Rise of Internally Spoofed Phishing: Abusing Microsoft 365's Direct Send Feature

A sophisticated phishing campaign is exploiting a legitimate Microsoft 365 feature to bypass email security controls and target organizations with highly convincing, internally spoofed emails. This new wave of attacks, which has already impacted over 70 organizations since May 2025, abuses the "Direct Send" functionality to impersonate employees and steal credentials, posing a significant threat to businesses of all sizes.

Initially designed to allow devices like printers and scanners to send emails without requiring authentication, Microsoft 365's Direct Send feature is now being weaponized by cybercriminals. This method allows attackers to send phishing emails that appear to originate from within the targeted organization, thereby bypassing traditional email security measures that are often focused on external threats.

How the Direct Send Phishing Attack Works

The attack capitalizes on the trust inherent in internal communications. Threat actors abuse the Direct Send feature by connecting to the predictable smart host address associated with the target's domain (e.g., tenantname.mail.protection.outlook.com) and sending mail that carries an internal sender address. A key reason the attack succeeds is that it requires no compromised user account: the smart host accepts unauthenticated messages addressed to the tenant's own recipients.

Attackers can craft emails using tools like PowerShell and send them from an external IP address to internal recipients. Because these messages are routed through Microsoft's own infrastructure, they often evade standard security filters and are delivered to inboxes, appearing as legitimate internal correspondence.

In many observed cases, these phishing emails are designed to look like voicemail or fax notifications and contain a PDF attachment. This PDF, in turn, includes a QR code that, when scanned, directs the user to a phishing website designed to harvest their Microsoft 365 login credentials.

A Widespread and Evolving Threat

This phishing campaign, which began in May 2025, has primarily targeted organizations in the United States, with over 95% of identified victims based there. However, security experts warn that the technique is likely to spread and target organizations globally, particularly in the UK. The campaign has focused on sectors such as Financial Services, Construction, Engineering, Manufacturing, and Healthcare.

Small and medium-sized enterprises (SMEs) are particularly vulnerable to this type of attack because they often lack the cybersecurity resources and dedicated teams needed to identify such internal spoofing attempts.

Key Characteristics and Indicators of an Attack

Security professionals have identified several key indicators that can help detect this type of phishing activity:

  • Emails Sent from a User to Themselves: This is often an unusual behavior for end-users.
  • Use of PowerShell or CLI-based Email Clients: These tools are not typically used for sending emails in a corporate environment.
  • Unusual Geolocation of Email Origin: An email originating from an unexpected geographical location, without a corresponding login event, is a major red flag.
  • Suspicious Email Subjects: Subjects like "Caller Left VM Message" or "New Missed Fax-msg" have been associated with this campaign.
  • QR Codes in Attachments: The presence of a QR code within a PDF attachment should be treated with extreme caution.
  • Email Header Anomalies: Analysis of email headers may reveal that the email originated from an external IP, failed SPF and DMARC checks, and lacks a DKIM signature, yet was still delivered internally via the smart host.
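The indicators above can be checked mechanically against message headers. The following Python script is an added example, not part of the original article or of any vendor tooling: it parses two constructed messages (the domain contoso.com, the smart host name contoso-com.mail.protection.outlook.com, the IP addresses and the X-Mailer value are all placeholders) and reports which of the listed indicators each one trips. The QR code itself is not inspected; the script only flags that a PDF attachment is present.

```python
"""Header triage for the Direct Send spoofing indicators listed above.

Added example (not from the original article). The two messages below are
constructed; contoso.com, the smart host name and all IPs are placeholders.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

SMART_HOST_RE = re.compile(r"\.mail\.protection\.outlook\.com$", re.I)
RECEIVED_RE = re.compile(r"^\s*from\s+(?P<src>.*?)\s+by\s+(?P<dst>\S+)", re.I | re.S)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUBJECT_RE = re.compile(r"caller left vm message|new missed fax-msg", re.I)
CLI_MAILER_RE = re.compile(r"powershell|curl|swaks|python|sendmail", re.I)

# Address space treated as internal; anything else counts as external.
# (Documentation ranges such as 198.51.100.0/24 stand in for public IPs.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed spoof: external IP 198.51.100.23 hands the message to the
# tenant's smart host, which then delivers it as if it were internal mail.
SPOOFED = """\
Received: from contoso-com.mail.protection.outlook.com (203.0.113.5) by mailbox.contoso.com with HTTPS; Tue, 3 Jun 2025 09:12:04 +0000
Received: from 198.51.100.23 (198.51.100.23) by contoso-com.mail.protection.outlook.com (203.0.113.5) with Microsoft SMTP Server; Tue, 3 Jun 2025 09:12:03 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com
From: Jane Doe <jane.doe@contoso.com>
To: jane.doe@contoso.com
Subject: Caller Left VM Message
X-Mailer: Microsoft Windows PowerShell
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="voicemail.pdf"
Content-Disposition: attachment; filename="voicemail.pdf"

(pdf bytes omitted)
--b1--
"""

# Constructed legitimate internal mail for contrast.
LEGIT = """\
Received: from mailbox.contoso.com (203.0.113.9) by mailbox.contoso.com with HTTPS; Tue, 3 Jun 2025 09:15:00 +0000
Authentication-Results: spf=pass smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass header.from=contoso.com
From: Jane Doe <jane.doe@contoso.com>
To: bob@contoso.com
Subject: Q3 budget review
Content-Type: text/plain

Attached is the latest draft.
"""


def is_external_ip(ip: str) -> bool:
    """True for any syntactically valid IPv4 address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_hop_into_smart_host(received_headers) -> bool:
    """True if some Received hop shows an external IP handing mail to *.mail.protection.outlook.com."""
    for hdr in received_headers:
        m = RECEIVED_RE.match(hdr)
        if not m or not SMART_HOST_RE.search(m.group("dst")):
            continue
        if any(is_external_ip(ip) for ip in IPV4_RE.findall(m.group("src"))):
            return True
    return False


def triage(raw: str) -> dict:
    """Return indicator -> bool for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "self_addressed": bool(sender) and sender in recipients,
        "cli_mailer": bool(CLI_MAILER_RE.search(msg.get("X-Mailer", ""))),
        "campaign_subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
        "pdf_attachment": any(p.get_content_type() == "application/pdf" for p in msg.walk()),
        "auth_failed": "spf=fail" in auth and "dmarc=fail" in auth and "dkim=none" in auth,
        "external_ip_via_smart_host": external_hop_into_smart_host(msg.get_all("Received", [])),
    }


def score(raw: str) -> int:
    """Count of indicators present; the list above is strongest in combination."""
    return sum(triage(raw).values())


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, score(sample), triage(sample))
```

Run as a script it prints the per-indicator result for both messages. In practice the same checks would run over headers exported from message trace or a mail-flow rule, and the combination of a self-addressed message, failed authentication and an external hop into the smart host is far more telling than any single indicator on its own.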

Mitigating the Risk: A Multi-Layered Approach

To defend against this emerging threat, organizations are urged to adopt a multi-layered security strategy that combines technical controls with employee education.

Technical Mitigation Strategies:

  • Review and Restrict Direct Send: If not essential for business operations, consider disabling or restricting Direct Send.
  • Enforce Stricter Email Authentication: Implement and enforce strict DMARC, DKIM, and SPF policies to help detect and block spoofed emails.
  • Multi-Factor Authentication (MFA): Enforcing MFA is a critical step in reducing the risk associated with credential theft.
  • Static IP in SPF Record: Where a device legitimately needs Direct Send, list its static IP address in the SPF record so that mail from any other source fails SPF; this helps mitigate abuse.
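To make the SPF and DMARC bullets concrete, here is a simplified evaluator, added as an example and not taken from the article: it checks a sender IP against constructed SPF records for the placeholder domain contoso.com (203.0.113.10 stands in for a device's static IP; only ip4 and all mechanisms are evaluated, since include lookups need DNS) and applies the published DMARC policy. It shows that a strict record with -all and p=reject yields a reject for an unlisted sender IP, while ~all with p=none lets the same message through.

```python
"""Simplified SPF + DMARC evaluation for a Direct Send sender.

Added example (not from the article). Records, IPs and the domain are
constructed placeholders. Only ip4 and all mechanisms are evaluated;
include/a/mx require DNS lookups and are skipped.
"""
import ipaddress

# Constructed records for the placeholder domain contoso.com. 203.0.113.10
# stands in for the static IP of a printer/scanner that legitimately uses
# Direct Send; the include term is kept for realism but not resolved.
SPF_STRICT = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"
SPF_LOOSE = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip against an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "ip4" and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # include:/a/mx need DNS; skipped in this offline example.
    return "neutral"


def dmarc_policy(record: str) -> str:
    """Extract the p= tag from a DMARC TXT record (defaults to none)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").lower()


def disposition(spf_record: str, dmarc_record: str, sender_ip: str,
                mailfrom_domain: str, from_domain: str, dkim_pass: bool = False) -> str:
    """What a receiver enforcing the published DMARC policy would do."""
    spf = evaluate_spf(spf_record, sender_ip)
    # DMARC passes if SPF passes with an aligned domain, or DKIM passes.
    spf_aligned = spf == "pass" and mailfrom_domain.lower() == from_domain.lower()
    if spf_aligned or dkim_pass:
        return "deliver"
    policy = dmarc_policy(dmarc_record)
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    attacker, printer = "198.51.100.23", "203.0.113.10"
    for spf, dmarc in ((SPF_STRICT, DMARC_REJECT), (SPF_LOOSE, DMARC_MONITOR)):
        print(spf.split()[-1], dmarc_policy(dmarc),
              "attacker ->", disposition(spf, dmarc, attacker, "contoso.com", "contoso.com"),
              "printer ->", disposition(spf, dmarc, printer, "contoso.com", "contoso.com"))
```

The header anomalies described above (spf=fail and dmarc=fail, yet delivered via the smart host) show that enforcement cannot be assumed for Direct Send traffic entering the tenant's own infrastructure, which is why the record changes belong alongside restricting Direct Send rather than in place of it.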

Security Awareness and Training:

  • Employee Education: Train employees to be vigilant about phishing attempts, especially those that appear to be internal.
  • Verification Procedures: Encourage employees to verify suspicious requests through alternative communication channels before clicking on links or scanning QR codes.
  • Reporting Suspicious Emails: Establish a clear process for employees to report suspicious emails to the IT or security team for investigation.