Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizations
The emails appear to originate internally and can bypass traditional security controls
Security experts have warned of a new phishing campaign that exploits Microsoft 365’s Direct Send feature to steal credentials – and the attackers have already hit more than 70 organizations.
Direct Send is a feature in Exchange Online that allows devices and applications to send emails within a Microsoft 365 tenant. It uses a smart host with a format like "tenantname.mail.protection.outlook.com".
Intended for internal use only, the feature doesn't require authentication, meaning that attackers don’t need credentials, tokens, or access to the tenant, just a few publicly available details.
According to researchers at Varonis, attackers have been taking advantage of this since May to spoof internal users and deliver phishing emails without ever needing to compromise an account.
The victims span multiple verticals and locations, but are mainly US-based organizations.
The attacker used PowerShell to send emails appearing to come from a legitimate internal address via the smart host. Notably, because the email is routed through Microsoft’s infrastructure and appears to originate from within the tenant, it can bypass traditional email security controls.
Microsoft’s own filtering mechanisms, for example, may treat the message as internal-to-internal traffic, while third-party email security solutions often rely on sender reputation, authentication results, or external routing patterns to flag suspicious messages.
The Varonis MDDR Forensics team said it has observed multiple instances across different environments where organizations have received alerts for “abnormal behavior: Activity from stale geolocation to the organization.”
"In one case, the alert was triggered by a Ukrainian IP address, an unexpected and unusual location for the affected tenant," said Tom Barnea, a forensics specialist at Varonis.
"Typically, alerts tied to abnormal geolocation are accompanied by authentication attempts. This time, however, there were no login events, only email activity. Even more unusual, users were sending emails to themselves with PowerShell as the user agent."
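The pattern Barnea describes (mail activity with no accompanying sign-in, a user apparently mailing themselves, and PowerShell as the user agent) can be hunted for directly. The script below is an added example, not code from the article or from Varonis: it runs over constructed activity records with illustrative field names (UserId, Recipients, ClientInfoString, ClientIP, plus sign-in events with a Status field), and flags any send that shows at least two of the three indicators.

```powershell
# Added example (not from the article or Varonis): flag the self-send /
# PowerShell-agent / no-sign-in pattern in constructed activity records.
# Field names below are assumptions chosen to resemble typical M365
# activity exports; adapt them to the real export in use.

function Find-SuspiciousSelfSend {
    param(
        [Parameter(Mandatory)] [object[]] $SendEvents,
        [Parameter(Mandatory)] [object[]] $SignInEvents
    )
    # Index successful sign-ins by user and source IP so that a send with
    # no matching authentication can be spotted in constant time.
    $authenticated = @{}
    foreach ($s in $SignInEvents) {
        if ($s.Status -eq 'Success') {
            $authenticated["$($s.UserId)|$($s.ClientIP)"] = $true
        }
    }

    foreach ($e in $SendEvents) {
        $reasons = @()
        if ($e.Recipients -contains $e.UserId)        { $reasons += 'sender equals recipient' }
        if ($e.ClientInfoString -match 'PowerShell')  { $reasons += 'PowerShell user agent' }
        if (-not $authenticated.ContainsKey("$($e.UserId)|$($e.ClientIP)")) {
            $reasons += 'no successful sign-in from this IP'
        }
        # Any single indicator has benign explanations; two or more together
        # match the behaviour described in the campaign.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                UserId   = $e.UserId
                ClientIP = $e.ClientIP
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample data (documentation IP ranges, example.com addresses).
$sends = @(
    [pscustomobject]@{
        UserId           = 'alice@example.com'
        Recipients       = @('alice@example.com')
        ClientInfoString = 'PowerShell/7.4'
        ClientIP         = '203.0.113.10'
    },
    [pscustomobject]@{
        UserId           = 'bob@example.com'
        Recipients       = @('carol@example.com')
        ClientInfoString = 'Client=OWA'
        ClientIP         = '198.51.100.5'
    }
)
$signins = @(
    [pscustomobject]@{ UserId = 'bob@example.com'; ClientIP = '198.51.100.5'; Status = 'Success' }
)

# Only alice's record is returned: self-addressed, PowerShell agent, no sign-in.
Find-SuspiciousSelfSend -SendEvents $sends -SignInEvents $signins | Format-Table -AutoSize
```

The two-indicator threshold is a design choice: a lone PowerShell user agent is common in legitimate automation, and a lone self-addressed message is common in calendar and test traffic, but the combination with a source IP that never authenticated is what distinguishes the abuse of an unauthenticated relay from ordinary mailbox use.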
How the phishing emails work
In one instance recorded by Varonis, emails were designed to resemble voicemail notifications - complete with a PDF attachment that contained a QR code redirecting users to a phishing site designed to harvest Microsoft 365 credentials.
To stay safe, Varonis recommends that organizations enable “Reject Direct Send” in the Exchange Admin Center and implement a strict DMARC policy, for example p=reject.
They should flag unauthenticated internal emails for review or quarantine, enforce “SPF hardfail” within Exchange Online Protection (EOP) and use anti-spoofing policies.
User education is also important, as is the use of MFA and conditional access policies, in case a user’s credentials are stolen.
Similarly, organizations should restrict the SPF record to static IP addresses to prevent unwanted sending, a step Microsoft recommends but does not require.
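The hardening steps above (Reject Direct Send, SPF hard fail in EOP, a p=reject DMARC policy and an SPF record limited to known IPs) can be applied and verified from Exchange Online PowerShell. The script below is an added example, not code from the article, Varonis or Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the tenant uses the anti-spam policy named "Default", and that Resolve-DnsName (Windows DnsClient module) is available; the domain name is a placeholder.

```powershell
# Added example (not from the article, Varonis or Microsoft): apply and
# verify the Direct Send, SPF and DMARC recommendations.
# Assumptions: ExchangeOnlineManagement module present; anti-spam policy
# named "Default"; Resolve-DnsName available. $Domain is a placeholder.

$Domain = 'example.com'   # placeholder: replace with the tenant's domain

Connect-ExchangeOnline

# 1. Reject unauthenticated Direct Send at the tenant level, then confirm.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Treat an SPF hard fail as spam in Exchange Online Protection.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

# 3. Inspect the published SPF record: which hosts may send, and whether
#    everyone else is hard-failed ("-all") or merely soft-failed/allowed.
function Test-SpfRecord {
    param([Parameter(Mandatory)] [string] $Record)
    $qualifier = 'none'
    if ($Record -match '(^|\s)([-+~?]?)all\s*$') {
        $qualifier = if ($Matches[2]) { $Matches[2] } else { '+' }
    }
    [pscustomobject]@{
        HardFail   = ($qualifier -eq '-')
        Qualifier  = $qualifier
        AllowedIps = @($Record -split '\s+' | Where-Object { $_ -like 'ip4:*' -or $_ -like 'ip6:*' })
        Includes   = @($Record -split '\s+' | Where-Object { $_ -like 'include:*' })
    }
}

# 4. Inspect the DMARC record: only p=reject enforces against spoofed mail.
function Test-DmarcRecord {
    param([Parameter(Mandatory)] [string] $Record)
    $policy = if ($Record -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{
        Policy    = $policy
        Enforcing = ($policy -eq 'reject')
    }
}

# TXT records longer than 255 bytes are returned as several strings; join them.
$spfRecord   = (Resolve-DnsName -Name $Domain -Type TXT |
                Where-Object { $_.Strings -match '^v=spf1' }).Strings -join ''
$dmarcRecord = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT).Strings -join ''

Test-SpfRecord   -Record $spfRecord
Test-DmarcRecord -Record $dmarcRecord
```

Run the two Test- functions before and after changing DNS: HardFail should be True, AllowedIps should list only the static addresses the organization actually sends from, and Policy should read reject. A record ending in "~all" or "?all" still lets spoofed mail through with at most a soft fail, which is exactly the gap the campaign relies on.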
"Direct Send is a powerful feature, but in the wrong hands, it becomes a dangerous attack vector," said Barnea.
"If you’re not actively monitoring spoofed internal emails or haven’t enabled the new protections, now is the time. Don’t assume internal means safe."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.