Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizations
The emails appear to originate internally and can bypass traditional security controls


Security experts have warned of a new phishing campaign which exploits Microsoft 365’s Direct Send feature to steal credentials – and the attackers have already hit more than 70 organizations.
Direct Send is a feature in Exchange Online that allows devices and applications to send emails within a Microsoft 365 tenant. It uses a smart host with a format like "tenantname.mail.protection.outlook.com".
Intended for internal use only, the feature doesn't require authentication, meaning that attackers don’t need credentials, tokens, or access to the tenant, just a few publicly available details.
According to researchers at Varonis, attackers have been taking advantage of this since May to spoof internal users and deliver phishing emails without ever needing to compromise an account.
The victims span multiple verticals and locations, but are mainly US-based organizations.
The attackers used PowerShell to send emails appearing to come from a legitimate internal address via the smart host. Notably, because the email is routed through Microsoft’s infrastructure and appears to originate from within the tenant, it can bypass traditional email security controls.
Microsoft’s own filtering mechanisms, for example, may treat the message as internal-to-internal traffic, while third-party email security solutions often rely on sender reputation, authentication results, or external routing patterns to flag suspicious messages.
The Varonis MDDR Forensics team said it has observed multiple instances across different environments where organizations have received alerts for “abnormal behavior: Activity from stale geolocation to the organization.”
"In one case, the alert was triggered by a Ukrainian IP address, an unexpected and unusual location for the affected tenant," said Tom Barnea, a forensics specialist at Varonis.
"Typically, alerts tied to abnormal geolocation are accompanied by authentication attempts. This time, however, there were no login events, only email activity. Even more unusual, users were sending emails to themselves with PowerShell as the user agent."
How the phishing emails work
In one instance recorded by Varonis, emails were designed to resemble voicemail notifications - complete with a PDF attachment that contained a QR code redirecting users to a phishing site designed to harvest Microsoft 365 credentials.
To stay safe, Varonis recommends that organizations enable “Reject Direct Send” in the Exchange Admin Center and implement a strict DMARC policy, for example p=reject.
They should flag unauthenticated internal emails for review or quarantine, enforce “SPF hardfail” within Exchange Online Protection (EOP) and use anti-spoofing policies.
User education is also important, as is the use of MFA and conditional access policies, in case a user’s credentials are stolen.
Similarly, organizations should restrict their SPF record to static IP addresses, as Microsoft recommends but does not require, to prevent unwanted Direct Send abuse.
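The indicators described in the article (an internal-looking sender with no passing SPF/DKIM, a DMARC fail on the organization’s own domain, a Direct Send submission with a PowerShell user agent, and users apparently emailing themselves) can be turned into a simple triage rule for “flag unauthenticated internal emails for review or quarantine”. The following Python routine is an added example, not code from the article or from Varonis; it assumes example.com as the tenant domain and runs over constructed message-trace-style records rather than real telemetry.

```python
# Assumption: the protected tenant's own domain.
TENANT_DOMAIN = "example.com"

# Constructed records (not real telemetry). Each mirrors fields a defender
# would pull from message headers or a message trace: envelope sender and
# recipient, Authentication-Results verdicts, client user agent, source IP,
# and whether the message arrived via the Direct Send smart host path.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "ceo@example.com", "to": "ceo@example.com",
     "spf": "fail", "dkim": "none", "dmarc": "fail",
     "user_agent": "PowerShell", "source_ip": "203.0.113.7", "direct_send": True},
    {"id": "m2", "from": "hr@example.com", "to": "staff@example.com",
     "spf": "pass", "dkim": "pass", "dmarc": "pass",
     "user_agent": "Outlook", "source_ip": "10.0.0.5", "direct_send": False},
    # Legitimate Direct Send use from an on-premises device on an SPF-listed IP.
    {"id": "m3", "from": "printer@example.com", "to": "it@example.com",
     "spf": "pass", "dkim": "none", "dmarc": "pass",
     "user_agent": "", "source_ip": "10.0.0.9", "direct_send": True},
    {"id": "m4", "from": "news@vendor.example", "to": "bob@example.com",
     "spf": "fail", "dkim": "none", "dmarc": "fail",
     "user_agent": "", "source_ip": "198.51.100.2", "direct_send": False},
]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify(msg, tenant_domain=TENANT_DOMAIN):
    """Return the reasons a message looks like Direct Send spoofing (empty if none)."""
    reasons = []
    if sender_domain(msg["from"]) != tenant_domain:
        return reasons  # external senders are covered by the normal anti-spoof policy
    # Core indicator: claims to be internal but carries no passing authentication.
    if msg["spf"] != "pass" and msg["dkim"] != "pass":
        reasons.append("unauthenticated internal sender (neither SPF nor DKIM passed)")
    if msg["dmarc"] != "pass":
        reasons.append("DMARC failure on the organization's own domain")
    if msg["direct_send"] and "powershell" in msg["user_agent"].lower():
        reasons.append("Direct Send submission with PowerShell user agent")
    if msg["from"].lower() == msg["to"].lower():
        reasons.append("user apparently sending email to themselves")
    return reasons


def triage(messages, tenant_domain=TENANT_DOMAIN):
    """Map message id -> reasons, for every message that merits review or quarantine."""
    return {m["id"]: r for m in messages if (r := classify(m, tenant_domain))}


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

Only m1 is flagged; the printer’s legitimate Direct Send traffic (m3) passes because its source IP is authorized by SPF, which is why the static-IP SPF recommendation matters.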
"Direct Send is a powerful feature, but in the wrong hands, it becomes a dangerous attack vector," said Barnea.
"If you’re not actively monitoring spoofed internal emails or haven’t enabled the new protections, now is the time. Don’t assume internal means safe."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.