Phishing, once typified by crude email scams and glaring grammatical missteps, has evolved with ruthless efficiency in today’s cloud-first workplaces. Nowhere is this threat more acute than in environments running Microsoft 365, the backbone of modern digital collaboration. A recent in-depth analysis and user reports have shone a harsh light on a particularly insidious and rising danger: exploitation of the Microsoft 365 “Direct Send” feature for internal phishing campaigns—a tactic that blends technical sophistication with psychological manipulation, and which has outpaced traditional security architectures.

Anatomy of the Threat: How Microsoft 365’s Direct Send Became a Weapon

Direct Send, by design, is a convenience feature. It lets devices and applications on the corporate network (multifunction printers, line-of-business applications, legacy on-prem tools) send email to the organization's own users by connecting to the tenant's MX endpoint (the *.mail.protection.outlook.com host) on TCP port 25, with no credentials and no user-level authentication. The only constraint is the destination: every recipient must be in one of the tenant's accepted domains; Direct Send cannot deliver to external addresses. Microsoft's guidance is to add the sending device's public IP to the domain's SPF record so that its mail is not treated as spoofed, but nothing enforces that. The intent is operational efficiency, particularly in mature enterprises with a mixture of legacy and modern systems.

But there's a catch. As Proofpoint researchers and independent threat labs have demonstrated, Direct Send performs no sender verification at all: the MX endpoint is reachable from anywhere on the Internet, and the only thing it checks is that the recipient belongs to the tenant. Anyone who knows a company's domain and email address format can connect from their own infrastructure and submit messages whose From address is an internal user. Exchange Online Protection does evaluate these messages, but because they carry an internal sender and show none of the hallmarks of bulk external spam, they often land in users' main inboxes or, at worst, the Junk Email folder, a location many users check routinely.

A Playbook for Internal Deception: What Makes These Attacks So Potent?

At the center of this abuse is a multi-stage chain of compromise:

  1. Initial Access: Attackers gain remote desktop (RDP, TCP port 3389) access to Windows Server 2022 virtual hosts, often leased from virtual private server (VPS) or IaaS providers. These servers act as staging grounds for coordinated attacks.

  2. Relay Exploitation: The attackers identify poorly secured SMTP relay appliances, often third-party email security devices installed for filtering or compliance and then neglected or left on default configurations. Many present valid DigiCert TLS certificates (lending credibility) and advertise AUTH PLAIN and AUTH LOGIN over STARTTLS. At the same time they frequently expose additional services on ports 8008, 8010 and 8015, sometimes protected by nothing stronger than expired or self-signed certificates.

  3. Message Injection: From the compromised relays, attackers submit phishing messages to the target tenant's MX endpoint, spoofed to carry an internal From address so that they read as legitimate internal communications. Because Direct Send demands no credentials, nothing in the submission path challenges the forged sender, and to an unwary recipient the illusion is nearly perfect.

  4. Delivery and Authentication Failure: Exchange Online Protection's composite authentication usually does notice: SPF fails (the relay's IP is not in the organization's SPF record), there is no DKIM signature, and DMARC fails, so the message is stamped compauth=fail. But the default anti-phishing policy action for a spoofed sender is to move the message to the Junk Email folder, not to reject or quarantine it. End users, trained to trust internal senders, retrieve the message from Junk and act on it despite the subtle warnings.

The Psychology of Internal Phishing: Why Users Fall for It

Unlike classic phishing, where an email from a “Nigerian prince” or a fake bank throws off obvious red flags, internal phishing campaigns leverage the implicit trust employees have in internal communications. Common lures mimic routine business operations:
- Voicemail or call notifications
- Task reminders with specific dates
- Payment and wire transfer authorizations
- Urgent payroll or department head updates

These messages copy the cadence and appearance of normal workflow, are often customized using public information, and take advantage of the fact that users are generally less suspicious—or more pressured to respond—when an email appears to come from a boss, IT administrator, or familiar internal tool.

Case Study: Quishing—QR Code Phishing with Direct Send

Recent campaigns, such as those detailed by Varonis Threat Labs and other cybersecurity researchers, have upped the ante with "quishing": embedding malicious QR codes inside seemingly routine internal emails. When scanned, the codes direct employees to credential-harvesting pages crafted to mirror the Microsoft 365 sign-in screen. Because the URL lives inside an image, often within a PDF attachment styled as a voicemail notification, link scanning and URL rewriting in the mail pipeline never see it, and the scan typically happens on a personal mobile device outside the organization's web filtering.

Varonis found that since May 2025, over 70 organizations—spanning finance, healthcare, insurance, and manufacturing—have been targeted by Direct Send quishing attacks. Most of the targets were in the U.S., underscoring both the pervasiveness and the effectiveness of this tactic within organizations reliant on Microsoft 365 for daily operations.

Attack Infrastructure: Blending In to Evade Detection

What sets this threat apart is the technical effort devoted to evasion and persistence:
- Cloud Infrastructure Abuse: By relaying phishing emails through trusted third-party appliances using valid certificates and modern encryption protocols, attackers seamlessly blend into normal business traffic.
- Rapid Turnover: IP addresses, host certificates, and relay devices are frequently rotated to evade blocklists or signature-based detection.
- Forensic Breadcrumbs: Each phase of the attack leaves artifacts behind: expired or self-signed TLS certificates on the relays, recurring source IP addresses (163.5.112.86 and 163.5.160.28 among those reported), and composite authentication failures (compauth=fail in the Authentication-Results header stamped by Exchange Online Protection). These details are the defender's foothold, but they also show how much infrastructure the attackers are prepared to burn.

Community Insights: Real-World Challenges and Organizational Impact

Discussion threads on technical forums reveal growing anxiety and frustration among IT administrators and security teams. Many organizations, especially those with aging infrastructure or a blend of cloud and on-prem solutions, struggle to maintain airtight relay configurations or keep up with required certificate management.

Comments from practitioners highlight recurring obstacles:
- Balancing Productivity with Security: Aggressive anti-spoofing or disabling Direct Send altogether can disrupt legitimate workflows—users still need printers and legacy apps to function, especially in manufacturing, healthcare, and finance.
- Security Training Is Not Enough: Even regular phishing simulations and awareness sessions fall short if the technical scaffolding isn’t in place; staff may ignore “junk” alerts, or succumb to urgency under deadline pressure.
- Threats Outpace Defenses: With attackers continually refining their social engineering methods and leveraging automation, the risk surface expands faster than most in-house teams can adapt.

Technical and Process Recommendations: Closing the Loophole

The combined advice of researchers, product documentation, and community expertise points to a multi-layered defense strategy:

1. Audit and Harden Direct Send Usage

  • Disable Direct Send if at all possible. Exchange Online exposes a tenant-level switch in PowerShell: Set-OrganizationConfig -RejectDirectSend $true. Once enabled, unauthenticated messages to the MX endpoint that are not attributed to the tenant through a connector are rejected with a 550 5.7.68 NDR, which also surfaces any forgotten device that was still relying on the feature. Check the current state with Get-OrganizationConfig | Select-Object RejectDirectSend. Any exception must be tightly managed, audited and justified.
  • Enumerate every device and application that relays mail and move each one to a sanctioned path: SMTP AUTH client submission (smtp.office365.com on port 587 with a dedicated, single-purpose mailbox) for devices that can authenticate, or an inbound connector scoped to the device's static public IP for those that cannot. Allowlist IPs, not domains, and review the list periodically.
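The audit-then-restrict sequence the two bullets above describe, as an added example in Exchange Online PowerShell; this is not code from the article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator role, a hypothetical accepted domain contoso.com, a hypothetical scanner mailbox scanner@contoso.com that can authenticate, and a hypothetical print-room device at 203.0.113.10 that cannot and therefore needs an IP-scoped connector.

```powershell
# Added example: audit and lock down Direct Send. contoso.com, scanner@contoso.com
# and 203.0.113.10 are hypothetical; the cmdlets are standard Exchange Online PowerShell.
Connect-ExchangeOnline

# 1. Current state. RejectDirectSend defaults to $false, i.e. Direct Send is allowed.
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# 2. Every accepted domain is a domain an attacker can put in the From header.
Get-AcceptedDomain | Select-Object DomainName, DomainType

# 3a. Devices that can authenticate: disable SMTP AUTH tenant-wide, then re-enable it
#     only for the dedicated device mailbox that submits via smtp.office365.com:587.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false

# 3b. Devices that cannot authenticate: attribute their traffic to the tenant through
#     an inbound connector pinned to their static public IP. Mail arriving through the
#     connector is no longer anonymous Direct Send, and RestrictDomainsToIPAddresses
#     makes EOP reject mail claiming to be from contoso.com that comes from any other IP.
$deviceIps = @('203.0.113.10')   # hypothetical: the print-room MFP
New-InboundConnector -Name 'Print-room MFP relay' `
    -ConnectorType OnPremises `
    -SenderDomains 'contoso.com' `
    -SenderIPAddresses $deviceIps `
    -RestrictDomainsToIPAddresses $true `
    -Comment 'Only this IP may submit unauthenticated mail as contoso.com'

# 4. With the sanctioned paths in place, reject everything else that reaches the MX
#    endpoint without authentication. Rejected submissions receive an NDR
#    (550 5.7.68 TenantInboundAttribution ...), which doubles as an inventory of
#    forgotten devices: watch the help desk queue after the change.
Set-OrganizationConfig -RejectDirectSend $true

# 5. Verify and capture the result for the change record.
Get-OrganizationConfig | Select-Object RejectDirectSend
Get-InboundConnector | Select-Object Name, SenderIPAddresses, RestrictDomainsToIPAddresses

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 4 only after steps 3a and 3b are confirmed working. RestrictDomainsToIPAddresses $true also rejects legitimate third-party services that send as contoso.com from unlisted IPs (marketing or ticketing platforms, for example), so enumerate those sources and add their IPs, or give them their own connector, before enabling it.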

2. Secure Gateway and Appliance Infrastructure

  • Patch and update all third-party security appliances and SMTP relays.
  • Close unused ports, enforce valid, non-expired TLS certificates, and make sure the appliance will not relay for unauthenticated sources (test it as an open relay from outside the network, not just from the LAN).
  • Remove unsupported legacy devices from production, or at minimum, place them behind additional network segmentation.

3. Strengthen Authentication and Policy Enforcement

  • Publish strict SPF (-all), sign outbound mail with DKIM, and move DMARC to p=quarantine or p=reject rather than p=none. Note that Exchange Online Protection does not reject on a DMARC failure by itself: the anti-phishing policy must be configured to honor the sender domain's DMARC policy and to quarantine (rather than junk) messages that fail authentication, or a p=reject record still ends in a Junk-folder delivery.
  • Monitor composite authentication results (compauth=fail in the Authentication-Results header) and alert on messages whose From address is in one of your accepted domains but which arrived anonymously (X-MS-Exchange-Organization-AuthAs: Anonymous) from an IP outside your sanctioned device list. Those two conditions together are the signature of Direct Send abuse.
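The policy changes the two bullets above call for, as an added Exchange Online PowerShell example; this is not code from the article or from Microsoft. It assumes the default anti-phishing policy name 'Office365 AntiPhish Default', the hypothetical accepted domain contoso.com and a hypothetical sanctioned relay at 203.0.113.10 that is allowed to send unauthenticated mail as that domain.

```powershell
# Added example: make authentication failures bite, and catch anonymous mail that
# claims an internal sender. contoso.com and 203.0.113.10 are hypothetical.
Connect-ExchangeOnline

# 1. Default handling sends a spoofed sender to the Junk folder, where users go looking
#    for "missing" internal mail. Quarantine it instead, and honour the sending domain's
#    published DMARC policy (p=reject -> reject, p=quarantine -> quarantine) rather than
#    EOP's softer legacy treatment of DMARC failures.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true

# 2. A mail flow rule for the Direct Send signature itself: the From domain is ours, but
#    the message arrived with no SMTP AUTH and no attributed connector. EOP strips
#    X-MS-Exchange-Organization-* headers from inbound mail and re-stamps them, so an
#    external sender cannot forge the AuthAs value.
New-TransportRule -Name 'Reject anonymous mail claiming contoso.com' `
    -SenderDomainIs 'contoso.com' `
    -HeaderMatchesMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -HeaderMatchesPatterns 'Anonymous' `
    -ExceptIfSenderIpRanges '203.0.113.10' `
    -RejectMessageReasonText 'Unauthenticated mail claiming an internal sender is not accepted' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Priority 0

# 3. Audit mode logs the would-be reject in message trace without applying it. Review
#    the hits, then switch to enforcement once the false-positive list is empty.
Get-TransportRule -Identity 'Reject anonymous mail claiming contoso.com' | Select-Object Name, Mode, State
# Set-TransportRule -Identity 'Reject anonymous mail claiming contoso.com' -Mode Enforce

Disconnect-ExchangeOnline -Confirm:$false
```

If the tenant has custom anti-phishing policies with a higher priority than the default, apply step 1 to each of them too, otherwise the default policy's settings never take effect for the users those policies cover. The transport rule is deliberately scoped to one domain; add a rule per accepted domain, or use -SenderDomainIs with a list, rather than matching every domain with a wildcard.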

4. Leverage Advanced Security and Threat Intelligence

  • Layer third-party, AI-powered email security tools (e.g., Proofpoint, Mimecast, Cisco) atop Microsoft’s built-in solutions to close detection gaps.
  • Implement real-time sandboxing for attachments and suspicious links.
  • Subscribe to threat feeds and routinely crosscheck environment logs against known indicators of compromise.

5. Build and Test Incident Response Playbooks

  • Update playbooks to specifically include internal phishing and relay-based impersonation scenarios.
  • Ensure forensic collection is comprehensive: full message headers (including the Authentication-Results and X-MS-Exchange-Organization-* headers as stamped by EOP), message trace results, and relay or appliance logs, so that the path from source IP to inbox can be reconstructed quickly.
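A header-triage helper for the forensic artifacts listed above and in the "Forensic Breadcrumbs" and monitoring bullets earlier, as an added PowerShell example that is not code from the article or from any vendor. It parses a raw header block for the fields that identify Direct Send abuse (From domain, EOP's AuthAs stamp, the SPF/DMARC/compauth verdicts and the connecting IP) and returns a verdict. The three header samples are constructed for this example: contoso.com, the print-room IP 203.0.113.10, the partner domain example.net and the timestamps are hypothetical, and 163.5.112.86 is taken from the indicator list the article cites.

```powershell
# Added example: classify a message from its headers. Constructed data throughout.
function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string[]]$AcceptedDomains    = @('contoso.com'),   # hypothetical tenant domain
        [string[]]$SanctionedRelayIps = @('203.0.113.10')   # hypothetical print-room MFP
    )
    # Unfold RFC 5322 continuation lines so each header is a single line for the regexes.
    $h = $RawHeaders -replace '\r?\n[ \t]+', ' '

    $fromDomain = if ($h -match '(?im)^From:[^\n]*@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { '' }
    $authAs     = if ($h -match '(?im)^X-MS-Exchange-Organization-AuthAs:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
    $compauth   = if ($h -match 'compauth=(\w+)') { $Matches[1] } else { 'none' }
    $spf        = if ($h -match 'spf=(\w+)')      { $Matches[1] } else { 'none' }
    $dmarc      = if ($h -match 'dmarc=(\w+)')    { $Matches[1] } else { 'none' }
    # EOP writes the connecting IP into its Authentication-Results SPF clause.
    $senderIp   = if ($h -match 'sender IP is (\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { '' }

    $claimsInternal = $fromDomain -in $AcceptedDomains
    $sanctioned     = $senderIp -in $SanctionedRelayIps

    # Direct Send abuse = internal From domain + anonymous submission + unknown source IP.
    $verdict = if (-not $claimsInternal)         { 'external-sender' }
               elseif ($authAs -ne 'Anonymous')   { 'authenticated-internal' }
               elseif ($sanctioned)               { 'sanctioned-device' }
               else                               { 'SPOOFED-INTERNAL' }

    [pscustomobject]@{
        FromDomain = $fromDomain; AuthAs = $authAs; SenderIp = $senderIp
        SPF = $spf; DMARC = $dmarc; CompAuth = $compauth; Verdict = $verdict
        Notes = if ($verdict -eq 'sanctioned-device' -and $spf -ne 'pass') { 'device IP missing from SPF' } else { '' }
    }
}

# Constructed sample 1: the quishing lure, submitted anonymously from the attacker relay.
$spoofed = @'
Received: from unknown (HELO mail.contoso.com) (163.5.112.86)
 by tenant.mail.protection.outlook.com with SMTP; Wed, 18 Jun 2025 09:14:02 +0000
Authentication-Results: spf=fail (sender IP is 163.5.112.86)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Contoso Voicemail" <voicemail@contoso.com>
To: alice@contoso.com
Subject: New voicemail (0:42) - scan the QR code to listen
'@

# Constructed sample 2: the legitimate print-room device using Direct Send.
$scanner = @'
Received: from printer01.contoso.local (203.0.113.10)
 by tenant.mail.protection.outlook.com with SMTP; Wed, 18 Jun 2025 09:20:11 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
From: scanner@contoso.com
To: alice@contoso.com
Subject: Scanned document from MFP-2F
'@

# Constructed sample 3: ordinary external mail that passes authentication.
$external = @'
Received: from mail.example.net (198.51.100.7)
 by tenant.mail.protection.outlook.com with SMTP; Wed, 18 Jun 2025 09:31:45 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=example.net; dkim=pass (signature was verified) header.d=example.net;
 dmarc=pass action=none header.from=example.net; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Bob Partner <bob@example.net>
To: alice@contoso.com
Subject: Re: Q3 contract
'@

$samples = [ordered]@{
    'spoofed voicemail lure' = $spoofed
    'print-room scanner'     = $scanner
    'external partner'       = $external
}
foreach ($name in $samples.Keys) {
    Test-DirectSendSpoof -RawHeaders $samples[$name] |
        Select-Object @{n = 'Sample'; e = { $name }}, Verdict, AuthAs, SenderIp, SPF, DMARC, CompAuth, Notes
}
```

Only the first sample should come back as SPOOFED-INTERNAL; the scanner is sanctioned-device and the partner is external-sender. In real triage, feed the function the headers from the message itself or from Get-MessageTraceDetail, and read the Authentication-Results line that Exchange Online Protection added (the top-most one naming protection.outlook.com), since an attacker can prepend a forged Authentication-Results header of their own.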

6. User Training—with Technical Backstop

  • Regular, scenario-based phishing training remains important, but alone is insufficient.
  • Simulated internal phishing should be staged to test readiness, but technical controls are needed to reinforce behavioral defenses.

Critical Analysis: The Bigger Picture—Strengths, Weaknesses, and Evolving Risks

Strengths of the Attack Vector

  • Exploits Trust: Messages that appear internal carry an authority that is hard to replicate with “external” phishing.
  • Evades Perimeter Assumptions: Filtering rules, allowlists and user instincts all treat mail from the organization's own domain more leniently than mail from strangers, and many tenants never tuned the default spoof handling beyond "move to Junk".
  • Abuses Trusted Infrastructure: Chaining legitimate cloud services and certified relays makes detection exponentially harder.

Weaknesses and Opportunities for Defense

  • Authentication Failures Leave Traces: Even carefully crafted attacks fail SPF, DKIM and DMARC, because the attacker controls neither the organization's DNS nor its signing keys; that failure is a reliable detection lever for administrators.
  • Dependency on Misconfigured Appliances: Many attacks rely on known or easily discoverable weaknesses in relays and certificates—a fixable problem with the right investment.

Persistent and Emerging Risks

  • Operational Hesitancy: IT teams are reluctant to implement strict mail flow or authentication policies that might interrupt critical workflows—a tension attackers exploit.
  • Rapid Attacker Adaptation: Malicious actors quickly iterate on relay infrastructure and social engineering, constantly refreshing their approaches.
  • Blurring of Internal/External Boundaries: Cloud adoption and hybrid workplaces make the concept of a “trusted” perimeter obsolete; adversaries continually exploit this shift.

The Path Forward: Proactive, Layered Cloud Security

The abuse of Microsoft 365’s Direct Send is not an isolated exploit; it is emblematic of the larger transformation of trusted cloud services into potent vectors for attack. With the boundary between internal and external increasingly porous, a new security paradigm is required—one that combines process rigor, technical controls, threat intelligence, and relentless user education.

Enterprises must move from “good enough” email hygiene to proactive, adaptive security frameworks that anticipate adversary innovation rather than merely reacting to yesterday’s threat. Trust, once broken—even in internal communications—is difficult to restore. As defenders, the imperative is not simply to keep attackers out, but to make every attempted exploitation increasingly expensive, visible, and short-lived.

The evolving Microsoft 365 threat landscape reminds us: The greatest risk often hides behind the most familiar face. It is what we trust most that may one day surprise us the most—and that trust is a vector every security strategy must now rigorously defend.