Full Report
An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials. [...]
Analysis Summary
# Tool/Technique: Microsoft 365 Direct Send Abuse for Phishing
## Overview
This entry summarizes an attack vector in which threat actors abuse Direct Send, a legitimate Microsoft 365/Exchange Online feature that lets devices and applications deliver mail to a tenant's own recipients through the tenant's smart-host (MX) endpoint without authenticating. Because the spoofed messages carry an internal sender address and are addressed to internal recipients, Exchange Online Protection (EOP) treats them as internal mail and applies far less of the scrutiny reserved for external senders, which lends the phishing attempt credibility.
## Technical Details
- Type: Technique/Configuration Abuse
- Platform: Microsoft 365 / Exchange Online
- Capabilities: Lets an unauthenticated, external sender inject messages into the tenant that appear to originate from an internal user. The messages still pass through EOP, but as apparently internal traffic they avoid the anti-spoofing and reputation checks applied to external mail, which makes the feature well suited to spoofing within the organization.
- First Seen: Microsoft added an opt-in "Reject Direct Send" control in April 2025 (public preview). The control is off by default, so tenants that have not enabled it remain exposed to the technique described here.
## MITRE ATT&CK Mapping
- **T1566 - Phishing** (primary technique: the Direct Send message is the lure)
- **T1566.001 - Spearphishing Attachment** (where the lure is carried as an attachment)
- **T1566.002 - Spearphishing Link** (where the lure is carried as a link)
- **T1656 - Impersonation** (the sender address of an internal user is spoofed)
- **T1078 - Valid Accounts** / **T1078.004 - Cloud Accounts** (follow-on objective only: Direct Send itself requires no credentials, so these map to the use of harvested Microsoft 365 credentials, not to message delivery)
## Functionality
### Core Capabilities
- Bypassing the anti-spoofing filtering applied to external mail by submitting messages through the Direct Send path, which is intended for on-premises devices and applications that send to internal recipients.
- Inheriting the trust users place in internal mail by making the phishing message appear to come from a known internal address, in contrast to an external lookalike domain that EOP and users would treat with suspicion.
### Advanced Features
- Until Microsoft added the Reject Direct Send control there was no tenant-level switch to turn Direct Send off. Messages sent this way come from IPs that are not in the tenant's SPF record and therefore fail SPF, but tenants that publish a soft-fail qualifier (`~all`), as was commonly recommended to keep hybrid and third-party routing working, gave EOP little reason to reject them.
## Indicators of Compromise
- File Hashes: N/A (Focus is on email configuration/methodology)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Delivery relies on legitimate Microsoft 365 infrastructure; the final destination of the phishing payload is not given in the source.)
- Behavioral Indicators: Messages with an internal From address, addressed to internal recipients, that entered through the tenant's MX endpoint from an external IP without authentication and fail SPF (and DMARC) for the organization's own domain.
## Associated Threat Actors
- Threat actors utilizing sophisticated social engineering techniques targeting Microsoft 365 environments. (No specific groups named in the context.)
## Detection Methods
- Signature-based detection: Not directly applicable; the delivery path is a legitimate Microsoft service and the message content varies.
- Behavioral detection: Review inbound messages whose sender and recipient domains are both the tenant's own, whose connecting IP is not one the organization legitimately sends from, and which fail SPF. Direct Send only delivers to internal recipients, so the recipient side is always internal; a burst of such messages from a single external IP to many mailboxes is a strong signal.
- YARA rules: N/A
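The following header-triage script is an added example written for this summary, not code from the original report. It applies the behavioral indicator described above to a message's headers: an internal From domain and internal recipient, but a connection from an IP outside the ranges the organization sends from, and an SPF failure for the organization's own domain. The tenant domain, the expected sender ranges, the two header samples and the hostnames in them are constructed; the use of the `X-MS-Exchange-Organization-AuthAs` header as a supporting signal assumes EOP marks unauthenticated submissions as `Anonymous`.

```python
"""Triage Microsoft 365 message headers for Direct Send-style internal spoofing.

Added example, not code from the original report. Flags messages that claim
an internal sender and recipient but arrived unauthenticated from an IP that
is not one the organization legitimately sends from, with SPF failing.
"""
import ipaddress
import re
from email.utils import parseaddr

# Constructed: the tenant's accepted domain and the ranges from which its own
# mail (on-premises relay, known devices) legitimately originates.
TENANT_DOMAIN = "contoso.com"
EXPECTED_SENDER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# EOP writes "spf=<result> (sender IP is <ip>)" into Authentication-Results.
AUTHRES_RE = re.compile(
    r"spf=(?P<spf>\w+)\s*\(sender IP is (?P<ip>[0-9A-Fa-f.:]+)\)", re.I)

# Constructed sample: Direct Send message from an external host spoofing payroll@.
SAMPLE_DIRECT_SEND = """\
Received: from mail.example.net (203.0.113.45) by
 CO1NAM11FT059.mail.protection.outlook.com (10.13.175.123) with Microsoft SMTP
 Server id 15.20.8000.1; Tue, 1 Jul 2025 09:14:02 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Payroll" <payroll@contoso.com>
To: <alice@contoso.com>
Subject: Action required: updated direct deposit form
"""

# Constructed sample: a scanner sending through the organization's own relay.
SAMPLE_LEGIT = """\
Received: from relay.contoso.com (198.51.100.10) by
 CO1NAM11FT059.mail.protection.outlook.com (10.13.175.123) with Microsoft SMTP
 Server id 15.20.8000.1; Tue, 1 Jul 2025 09:20:11 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=contoso.com
From: "Scanner" <scanner@contoso.com>
To: <alice@contoso.com>
Subject: Scanned document
"""


def parse_headers(raw: str) -> dict:
    """Unfold RFC 5322 header lines into {lowercased name: [values]}."""
    headers, current = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and current:  # folded continuation line
            headers[current][-1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            headers.setdefault(current, []).append(value.strip())
    return headers


def _domain(header_value: str) -> str:
    """Domain part of the first address in a From/To header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: str, tenant_domain: str = TENANT_DOMAIN) -> dict:
    """Return the extracted signals and whether the message matches the pattern."""
    h = parse_headers(raw)
    from_dom = _domain(h.get("from", [""])[0])
    to_dom = _domain(h.get("to", [""])[0])
    m = AUTHRES_RE.search(" ".join(h.get("authentication-results", [])))
    spf = m.group("spf").lower() if m else "none"
    ip = ipaddress.ip_address(m.group("ip")) if m else None
    external = ip is None or not any(ip in net for net in EXPECTED_SENDER_RANGES)
    # Assumed header semantics: EOP labels unauthenticated submissions "Anonymous".
    auth_as = h.get("x-ms-exchange-organization-authas", [""])[0].lower()

    reasons = []
    if from_dom == tenant_domain and to_dom == tenant_domain:
        if spf != "pass":
            reasons.append(f"internal From domain but spf={spf}")
        if external:
            reasons.append(f"source IP {ip} is outside the expected sender ranges")
        if auth_as == "anonymous":
            reasons.append("submission was unauthenticated (AuthAs: Anonymous)")
    suspicious = from_dom == to_dom == tenant_domain and spf != "pass" and external
    return {"from_domain": from_dom, "spf": spf,
            "source_ip": str(ip) if ip else None,
            "suspicious": suspicious, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("direct-send", SAMPLE_DIRECT_SEND), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

The verdict deliberately requires all three core conditions (internal-to-internal, SPF not passing, source outside the expected ranges) so that a misconfigured but legitimate relay, which would pass SPF or sit inside the known ranges, is not flagged; the `AuthAs` value is reported as supporting evidence only.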
## Mitigation Strategies
- **Enable the "Reject Direct Send" setting:** Turn on the `RejectDirectSend` organization setting that Microsoft introduced in April 2025 (available in the Exchange Admin Center and through `Set-OrganizationConfig`); it is off by default. Before enabling it, inventory devices and applications that rely on Direct Send and move them to authenticated SMTP client submission or a connector, because their mail will be rejected once the setting is on.
- **Implement a strict DMARC policy:** Publish `p=reject` for the organization's domains so that messages spoofing them and failing alignment are rejected rather than merely reported.
- **Flag unauthenticated internal messages:** Configure mail flow rules or policies to review or quarantine messages that fail SPF or DMARC for the organization's own domain, even though they appear to be internal.
- **Enforce SPF hard fail:** Publish `-all` rather than `~all` in the SPF record, and configure EOP's anti-spam policy to act on SPF hard fail.
- **Enable anti-spoofing policies:** Keep spoof intelligence and the anti-phishing policy's spoofing protections active in Microsoft 365, and review any spoofed-sender allow entries.
- **Employee training:** Train users specifically to recognize QR-code phishing and to scrutinize internal-looking emails that request credentials or unusual actions.
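Because several of the mitigations above come down to DNS TXT records, the following audit script is an added example (not from the original report) that parses the SPF and DMARC values an administrator would publish and reports the weak settings, soft fail and `p=none`, beside the hardened forms. All four records are constructed for `contoso.com` and no DNS lookups are performed; an operator would feed in the live TXT values instead.

```python
"""Audit SPF and DMARC TXT records for the settings that let spoofed mail through.

Added example, not code from the original report. Constructed records only;
no DNS resolution is done.
"""

# Constructed: weak and hardened record pairs for contoso.com.
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
SPF_HARD = "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.0/24 -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"
DMARC_HARD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc@contoso.com")

# Mechanisms/modifiers that cost one of the ten DNS lookups RFC 7208 allows.
LOOKUP_MECHS = {"a", "mx", "include", "exists", "redirect"}


def _mechanism(term: str) -> str:
    """Mechanism name of an SPF term, without qualifier, argument or CIDR."""
    body = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        body = body.split(sep, 1)[0]
    return body.lower()


def audit_spf(record: str) -> dict:
    """Report the 'all' qualifier and whether the record can stop spoofed sources."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    qualifier = None
    if all_terms:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # default qualifier is pass
    findings = []
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted sources are neutral")
    elif qualifier in "+?":
        findings.append(f"'{qualifier}all' permits or ignores unlisted sources")
    elif qualifier == "~":
        findings.append("'~all' soft fail: spoofed sources are only marked, not rejected")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return {"valid": True, "all_qualifier": qualifier, "findings": findings}


def audit_dmarc(record: str) -> dict:
    """Report the enforcement policy and gaps that weaken it."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record"]}
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("p=none: failures are reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked, not rejected")
    elif policy != "reject":
        findings.append(f"unrecognised or missing p= value: {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to spot spoofing")
    return {"valid": True, "policy": policy,
            "subdomain_policy": tags.get("sp", policy).lower(), "findings": findings}


if __name__ == "__main__":
    for label, rec in (("SPF weak", SPF_WEAK), ("SPF hard", SPF_HARD)):
        print(label, audit_spf(rec))
    for label, rec in (("DMARC weak", DMARC_WEAK), ("DMARC hard", DMARC_HARD)):
        print(label, audit_dmarc(rec))
```

A clean result from both functions means EOP has grounds to reject a spoofed internal sender, but the records only govern how authentication failures are treated; the definitive control against this technique is the tenant-level Reject Direct Send setting, which removes the unauthenticated delivery path altogether.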
## Related Tools/Techniques
- Email Spoofing techniques.
- Abuse of legitimate cloud service features for malicious purposes.