Key Points
- Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails
- The technique effectively circumvents perimeter security solutions by routing malicious emails through Microsoft 365's trusted infrastructure
- Requires no credentials or tokens, only knowledge of the target domain and valid recipient addresses
- This represents a critical gap in email security defenses by bypassing external security filters that scan inbound mail from external sources
Overview
The Mimecast threat research team continues to observe malicious email campaigns exploiting Microsoft 365's Direct Send functionality. This attack vector allows threat actors to send emails that appear to come from internal users without requiring authentication or account compromise. The technique has gained traction because it effectively bypasses perimeter security solutions and leverages the inherent trust users place in internal communications. This emerging threat represents a critical gap in email security defenses for organizations using Microsoft 365.
Attack Methodology
Direct Send is a legitimate Microsoft 365 feature designed to allow devices, applications, and third-party services to send emails directly to users' mailboxes without authentication. Attackers exploit this functionality by connecting to Microsoft 365's SMTP endpoint and sending emails that spoof internal senders. The attack process involves three key steps:
- Attackers identify valid organizational domains and recipient email addresses through reconnaissance.
- Emails are crafted to impersonate trusted internal users or departments, often mimicking common business communications like IT notifications or HR announcements.
- These spoofed emails are delivered directly through Microsoft 365's infrastructure, where they appear as internally routed messages.
Unlike traditional email spoofing, Direct Send abuse requires no authentication credentials: no username, password, or token. Attackers only need knowledge of the target organization's domain and valid recipient addresses. This technique is particularly effective because the emails traverse Microsoft 365's trusted infrastructure, making them appear legitimate to both security systems and end users. The lack of any authentication requirement means attackers can impersonate any internal user without needing to compromise a legitimate account.
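As an added example (not code from the Mimecast article), the following Python check flags the pattern described above from the defender's side: a message whose From address uses one of the tenant's own domains but which neither passes SPF nor carries a passing DKIM signature did not originate from the tenant's authenticated mail flow. The domain `contoso.example` and the Authentication-Results values are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the tenant's accepted (internal) domains.
INTERNAL_DOMAINS = {"contoso.example"}

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, value in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts[mech] = value.lower()
    return verdicts

def is_suspected_direct_send(raw):
    """True when an internal-looking sender arrives without passing SPF or DKIM."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
        return False  # external sender: ordinary inbound filtering applies
    v = auth_results(msg)
    # Mail that really left the tenant's own outbound flow passes SPF and is
    # DKIM-signed; a Direct Send message from an arbitrary host does neither.
    return v.get("spf") != "pass" and v.get("dkim") != "pass"

# Constructed sample messages (not captured from a real campaign).
SPOOFED = """\
From: IT Support <helpdesk@contoso.example>
To: alice@contoso.example
Subject: Password expiry notice
Authentication-Results: spf=softfail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.example

Scan the attached QR code to keep your mailbox active.
"""
LEGIT = """\
From: Bob <bob@contoso.example>
To: alice@contoso.example
Subject: Lunch
Authentication-Results: spf=pass smtp.mailfrom=contoso.example; dkim=pass header.d=contoso.example; dmarc=pass header.from=contoso.example

Noon?
"""
```

Run over a mailbox export, the check is a triage filter: messages it flags are candidates for quarantine and transport-rule tuning, not an automatic verdict.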
Campaign Information
Organizations face significant exposure to credential theft, business email compromise, and malware delivery through this attack vector. The implicit trust associated with internal communications increases the likelihood of successful user interaction with malicious content.
Recent campaigns have demonstrated the effectiveness of this technique, with threat actors successfully harvesting credentials and establishing footholds for lateral movement within targeted environments. The abuse of Direct Send has been particularly successful with organizations that rely heavily on email communications for business operations.
Although Direct Send abuse emails do not traverse Mimecast, recent campaigns we observed contain PDF or DOCX attachments with QR codes, or heavily obfuscated HTML attachments, all leading to credential-harvesting phishing pages.
Dimakatso Makinta