Skip to main content
Back to Blog
July 30, 2025Threat AdvisoryBy Matt Johnson

Attackers Are Abusing Microsoft 365's Direct Send to Deliver Internal-Looking Phishing

SOClogix IR & SOC Teams Issue Active Campaign Advisory

Our Incident Response and SOC teams have detected a widespread phishing campaign leveraging Microsoft 365's Direct Send feature to spoof internal addresses and bypass standard email protections - targeting financial services, healthcare, and manufacturing organizations.

Active Campaign - July 2025

SOClogix's SOC and IR teams have observed a coordinated campaign targeting organizations across financial services, healthcare, and manufacturing. Attackers are using Microsoft 365's built-in Direct Send capability to deliver phishing emails that appear to originate from legitimate internal addresses - bypassing many standard email security controls.

What Is Microsoft 365 Direct Send?

Direct Send is a legitimate Microsoft 365 feature designed to allow on-premises applications, printers, and multifunction devices to send email through Exchange Online without requiring authentication. It works by relaying email directly through your tenant's MX endpoint.

How It Works (Legitimately)

A printer or application connects directly to [tenant].mail.protection.outlook.com on port 25 and sends email without SMTP authentication. Microsoft routes it internally because it knows the destination domain is hosted in the same tenant.

The Problem

Because Direct Send bypasses SMTP authentication, anyone who knows your tenant's MX hostname can relay email that appears to come from any address at your domain - without credentials. The email originates from Microsoft's own infrastructure, which means SPF checks pass and many anti-phishing rules don't apply.

How Attackers Are Exploiting This

Attack Chain

1

Reconnaissance

Attackers identify the target's Microsoft 365 tenant MX hostname from public DNS records.

2

Spoofed Message Crafted

A phishing email is crafted with a From address matching a real internal user - often an executive, IT admin, or finance contact.

3

Direct Send Relay

The email is sent through the tenant's own MX endpoint on port 25 without authentication. Microsoft routes it internally.

4

Delivered to Inbox

The message arrives appearing to come from the internal address. SPF passes. Many anti-phishing policies treat it as internal mail.

5

Employee Deceived

The recipient sees a familiar name and internal address, trusts the email, and follows the malicious instructions or link.

Why It Bypasses Standard Defenses

SPF: Passes - mail originates from Microsoft IPs
DKIM: May pass if tenant DKIM is configured
External Banners: Often absent - treated as internal
Impersonation Rules: May not trigger if rule checks auth only

What Our Teams Observed

Across multiple client environments, SOClogix IR and SOC analysts identified the following patterns in the active campaign:

Targeted Sectors

Financial services firms (targeting wire transfer approvals), healthcare organizations (targeting HR and benefits systems), and manufacturing companies (targeting procurement and vendor payments).

Lure Content

Emails spoofing CFOs requesting urgent wire transfers, IT admins requesting password resets via malicious link, and HR systems requesting direct deposit updates.

Infrastructure

Phishing links redirect through legitimate URL shorteners and redirect chains before landing on credential-harvesting pages hosted on compromised or newly registered domains.

Timing

Emails were predominantly sent on Monday mornings and Friday afternoons - periods of high email volume and lower individual scrutiny.

How to Close This Gap

Immediate: Disable Direct Send If Not Needed

For most organizations, Direct Send is not actively used or needed. If you do not have printers, copiers, or legacy applications relying on unauthenticated SMTP relay, block it:

  • In Exchange Admin Center → Mail Flow → Connectors, audit all inbound connectors
  • Add a deny rule on your perimeter firewall for unauthenticated port 25 connections to your MX host
  • If devices need to send email, migrate them to SMTP relay with authentication (using a dedicated mailbox or connector)

Detection: Identify Direct Send Abuse in Your Logs

Review your Microsoft 365 message trace logs for emails that:

  • Have a From address at your domain but no corresponding Send As permission in Entra ID
  • Were received with a connector type of "Default" rather than a named authenticated connector
  • Show the sending IP as a Microsoft datacenter IP but have no corresponding sent item in the sender's mailbox
  • Were delivered without a matching DKIM signature or with mismatched header fields

Policy Hardening

  • Configure your anti-phishing policy to apply impersonation protection even to apparent internal senders
  • Create a transport rule to add an external warning banner to ANY email where the From header domain matches yours but the authenticated sender does not
  • Enforce DMARC with p=reject to ensure only authenticated senders can use your domain
  • Enable the "Show first contact safety tip" for all users
  • Require multi-party approval for wire transfers, direct deposit changes, and any high-value financial actions

Action Checklist

  • Audit whether Direct Send is actively used in your environment
  • If not needed, block unauthenticated SMTP relay at the network level
  • Migrate any legitimate use cases to authenticated SMTP relay with a dedicated service account
  • Run a message trace in Exchange Admin Center for suspicious internal-appearing emails
  • Enforce DMARC p=reject and verify DKIM is configured and signing
  • Add a transport rule to flag or quarantine emails spoofing your domain without authentication
  • Update your anti-phishing policy to apply impersonation protection for internal-domain spoofing
  • Train employees on this specific attack pattern - especially finance and HR staff
  • Implement out-of-band verification for all wire transfer or account change requests

About SOClogix

SOClogix provides 24/7 SOC monitoring, incident response, and Microsoft 365 security hardening for SMBs and mid-market organizations. Our team detected this campaign through continuous monitoring of client environments and is actively supporting affected organizations with remediation.

If you believe your organization may have received phishing emails matching this campaign pattern, or if you need help auditing your Microsoft 365 environment, contact us immediately.

Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →
Threat AdvisoryMicrosoft 365PhishingDirect SendBECEmail SpoofingDMARCIncident Response