Summary of Fraudulent Direct Send Indicators
| Indicator/Tool | Description/How to Use |
|---|---|
| Urgent or unusual requests | Be wary of sudden demands for sensitive info or actions |
| Generic greetings | Look for impersonal or vague salutations |
| Spelling/grammar errors | Errors may indicate a scam |
| Suspicious links or attachments | Hover over links; check for mismatched or odd URLs |
| Mismatched sender details | Compare sender info with known internal contacts |
| Spoof Intelligence Insight | Use Defender to detect spoofed internal emails |
| Threat Explorer/Real-Time Detections | Investigate suspicious delivered emails |
| Email authentication (SPF/DKIM/DMARC) | Enforce to help block spoofing (but not always sufficient) |
| User reporting | Use Outlook’s “Report phishing” to alert security teams |