
Microsoft 365 ‘Direct Send’ abused to send phishing as internal users


An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called “Direct Send” to evade detection by email security and steal credentials.

Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant’s smart host as if they originated from the organization’s domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.

However, the feature is a known security risk, as it doesn’t require any authentication, allowing remote users to send internal‑looking emails from the company’s domain.
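The abuse described above leaves a recognizable pattern in the headers of a delivered message: an internal From domain, arrival at the tenant's MX/smart host, and an SPF verdict other than pass from a connecting IP that is not one of the organization's own devices. The following is an added example, not code from the article, Microsoft or Varonis, that flags that pattern in raw headers; it assumes a constructed sample header block, a hypothetical allowlist network for legitimate Direct Send devices, and that the smart host name ends in `.mail.protection.outlook.com`.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): an external host delivering straight to
# the tenant's smart host with an internal-looking From address.
SAMPLE_HEADERS = """\
Received: from mail.example.net (unknown [203.0.113.45])
 by company-com.mail.protection.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none; compauth=fail reason=001
From: "IT Helpdesk" <helpdesk@company.com>
To: alice@company.com
Subject: Action required: password expiry

"""

# Hypothetical allowlist: public NAT range of the printers/scanners that legitimately use Direct Send.
TRUSTED_DIRECT_SEND_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_auth_results(value):
    """Pull the SPF verdict and the connecting IP out of an Authentication-Results header."""
    spf = re.search(r"\bspf=(\w+)", value)
    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", value)
    return (spf.group(1).lower() if spf else "none", ip.group(1) if ip else None)


def classify(raw_headers, org_domain, trusted_nets=TRUSTED_DIRECT_SEND_NETS):
    """Return the reasons a message looks like unauthenticated Direct Send abuse (empty list = clean)."""
    msg = email.message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf, sender_ip = parse_auth_results(msg.get("Authentication-Results", ""))
    via_smart_host = any(".mail.protection.outlook.com" in r for r in msg.get_all("Received", []))
    reasons = []
    if from_domain != org_domain.lower():
        return reasons  # ordinary external mail is out of scope for this check
    if not via_smart_host:
        return reasons  # arrived via a connector or hybrid path, not the MX endpoint
    if spf != "pass":
        reasons.append(f"spf={spf} for internal sender domain {from_domain}")
    if sender_ip:
        addr = ipaddress.ip_address(sender_ip)
        if not any(addr in net for net in trusted_nets):
            reasons.append(f"connecting IP {sender_ip} not in Direct Send allowlist")
    return reasons
```

Run over message-trace exports or journaled headers, a non-empty result is a candidate for quarantine review rather than a verdict on its own.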

Microsoft recommends that only advanced customers use the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.

“We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins,” explains Microsoft.

“You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication.”

The company has shared ways to disable the feature, which are explained later in the article, and says it is working on a way to deprecate the feature.

Direct Send abused in a phishing campaign

The phishing campaign was discovered by the Varonis Managed Data Detection and Response (MDDR) team, who told BleepingComputer that it is targeting more than 70 organizations across all industries, with 95% of the victims based in the United States.

Varonis says the campaign started in May 2025, with over 95% of the targeted companies based in the United States.

“Victims occupy a wide variety of business verticals but over 90% of identified targets operate within the Financial Services, Construction, Engineering, Manufacturing, Healthcare, and Insurance space,” Joseph Avanzato, Security Operations and Forensics Group Leader, told BleepingComputer.

“Financial Services were the most common target followed by Manufacturing, Construction/Engineering and Healthcare/Insurance.”

The Varonis report explains that the attacks are delivered via PowerShell using a targeted company’s smart host (company-com.mail.protection.outlook.com), making it possible for an attacker to send…
