Attackers Are Abusing Microsoft 365's Direct Send to Deliver Internal-Looking Phishing
SOClogix IR & SOC Teams Issue Active Campaign Advisory
Our Incident Response and SOC teams have detected a widespread phishing campaign leveraging Microsoft 365's Direct Send feature to spoof internal addresses and bypass standard email protections - targeting financial services, healthcare, and manufacturing organizations.
Active Campaign - July 2025
SOClogix's SOC and IR teams have observed a coordinated campaign targeting organizations across financial services, healthcare, and manufacturing. Attackers are using Microsoft 365's built-in Direct Send capability to deliver phishing emails that appear to originate from legitimate internal addresses - bypassing many standard email security controls.
What Is Microsoft 365 Direct Send?
Direct Send is a legitimate Microsoft 365 feature designed to allow on-premises applications, printers, and multifunction devices to send email through Exchange Online without requiring authentication. It works by relaying email directly through your tenant's MX endpoint.
How It Works (Legitimately)
A printer or application connects directly to [tenant].mail.protection.outlook.com on port 25 and sends email without SMTP authentication. Microsoft routes it internally because it knows the destination domain is hosted in the same tenant.
The Problem
Because Direct Send bypasses SMTP authentication, anyone who knows your tenant's MX hostname can relay email that appears to come from any address at your domain - without credentials. The email originates from Microsoft's own infrastructure, which means SPF checks pass and many anti-phishing rules don't apply.
How Attackers Are Exploiting This
Attack Chain
Reconnaissance
Attackers identify the target's Microsoft 365 tenant MX hostname from public DNS records.
Spoofed Message Crafted
A phishing email is crafted with a From address matching a real internal user - often an executive, IT admin, or finance contact.
Direct Send Relay
The email is sent through the tenant's own MX endpoint on port 25 without authentication. Microsoft routes it internally.
Delivered to Inbox
The message arrives appearing to come from the internal address. SPF passes. Many anti-phishing policies treat it as internal mail.
Employee Deceived
The recipient sees a familiar name and internal address, trusts the email, and follows the malicious instructions or link.
Why It Bypasses Standard Defenses
What Our Teams Observed
Across multiple client environments, SOClogix IR and SOC analysts identified the following patterns in the active campaign:
Targeted Sectors
Financial services firms (targeting wire transfer approvals), healthcare organizations (targeting HR and benefits systems), and manufacturing companies (targeting procurement and vendor payments).
Lure Content
Emails spoofing CFOs requesting urgent wire transfers, IT admins requesting password resets via malicious link, and HR systems requesting direct deposit updates.
Infrastructure
Phishing links redirect through legitimate URL shorteners and redirect chains before landing on credential-harvesting pages hosted on compromised or newly registered domains.
Timing
Emails were predominantly sent on Monday mornings and Friday afternoons - periods of high email volume and lower individual scrutiny.
How to Close This Gap
Immediate: Disable Direct Send If Not Needed
For most organizations, Direct Send is not actively used or needed. If you do not have printers, copiers, or legacy applications relying on unauthenticated SMTP relay, block it:
- In Exchange Admin Center → Mail Flow → Connectors, audit all inbound connectors
- Add a deny rule on your perimeter firewall for unauthenticated port 25 connections to your MX host
- If devices need to send email, migrate them to SMTP relay with authentication (using a dedicated mailbox or connector)
Detection: Identify Direct Send Abuse in Your Logs
Review your Microsoft 365 message trace logs for emails that:
- Have a From address at your domain but no corresponding Send As permission in Entra ID
- Were received with a connector type of "Default" rather than a named authenticated connector
- Show the sending IP as a Microsoft datacenter IP but have no corresponding sent item in the sender's mailbox
- Were delivered without a matching DKIM signature or with mismatched header fields
Policy Hardening
- Configure your anti-phishing policy to apply impersonation protection even to apparent internal senders
- Create a transport rule to add an external warning banner to ANY email where the From header domain matches yours but the authenticated sender does not
- Enforce DMARC with p=reject to ensure only authenticated senders can use your domain
- Enable the "Show first contact safety tip" for all users
- Require multi-party approval for wire transfers, direct deposit changes, and any high-value financial actions
Action Checklist
- Audit whether Direct Send is actively used in your environment
- If not needed, block unauthenticated SMTP relay at the network level
- Migrate any legitimate use cases to authenticated SMTP relay with a dedicated service account
- Run a message trace in Exchange Admin Center for suspicious internal-appearing emails
- Enforce DMARC p=reject and verify DKIM is configured and signing
- Add a transport rule to flag or quarantine emails spoofing your domain without authentication
- Update your anti-phishing policy to apply impersonation protection for internal-domain spoofing
- Train employees on this specific attack pattern - especially finance and HR staff
- Implement out-of-band verification for all wire transfer or account change requests
Related from SOClogix
About SOClogix
SOClogix provides 24/7 SOC monitoring, incident response, and Microsoft 365 security hardening for SMBs and mid-market organizations. Our team detected this campaign through continuous monitoring of client environments and is actively supporting affected organizations with remediation.
If you believe your organization may have received phishing emails matching this campaign pattern, or if you need help auditing your Microsoft 365 environment, contact us immediately.