New Microsoft 365 Phishing Tactic Bypasses Email Security Using “Direct Send”

July 24, 2025

Here’s what business leaders need to know—and what to do about it

A newly identified phishing technique is making it easier than ever for attackers to trick employees, even without hacking into accounts.

This campaign exploits a legitimate Microsoft 365 feature called Direct Send, enabling cybercriminals to deliver internal-looking emails that bypass common email protections and appear completely legitimate.

At CIO Landing, we believe awareness is one of the strongest tools in cybersecurity. That’s why we’re breaking this down clearly—no jargon, no fear tactics—just what you need to know to protect your team.

What is Direct Send?

Direct Send is a built-in Microsoft 365 feature designed for internal devices like scanners and copiers. It lets these devices send email through Microsoft’s infrastructure without requiring authentication.

These messages are sent via tenant-specific Microsoft servers (like yourcompany.mail.protection.outlook.com) and were originally intended for simple, internal communication.

The problem? That same convenience can be exploited. With basic public information about your domain and email structure, attackers can send fake “internal” emails that look completely trustworthy, without ever breaching your systems.

How Are Attackers Exploiting It?

Since May 2025, threat actors have been abusing Direct Send to deliver phishing emails that:

  • Appear internal (e.g., “[email protected]” or “[email protected]”)

  • Bypass authentication checks (SPF, DKIM, DMARC)

  • Route through Microsoft’s infrastructure, giving them an undeserved stamp of trust

  • Contain malicious PDF attachments or QR codes (a technique known as quishing) that lead to fake login pages designed to steal passwords

Worse, no credentials or account takeovers are needed—just publicly available information and simple scripts.

Why This Matters to Your Business

  • Emails look real and often mimic internal notifications

  • They pass email checks, making them hard to block without additional safeguards

  • They’re difficult to detect, especially without advanced monitoring

  • They exploit user trust in Microsoft infrastructure

This makes it a high-risk vector for credential theft, data compromise, and business disruption—especially for organizations that rely solely on Microsoft 365’s built-in protections.

What You Can Do

There are several steps your IT team—or a trusted partner like CIO Landing—can take to reduce risk:

✅ Check if Direct Send is Enabled

This is the key first step. Most organizations don’t need it. Ask your IT team to:

  • Identify whether Direct Send is currently active

  • Evaluate if any devices (like printers) actually require it

  • Disable it if not essential

Not sure? We can check for you.

✅ Route Internal Messages Through Security Tools

Ensure all email—including messages that look internal—passes through a security gateway or other advanced email tools.

✅ Monitor for Anomalies

Use tools that can flag unusual activity like:

  • Internal email addresses used from external IPs

  • Logins or mail flows from unexpected geographies

  • Spikes in Direct Send usage
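
The first and third checks in this list, sketched in Python as an added example (it is not CIO Landing's tooling and not part of the original post). The row layout, the example.com domain, the device IP range and the baseline of 2 are assumptions; map them to the fields your own mail trace export provides.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed, site-specific settings (placeholders, replace with your own values).
OWN_DOMAINS = {"example.com"}
KNOWN_DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # office egress used by scanners
HOURLY_BASELINE = 2  # unauthenticated internal-looking messages normally seen per hour

# Constructed sample rows: (time, sender, recipient, source IP, authenticated submission?)
SAMPLE = [
    ("2025-07-01T09:02:00", "scanner@example.com", "amy@example.com", "203.0.113.5", False),
    ("2025-07-01T09:10:00", "amy@example.com", "bob@example.com", "198.51.100.7", True),
    ("2025-07-01T14:01:00", "it-support@example.com", "amy@example.com", "198.51.100.44", False),
    ("2025-07-01T14:02:00", "it-support@example.com", "bob@example.com", "198.51.100.44", False),
    ("2025-07-01T14:03:00", "it-support@example.com", "carol@example.com", "198.51.100.44", False),
    ("2025-07-01T14:05:00", "billing@partner.example", "amy@example.com", "192.0.2.10", False),
]

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def is_direct_send_style(row):
    """Unauthenticated message that claims an internal sender and targets an internal recipient."""
    _, sender, recipient, _, authenticated = row
    return not authenticated and domain(sender) in OWN_DOMAINS and domain(recipient) in OWN_DOMAINS

def from_known_device(row):
    ip = ipaddress.ip_address(row[3])
    return any(ip in net for net in KNOWN_DEVICE_NETS)

def spoof_suspects(rows):
    """Internal-looking, unauthenticated mail whose source is not one of our devices."""
    return [r for r in rows if is_direct_send_style(r) and not from_known_device(r)]

def hourly_spikes(rows):
    """Hours in which Direct Send-style volume exceeds the expected baseline."""
    counts = Counter(datetime.fromisoformat(r[0]).strftime("%Y-%m-%dT%H")
                     for r in rows if is_direct_send_style(r))
    return {hour: n for hour, n in counts.items() if n > HOURLY_BASELINE}

if __name__ == "__main__":
    for row in spoof_suspects(SAMPLE):
        print("SUSPECT", row)
    print("SPIKES", hourly_spikes(SAMPLE))
```

The scanner's message is left alone because it comes from the allowlisted range, which is why an accurate inventory of devices that legitimately use Direct Send matters before alerting on this.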

✅ Educate Your Team

Phishing isn’t always obvious anymore. Train employees to recognize:

  • Suspicious PDFs or QR codes

  • Unexpected login prompts

  • Subtle differences in sender addresses

✅ Use Multi-Factor Authentication (MFA) Everywhere

Even if credentials are stolen, MFA makes it much harder for attackers to gain access.

Final Thoughts

This type of attack highlights how even helpful features—like Direct Send—can become blind spots in your cybersecurity strategy.

At CIO Landing, we help clients:

  • Evaluate Microsoft 365 configurations

  • Strengthen email authentication policies

  • Educate staff with real-world phishing simulations

  • Monitor for abnormal activity before it becomes a threat

If you’re unsure whether Direct Send is enabled, now’s the time to take action.

Need help evaluating your Microsoft 365 security?
We’re here to support you. A quick review could save you from a costly breach.
