Threat Actors Abuse Microsoft 365 Direct Send in Phishing Campaigns

Over the last several months, security researchers have observed threat actors targeting Microsoft 365 (M365) accounts in phishing campaigns that bypass security controls. The technique allows threat actors to spoof internal M365 users and deliver emails using Microsoft Exchange Online’s Direct Send function. Direct Send lacks proper authentication and is easily exploitable, making it a desirable tactic for threat actors. Microsoft allows emails to be sent using Direct Send by default if the emails are sent from the organization’s accepted domain.

Microsoft 365 administrators can enable “Reject Direct Send” to block unauthenticated Direct Send traffic at the tenant level; the same setting can also be applied using PowerShell. In addition to disabling Direct Send, the NJCCIC recommends following Microsoft’s Email Security Best Practices for M365, including identifying SPF/DKIM/DMARC failures, using authenticated SMTP client submission or SMTP relay restricted to specific IP addresses, implementing strict DMARC policies, configuring SPF to hardfail, and enforcing MFA for M365 accounts.
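The tenant-level change and the SPF/DMARC checks above, as an added PowerShell example that is not part of the NJCCIC advisory or Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Exchange Administrator role, and `Resolve-DnsName` is available; `example.com` and the UPN are placeholders.

```powershell
# Added example, not from the NJCCIC advisory. Assumes the ExchangeOnlineManagement
# module, an Exchange Administrator account, and Resolve-DnsName (DnsClient module).
# $Domain and the UPN below are placeholders for the tenant's accepted domain and admin.
$Domain = 'example.com'
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Current tenant setting. $false means unauthenticated Direct Send is still accepted.
$before = (Get-OrganizationConfig).RejectDirectSend
"RejectDirectSend before: $before"

# 2. Reject unauthenticated Direct Send at the tenant level. Devices or apps that relied
#    on Direct Send must first move to authenticated SMTP client submission or an
#    IP-restricted SMTP relay connector, or their mail will be rejected as well.
if (-not $before) {
    Set-OrganizationConfig -RejectDirectSend $true
}

# 3. Verify the change took effect.
$after = (Get-OrganizationConfig).RejectDirectSend
if ($after) { 'Direct Send: rejected' } else { Write-Warning 'Direct Send is still accepted' }

# 4. SPF should end in -all (hardfail); ~all or ?all only softfail or neutral spoofed mail.
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
       ForEach-Object { $_.Strings -join '' } |
       Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
if (-not $spf)                 { Write-Warning "No SPF record for $Domain" }
elseif ($spf -match '\s-all$') { "SPF hardfail OK: $spf" }
else                           { Write-Warning "SPF is not hardfail: $spf" }

# 5. DMARC should be p=reject (p=quarantine as a minimum); p=none only reports.
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
         ForEach-Object { $_.Strings -join '' } |
         Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc)                                   { Write-Warning "No DMARC record for $Domain" }
elseif ($dmarc -match '(^|;)\s*p=reject')          { "DMARC strict OK: $dmarc" }
elseif ($dmarc -match '(^|;)\s*p=quarantine')      { "DMARC quarantine (consider p=reject): $dmarc" }
else                                               { Write-Warning "DMARC is not enforcing: $dmarc" }

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 1 alone first on a tenant where SMTP-capable devices still use Direct Send, since step 2 also rejects their unauthenticated mail.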

For additional information and guidance, review the Varonis blog post.