Cybercriminals are exploiting a lesser-known Microsoft 365 feature called Direct Send, originally intended to support internal devices like printers, to send emails that appear to come from trusted coworkers. These spoofed emails often bypass standard security checks, making them especially dangerous. 

Why It Matters 

Internal Email Spoofing Without Login Credentials 

Attackers are abusing Direct Send to send fake emails from your own domain,and in some cases, the message may even appear to be sent from you to you. This technique requires no credentials, no gateway access, and no login. 

What’s Happening 

Our GoSecure Titan® IDR team has observed campaigns abusing Direct Send by sending spoofed messages directly to Microsoft’s smart host (e.g., mail.protection.outlook.com). The attacker manipulates the email headers to make the message appear internal, even though it’s from an external, unauthorized IP address. 

Here’s a sample from a flagged header: 

Received: from [141.95.71.213] (141.95.71.213) by
SA2PEPF00003AEA.mail.protection.outlook.com with Microsoft SMTP Server

Why It Works 

  • No login required: Microsoft’s infrastructure accepts mail routed via Direct Send to internal recipients. 
  • Spoofed sender: The attacker sets the “From” address as any internal user. 
  • Bypasses filters: Microsoft’s filters treat the message as internal, making it harder to catch. 
  • Evades detection tools: These emails may avoid third-party tools looking for external signs of compromise. 

How to Detect Direct Send Exploits 

Header Red Flags 

  • Emails received through Microsoft smart hosts from unauthorized external IPs 
  • Authentication failures (SPF, DKIM, DMARC) on your own domain 
  • Mismatched X-MS-Exchange-CrossTenant-Id values 
  • Strange entries in SPF records 

Behavioral Red Flags 

  • Emails sent from users to themselves 
  • Foreign or suspicious IPs 
  • Unexpected attachments or odd filenames 

What You Can Do 

Enable RejectDirectSend in O365  

Reject Direct Send
Microsoft has introduced an opt-in feature to block unauthenticated Direct Send messages. Enable it using PowerShell: 

Once enabled, unauthorized messages will be blocked with: 

550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources 

Additional Mitigation Steps: 

  • Implement a strict DMARC policy 
  • Flag unauthenticated internal mail for review or quarantine 
  • Enforce SPF hardfail in Exchange Online Protection (EOP) 
  • Set anti-spoofing rules in Microsoft Defender 

Considerations 

Please be aware that not all Direct Send emails are malicious. By enabling RejectDirectSend you may block some legitimate emails. Examples of legitimate use of Direct Send include: 

  • Automated reports from internal tools 
  • Scripted alerts or backups 
  • Authorized third-party platforms (HR, CRM, marketing) 

If in doubt, do not click. Report it to your security team. 

How GoSecure Is Helping 

Our GoSecure Titan® IDR team is actively monitoring for this exploit and updating detection content. We’re also tightening backend rules in our infrastructure to reduce the likelihood of false internal trust. 

If you need support reviewing your configuration or want help enabling protective measures, our team is ready. 

Take Action Today
Sophisticated phishing threats can appear completely legitimate. If you’d like to assess your exposure or configure safer defaults, contact GoSecure today. 

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

AICPA SOC Logo - Black

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858