Black Arrow Cyber Alert 18 August 2025 – Microsoft 365 Direct Send abuse enabling internal-appearing phishing

Executive summary

Security researchers and vendors have confirmed active campaigns abusing Microsoft 365’s Direct Send feature to deliver emails that look like they originate from inside an organisation, without any mailbox compromise or authentication. The messages often use Microsoft infrastructure and can bypass external security controls, increasing the likelihood of credential theft and business email compromise. Microsoft has released a control that tenants can enable to reject unauthenticated Direct Send. Additional configuration can prevent direct delivery to the tenant when MX records are configured to point to a third party.

What’s the risk to me or my business?

Attackers can send emails that impersonate your own users or departments. Common themes include voicemail or fax alerts and PDFs that contain QR codes leading to credential-harvesting pages. Because delivery uses Microsoft endpoints, messages may appear internal and can evade external filtering paths, undermining user trust and raising the success rate of social engineering and payment fraud.

Increased risk of further exploitation through other vulnerabilities

Successful credential theft enables lateral movement, mailbox rule abuse, internal spear-phishing and financial fraud. Some campaigns inject messages via unsecured third-party relays and VPS infrastructure before final delivery to Microsoft 365, complicating attribution and forensics.

What can I do?

Given active exploitation, immediate action is advised.

  1. If you do not need Direct Send, block it
    Enable the organisation setting to reject unauthenticated Direct Send traffic using PowerShell. This blocks anonymous messages where the envelope sender domain matches one of your accepted domains. Test, then monitor for breakage in legacy devices or services.

  2. If you need Direct Send, authenticate and restrict it
    Create inbound partner connectors and restrict by TLS certificate (preferred) or by approved IP ranges for printers, applications and third-party services that must send as your domain. Where full rejection is not yet possible, use transport rules to quarantine unauthenticated internal-looking mail while you add exceptions for legitimate sources.

  3. Prevent direct delivery bypass when MX points to a third party
    If your MX is not Exchange Online, configure an inbound connector and set restrictions so only your approved gateway path can deliver to the tenant. This closes the direct-to-tenant path that might otherwise bypass external filtering.

  4. Strengthen authentication and policy
    Enforce SPF, DKIM and DMARC with a reject policy, and tune anti-spoofing. Treat unauthenticated internal-looking messages as suspicious. Consider transport rules that quarantine them by default.

  5. Hunt and monitor
    Use Historical Message Trace, Threat Explorer, or Advanced Hunting to identify messages received without an attributed connector. Hunt for unauthenticated internal-looking mail, composite authentication failures and unusual attachment patterns such as PDFs with QR codes.

  6. Prepare users
    Brief staff that internal-looking emails can be forged. Call out common lures and warn specifically about QR-code attachments. Encourage out-of-band verification for sensitive requests.
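The following Exchange Online PowerShell session is an added example of steps 1, 2 and 4 above; it is not code from Black Arrow or Microsoft. It assumes the ExchangeOnlineManagement module is installed, and the domain, certificate subject and IP range are placeholders to replace with your own values.

```powershell
# Added example: lock down Direct Send with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed; "contoso.com",
# "mfp.contoso.com" and 203.0.113.0/24 are placeholders, not real values.
Connect-ExchangeOnline

# Step 1: check the current state, then reject unauthenticated Direct Send.
# This rejects anonymous messages whose envelope sender domain is one of
# your accepted domains. Verify legacy devices first, then monitor for breakage.
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# Step 2 (preferred): let known devices send as your domain only when they
# present a TLS certificate with the expected subject name.
New-InboundConnector -Name "Onprem-MFPs-by-certificate" `
    -ConnectorType Partner `
    -SenderDomains "contoso.com" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "mfp.contoso.com"

# Step 2 (fallback): for devices that cannot present a certificate,
# restrict the connector to an approved source IP range instead.
New-InboundConnector -Name "Onprem-apps-by-ip" `
    -ConnectorType Partner `
    -SenderDomains "contoso.com" `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses "203.0.113.0/24"

# Step 4: while exceptions are still being collected, quarantine mail that
# claims to be from your domain, arrives from outside the organisation and
# fails composite authentication. Start with -Mode Audit to measure impact,
# then switch to Enforce once the exception list is complete.
New-TransportRule -Name "Quarantine unauthenticated internal-looking mail" `
    -Mode Audit `
    -FromScope NotInOrganization `
    -SenderDomainIs "contoso.com" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "compauth=fail" `
    -ExceptIfSenderIpRanges "203.0.113.0/24" `
    -Quarantine $true

Disconnect-ExchangeOnline -Confirm:$false
```

Once the connectors cover every legitimate device and service, the transport rule can be moved to Enforce and, if nothing else needs Direct Send, retired in favour of the tenant-wide reject setting alone.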

Technical Summary

Abuse mechanism
Direct Send allows devices and applications to send to internal recipients without authentication via tenant smart hosts such as tenantname.mail.protection.outlook.com. Threat actors send spoofed messages to those endpoints using internal-looking From addresses, often with scripted SMTP clients.

Observed tactics
Lures frequently mimic voicemail or fax notifications and include PDFs with QR codes that resolve to credential harvesters. Some campaigns relay through unsecured third-party email appliances or VPS infrastructure before final delivery.

Why it lands
Messages traverse Microsoft infrastructure and can be treated as internal, so they may land in inboxes or junk despite composite authentication failures, especially where mail routing is complex or controls are not locked down.

Microsoft controls
Microsoft introduced a tenant-wide Reject Direct Send setting, plus guidance on preventing direct delivery to the tenant and on quarantine-first transport rules for organisations not ready to block.

Activity timeline
Campaigns observed since May 2025, with multiple vendors reporting ongoing abuse through July and August 2025.

Further information

  • Microsoft Exchange Team: Introducing more control over Direct Send in Exchange Online. Public preview of Reject Direct Send, behaviour and error text. (TECHCOMMUNITY.MICROSOFT.COM)

  • Microsoft Exchange Team: Direct Send vs sending directly to an Exchange Online tenant. Lockdown patterns, connectors, hunting and quarantine-first rules. (TECHCOMMUNITY.MICROSOFT.COM)

  • Varonis Threat Labs: Ongoing campaign abusing Direct Send to deliver internal-appearing phishing, with timeline and technique details. (Varonis)

  • Proofpoint: Attackers abusing M365 for internal phishing, delivery paths via unsecured relays, and recommended mitigations. (Proofpoint)

  • Mimecast Threat Intelligence: Direct Send abuse overview, observed artefacts and recommendations. (Mimecast)

  • eSentire Advisory: Direct Send abuse leading to internal phishing, QR-code lures and response guidance. (eSentire)

  • Barracuda: Securing Microsoft Direct Send, attack summary and guidance. (Barracuda Blog)

  • IRONSCALES: Inside Job: attackers spoofing emails with M365 Direct Send, controls to reduce risk. (IRONSCALES)

  • BleepingComputer: Microsoft 365 Direct Send abused to send phishing as internal users. (BleepingComputer)

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
