A silent crisis is unfolding within Microsoft 365 environments as attackers turn the platform’s own trusted features against its users. The rise of sophisticated phishing campaigns leveraging Microsoft 365’s Direct Send functionality marks a pivotal shift in the cyber threat landscape—one that shakes the very foundation of internal communication trust within enterprises. Unlike traditional phishing that masquerades as external contacts or brands, this new paradigm exploits an often-overlooked mail relay feature, bypassing typical security controls and creating emails that appear to come from a colleague, a department lead, or a trusted internal system. As researchers, practitioners, and everyday users come to grips with this threat, the community dialogue and technical evidence point to pressing risks—and practical countermoves—that every organization urgently needs to understand.

Understanding Direct Send: Convenience Becomes a Double-Edged Sword

Microsoft 365’s Direct Send was conceived as a means to enable on-premises devices (like printers, scanners, or legacy business applications) to easily email users within the corporate domain. The rule is simple: as long as the message is addressed to a valid internal recipient, the infrastructure allows delivery—no standard user authentication is required, and the connection rides on established IP and protocol trust. This setup streamlines workflows, especially for environments reliant on a mix of cloud and legacy on-premises tech.

However, it is precisely this “trust by connection” model that, when not vigilantly regulated, creates a gaping vulnerability. Attackers are now able to inject emails directly into internal mail streams using infrastructure that the organization itself has sanctioned. They don't need valid user credentials or compromised accounts; instead, they abuse misplaced permissions, misconfigured relay appliances, and the innate trust baked into internal traffic flows.

The Anatomy of a Modern Internal Phishing Attack

Step One: Gaining Initial Access

Adversaries often begin by establishing control over a Windows Server 2022 host—typically through exposed Remote Desktop Protocol (RDP) ports like 3389, using either brute-force tactics or credential theft. These hosts, usually leased from legitimate virtual private server (VPS) providers, provide a credible and reliable launchpad for further stages of the attack.

Step Two: Relay Exploitation

The next move is to identify and abuse poorly secured third-party SMTP relay appliances. Many organizations deploy these appliances—sometimes intended as security gateways or for mail archival purposes—without robust authentication or with expired/self-signed SSL certificates. Attackers leverage open management ports (8008, 8010, 8015) or use default credentials to turn these relays into anonymous mail laundries. Some even present valid DigiCert SSL certificates, further cloaking the activity in legitimacy.

Step Three: Crafting the Perfect Impersonation

From these relays, the adversaries inject emails into Microsoft 365 tenants using cleverly spoofed internal sender addresses. These messages—bearing familiar formats like “voicemail notifications,” “task reminders,” or “wire authorization requests”—are nearly indistinguishable from real business communications. The attackers carefully design them to elicit urgent action or entice curiosity, increasing the likelihood of engagement.

Step Four: Message Delivery and Defense Evasion

The abuse of Direct Send means these emails are delivered straight into internal mailboxes—often bypassing frontline security tools. Despite failing SPF, DKIM, or DMARC checks, many of these messages end up in users’ junk folders rather than being blocked. The presumption of internal safety, however, leads users to fish out messages from these folders—eroding the last line of defense that could have stopped the attack from succeeding.

Why Is This Form of Phishing So Effective?

Several factors contribute to the potency and high success rates of these attacks:

  • Implicit Trust in Internal Communications: Users are conditioned to question external emails but believe internal ones to be genuine. This psychological “safe zone” is precisely what the attackers exploit.
  • Bypassing Technical Controls: Security tools and mail policies are typically optimized for external threats, leaving internal flows with lighter scrutiny.
  • Abuse of Legacy and Cloud Infrastructure: Many relays at the boundary of on-premises and cloud environments are not sufficiently hardened, providing attackers the very channel they need.
  • Sophisticated Social Engineering: Campaigns reported by researchers such as Proofpoint have included not only realistic message formats but also fine-tuned timing and subject matter that plays into routine workflows and business cycles.

Not Just Credential Theft: The True Scope of Damage

While credential harvesting remains a core objective, the damage does not stop there. Successful internal phishing can enable:

  • Business Email Compromise (BEC): Fraudulent wire transfer or invoice redirection schemes, often carried out with uncanny precision due to apparent internal origin.
  • Malware/Ransomware Propagation: Malicious attachments, once trusted and opened by employees, can unleash widespread compromise.
  • Lateral Movement: Attackers can pivot from the initial victim to more privileged accounts, increasing the breach’s scope and depth.
  • Erosion of Organizational Trust: Once employees lose faith in internal email integrity, overall productivity and collaboration suffer—a hidden but severe operational cost.

Technical Deep Dive: How Direct Send and SMTP Relay Abuse Combine

Direct Send’s lack of user authentication—relying instead on IP and domain-based “trust boundaries”—is both its greatest convenience and its Achilles’ heel. Unlike authenticated SMTP submission, which is tied to individual mailboxes and generally protected by multi-factor authentication (MFA), Direct Send requires no credentials.

Attackers exploit this by ensuring their mail relay source is within the trusted envelope—either by using compromised infrastructure or opportunistically misconfigured devices. With access to the right relay, all that’s left is to accurately mimic organizational sender address formats—a task made easier by the prevalence of information about internal structure available online or via social engineering.

A Closer Look at Key Infrastructure Exploited

Proofpoint and community analysis have identified attack infrastructure with the following characteristics:

Artifact Type      Indicator/Description
SSL Certificate    CN=WIN-BUNS25TD77J (self-signed)
IP Addresses       163.5.112.86, 163.5.160.28, 163.5.160.119, 163.5.160.143, 163.5.169.53 (SMTP hosts)
SMTP Ports         8008, 8010, 8015 (open for relays)

Administrators should monitor logs for these and similar fingerprints to catch ongoing compromise attempts.
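
As an added illustration that is not part of the original analysis, the following Python triage function applies the detection hooks discussed so far (an internal From: domain arriving over a relay that is not on the allowlist, failed spf/dkim/dmarc verdicts in the Exchange Online Authentication-Results header, and the SMTP host indicators from the table) to constructed sample headers; the tenant domain example.com and the authorised relay 10.20.30.40 are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical tenant domain and the only relay IP that may inject
# unauthenticated mail into it (both constructed for this example).
INTERNAL_DOMAIN = "example.com"
AUTHORIZED_RELAYS = {"10.20.30.40"}
# SMTP hosts listed in the indicator table above.
KNOWN_BAD_SMTP_HOSTS = {"163.5.112.86", "163.5.160.28", "163.5.160.119",
                        "163.5.160.143", "163.5.169.53"}

def triage(raw_message):
    """Flag mail with an internal From: domain that arrived over an unlisted
    relay or failed SPF/DKIM/DMARC, and any mail from a known indicator IP."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    # Exchange Online writes verdicts as spf=/dkim=/dmarc= and the connecting
    # host as "sender IP is a.b.c.d" in this header.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    ip_match = re.search(r"sender IP is ([\d.]+)", auth)
    source_ip = ip_match.group(1) if ip_match else None
    reasons = []
    if from_domain == INTERNAL_DOMAIN:
        if source_ip and source_ip not in AUTHORIZED_RELAYS:
            reasons.append(f"internal sender via unlisted relay {source_ip}")
        for check in ("spf", "dkim", "dmarc"):
            if verdicts.get(check, "none") != "pass":
                reasons.append(f"{check}={verdicts.get(check, 'none')}")
    if source_ip in KNOWN_BAD_SMTP_HOSTS:
        reasons.append("source IP matches published indicator")
    return {"from_domain": from_domain, "source_ip": source_ip,
            "reasons": reasons, "suspicious": bool(reasons)}

# Constructed samples: a spoofed lure via a listed host, and a real scanner.
SPOOFED = """\
From: "Voicemail Service" <voicemail@example.com>
Subject: Voicemail notification (1 new message)
Authentication-Results: spf=fail (sender IP is 163.5.160.28)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.com;
"""
LEGIT = """\
From: scanner@example.com
Subject: Scanned document
Authentication-Results: spf=pass (sender IP is 10.20.30.40)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com;
"""
```

The same logic can be run over exported message traces or a SIEM feed of Authentication-Results values; only the allowlist and indicator sets need to be maintained.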

The Community Perspective: Real-World Impact and Challenges

Discussions and upvotes across Windows-focused security forums indicate a growing recognition of the dangers posed by Direct Send abuse. Security teams share stories of perplexing internal phishing incidents that initially evaded all standard filtering. The consensus is clear: “default-deny” for external threats no longer provides adequate protection in a world where the attack is coming from “inside the house.”

A recurring theme is the challenge of balancing operational needs (such as supporting legacy line-of-business applications or networked printing) against a robust security posture. Community members lament the complexity of auditing all possible relay and mail flow points in large hybrid environments, particularly when IT inherited legacy configurations. There is palpable concern about organizations disabling security controls out of fear of disrupting business-critical automation, only to later discover these same settings left a door open for attackers.

Effective Defenses: What Actually Works?

Security experts and experienced admins don’t mince words: while user training and phishing simulations are important, they cannot substitute for rigorous technical controls. The collective wisdom boils down to several actionable steps, all validated by multiple independent sources:

1. Audit and Limit Direct Send Usage

  • Inventory all usage of Direct Send: If it’s not strictly required, disable it organization-wide (Set-OrganizationConfig -RejectDirectSend $true). For indispensable uses, ensure they are tightly scoped to trusted subnets, authenticated devices, and specific business processes.

2. Harden SMTP Relays and Email Authentication

  • Close open relays; enforce only necessary ports.
  • Apply strict SSL/TLS certificate validation—no expired or self-signed certs.
  • Use strong sender authentication: SPF with hard fail (-all), mandatory DKIM signing, and strict DMARC policies (p=reject for spoofed mail).

3. Beyond Native Defenses: Layered Security

  • Deploy third-party security solutions (e.g., Proofpoint, Mimecast, Cisco Email Security) that analyze mailflow, detect anomalous internal traffic, and leverage threat intelligence.
  • Monitor SIEM solutions for cross-boundary relay use, authentication failures, and changes in normal sender behavior.

4. Optimize End-User Security Measures

  • Augment traditional security training with scenarios specifically focused on internal-looking phishing.
  • Regularly simulate advanced attacks to gauge readiness and reinforce a culture of healthy skepticism—even for internal messages.

5. Incident Readiness

  • Update playbooks to anticipate internal spoofing and relay compromise.
  • Ensure forensic visibility into mail headers, relay traffic, and authentication/reporting logs.
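
To make step 2 checkable, here is an added Python checker (not from the article or any vendor) that scores SPF and DMARC TXT records against the hard fail (-all) and p=reject settings called for above, using constructed records; spf.protection.outlook.com is the Microsoft 365 SPF include, and ip4:10.20.30.40 stands in for a hypothetical on-premises relay.

```python
def assess_spf(record):
    """Return the weaknesses found in an SPF TXT record (empty list = strict)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    qualifier_all = terms[-1].lower()
    if qualifier_all in ("all", "+all"):
        return ["'+all' authorises every sender on the internet"]
    if qualifier_all == "~all":
        return ["softfail '~all' only tags spoofed mail; use hard fail '-all'"]
    if qualifier_all == "?all":
        return ["neutral '?all' gives no protection; use hard fail '-all'"]
    if qualifier_all != "-all":
        return ["no terminating 'all' mechanism; append '-all'"]
    return []

def assess_dmarc(record):
    """Return the weaknesses found in a DMARC TXT record (empty list = strict)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy != "reject":
        issues.append(f"p={policy}: spoofed mail is not rejected; set p=reject")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p
    if subdomain_policy != "reject":
        issues.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    return issues

# Constructed records: a lenient tenant and the hardened equivalent.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:10.20.30.40 -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

Feed the functions the live TXT records for your domain and _dmarc subdomain from any resolver; they inspect only the record string.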

Critical Analysis: Strengths and Weaknesses of the Attack—and Gaps in Defense

Strengths of the Attack

  • Stealth: By mimicking routine workflows, adversaries avoid suspicion and technical warning flags.
  • Operational Discipline: The use of valid certificates, careful relay hygiene, and infrastructure rotation make traditional blocklisting almost useless.
  • Cloud-Native Agility: Attackers can exploit regional Infrastructure-as-a-Service (IaaS) to spin up new relay appliances as old ones are discovered and shut down.

Weaknesses and Defensive Levers

  • Failure of Email Authentication: Even advanced attacks occasionally trip up on SPF, DKIM, or DMARC failures, giving defenders a detection hook—if policies are stringent and monitoring is active.
  • Reliance on Neglected Infrastructure: Attacks depend on finding at least one improperly secured relay.
  • Forensic Breadcrumbs: IP addresses, certificates, and relay logs provide incident responders with material to trace back and react—provided the organization actually reviews these indicators.

Persistent Risks

  • Lack of Visibility: Many organizations do not monitor internal-to-internal email to the same degree as inbound mail, creating blind spots.
  • Operational Disruption Fears: A desire not to interrupt business-critical automation leads to lax controls—and lingering exposure.
  • Evolving Tactics: Adversaries are quickly adapting, turning to new relays or infrastructures as effectiveness wanes in one domain.

The Strategic Imperative: Trust, Zero Trust, and the Future of Email Security

The abuse of Microsoft 365’s Direct Send and the chain of SMTP relay compromise represents a broad warning to anyone invested in email security: no feature, however convenient, is immune from exploitation. The shift to cloud and hybrid work has obliterated the perimeter, and what was once “internal” can now be spoofed by anyone clever enough to subvert the underlying infrastructure.

Enterprises must now think in terms of “zero trust”—not just for user authentication, but for every aspect of communication and workflow. All messages, regardless of perceived origin, should be validated. Continuous monitoring and frequent penetration testing for internal spoofing scenarios must become standard operating procedure. As toolkits and tutorials for Direct Send abuse circulate on underground forums, only organizations with proactive oversight, aggressive configuration management, and layered defense will succeed in keeping the next generation of phishing attacks at bay.

Conclusion: Turning Knowledge into Defense

The rise of internal phishing via Microsoft 365’s Direct Send represents a paradigm shift fraught with new risk—and organizational opportunity. Those who act now, auditing the dark corners of their cloud and legacy infrastructure, implementing strict authentication controls, and teaching users to “trust, but verify” even internal messages, can dramatically reduce exposure.

Microsoft 365’s flexibility is here to stay, but so are adversaries seeking to weaponize that flexibility. The lesson is clear: internal does not always mean trustworthy. In an age of relentless cloud-powered phishing, defenders must turn every feature into a potential point of vigilance, not blind comfort. Only by fusing technical rigor, ongoing education, and a willingness to adapt policies for the realities of hybrid work, can organizations defend not just their systems—but the very trust on which digital business runs.