Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizations
The emails appear to originate internally and can bypass traditional security controls


Security experts have warned of a new phishing campaign which exploits Microsoft 365’s Direct Send feature to steal credentials – and the attackers have already hit more than 70 organizations.
Direct Send is a feature in Exchange Online that allows devices and applications to send emails within a Microsoft 365 tenant. It uses a smart host with a format like "tenantname.mail.protection.outlook.com".
Intended for internal use only, the feature doesn't require authentication, meaning that attackers don’t need credentials, tokens, or access to the tenant, just a few publicly available details.
According to researchers at Varonis, attackers have been taking advantage of this since May to spoof internal users and deliver phishing emails without ever needing to compromise an account.
The victims span multiple verticals and locations, but are mainly US-based organizations.
The attacker used PowerShell to send emails appearing to come from a legitimate internal address via the smart host. Notably, because the email is routed through Microsoft’s infrastructure and appears to originate from within the tenant, it can bypass traditional email security controls.
Microsoft’s own filtering mechanisms, for example, may treat the message as internal-to-internal traffic, while third-party email security solutions often rely on sender reputation, authentication results, or external routing patterns to flag suspicious messages.
The Varonis MDDR Forensics team said it has observed multiple instances across different environments where organizations have received alerts for “abnormal behavior: Activity from stale geolocation to the organization.”
"In one case, the alert was triggered by a Ukrainian IP address, an unexpected and unusual location for the affected tenant," said Tom Barnea, a forensics specialist at Varonis.
"Typically, alerts tied to abnormal geolocation are accompanied by authentication attempts. This time, however, there were no login events, only email activity. Even more unusual, users were sending emails to themselves with PowerShell as the user agent."
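The indicators described above (an internal-looking sender, no authenticated session, a connecting IP that is not one of the tenant's own sending hosts, an SPF failure for the tenant's own domain, a user sending to themselves, and PowerShell as the user agent) can be scored together rather than relying on any single one. The following is an added example written for this article, not code from Varonis or Microsoft; the record fields and the sample events are constructed to resemble simplified message-trace data, and the tenant domain and approved sending IP are assumptions.

```python
"""Score mail events for the Direct Send abuse pattern described in the article.

Added example (not Varonis' or Microsoft's code). MailEvent is a constructed,
simplified record; real message-trace schemas differ.
"""
from dataclasses import dataclass
from typing import List

TENANT_DOMAIN = "example.com"        # assumption: the tenant's accepted domain
APPROVED_DIRECT_SEND_IPS = {"203.0.113.10"}  # assumption: devices allowed to use the smart host


@dataclass
class MailEvent:
    sender: str
    recipient: str
    source_ip: str        # IP that connected to the tenant's smart host / MX
    spf: str              # "pass", "fail", "softfail" or "none"
    user_agent: str
    authenticated: bool   # whether the SMTP session authenticated to the tenant


def direct_send_findings(ev: MailEvent) -> List[str]:
    """Return the individual indicators matched by one event."""
    findings: List[str] = []
    sender_domain = ev.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != TENANT_DOMAIN:
        # Direct Send abuse spoofs an *internal* sender; external senders are
        # handled by the normal inbound filtering path and are out of scope here.
        return findings
    if not ev.authenticated and ev.source_ip not in APPROVED_DIRECT_SEND_IPS:
        findings.append("unauthenticated internal sender from unapproved IP")
    if ev.spf in ("fail", "softfail", "none"):
        findings.append(f"SPF {ev.spf} for the tenant's own domain")
    if ev.sender.lower() == ev.recipient.lower():
        findings.append("sender equals recipient")
    if "powershell" in ev.user_agent.lower():
        findings.append("PowerShell user agent")
    return findings


def is_suspicious(ev: MailEvent, threshold: int = 2) -> bool:
    """Treat an event as suspicious once it matches `threshold` indicators."""
    return len(direct_send_findings(ev)) >= threshold


# Constructed sample events.
SAMPLE_EVENTS = [
    # Looks like the campaign: spoofed internal user, foreign IP, no auth, self-addressed.
    MailEvent("alice@example.com", "alice@example.com", "198.51.100.77",
              "fail", "PowerShell/7.4", authenticated=False),
    # Ordinary internal mail from a signed-in client.
    MailEvent("alice@example.com", "bob@example.com", "203.0.113.10",
              "pass", "Microsoft Outlook 16.0", authenticated=True),
    # A multifunction printer using Direct Send from an approved IP.
    MailEvent("scanner@example.com", "bob@example.com", "203.0.113.10",
              "pass", "HP Scan", authenticated=False),
    # External sender: not this detection's concern.
    MailEvent("vendor@partner.example", "bob@example.com", "198.51.100.5",
              "none", "PowerShell/7.4", authenticated=False),
]


def triage(events: List[MailEvent]) -> List[MailEvent]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev.sender, "->", ev.recipient, direct_send_findings(ev))
```

The threshold keeps legitimate Direct Send users (printers, line-of-business apps sending from a known static IP) out of the queue while the spoofed, self-addressed, PowerShell-sent message matches every indicator at once.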
How the phishing emails work
In one instance recorded by Varonis, emails were designed to resemble voicemail notifications - complete with a PDF attachment that contained a QR code redirecting users to a phishing site designed to harvest Microsoft 365 credentials.
To stay safe, Varonis recommends that organizations enable “Reject Direct Send” in the Exchange Admin Center and implement a strict DMARC policy, for example p=reject.
They should flag unauthenticated internal emails for review or quarantine, enforce “SPF hardfail” within Exchange Online Protection (EOP) and use anti-spoofing policies.
User education is also important, as is the use of MFA and conditional access policies, in case a user’s credentials are stolen.
Similarly, organizations should list a static IP address in the SPF record to prevent unwanted send abuse, as Microsoft recommends but does not require.
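Two of the recommendations above (a DMARC policy of p=reject, and an SPF record that hardfails and names the static IP allowed to send) can be checked against the records a tenant actually publishes. The following is an added example, not Varonis' or Microsoft's tooling; it lints record strings only, so the sample records are constructed rather than fetched from DNS, and the IP and domain in them are assumptions.

```python
"""Lint DMARC and SPF records against the hardening advice in the article.

Added example (not Varonis' or Microsoft's code). Records are passed in as
strings; look them up with your DNS tooling and feed the TXT value in.
"""
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(record: str) -> List[str]:
    """Report deviations from a strict, fully enforced DMARC policy."""
    tags = parse_dmarc(record)
    issues: List[str] = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        issues.append(f"policy is p={policy}; recommended p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} leaves part of the spoofed mail unenforced")
    if "rua" not in tags:
        issues.append("no rua address; spoofing attempts will not be reported")
    return issues


def spf_issues(record: str) -> List[str]:
    """Check for hardfail and for an explicit static sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    issues: List[str] = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism; hosts not listed are not rejected")
    elif not all_term.startswith("-"):
        issues.append(f"'{all_term}' is not hardfail; use -all")
    if not any(t.lower().startswith(("ip4:", "ip6:")) for t in terms[1:]):
        issues.append("no explicit ip4/ip6 term for the approved sending host")
    return issues


# Constructed sample records for a fictional tenant domain.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    for name, rec, check in [("DMARC", GOOD_DMARC, dmarc_issues),
                             ("DMARC", WEAK_DMARC, dmarc_issues),
                             ("SPF", GOOD_SPF, spf_issues),
                             ("SPF", WEAK_SPF, spf_issues)]:
        print(name, rec, "->", check(rec) or "ok")
```

Run this as part of a periodic configuration check alongside the Exchange Admin Center “Reject Direct Send” setting, which the linter does not cover because it is a tenant setting rather than a published DNS record.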
"Direct Send is a powerful feature, but in the wrong hands, it becomes a dangerous attack vector," said Barnea.
"If you’re not actively monitoring spoofed internal emails or haven’t enabled the new protections, now is the time. Don’t assume internal means safe."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.