Overview
Over the past few weeks, our Incident Response and SOC teams have detected a widespread phishing campaign targeting primarily U.S.-based organizations, including those in the financial services, healthcare, insurance, construction, manufacturing, and engineering sectors. The campaign leverages Microsoft 365’s Direct Send feature—a legitimate functionality typically used by printers, scanners, or internal applications to send emails without authentication—to spoof internal addresses and bypass standard email protections.
Why It’s So Dangerous
- No credentials needed – attackers can send messages that appear to originate from a trusted internal source without compromising any account.
- Passes internal routing rules – because emails route via tenantname.mail.protection.outlook.com, SPF, DKIM, and DMARC checks are bypassed, and Microsoft or third-party gateways often treat the messages as internal mail.
- Simple tools, serious impact – all that’s needed is the target’s domain and a guessed or scraped email format (e.g., first.last@company.com) along with a PowerShell script like:
Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com -To joe@company.com -From joe@company.com -Subject "New Missed Fax-msg" …
Attack Tactics & Phish Strategy
- Lure via voicemail/fax themes: Subjects include “New Missed Fax‑msg” or “Caller Left VM Message.”
- Quishing payload: PDF attachments branded with the company logo embed a QR code, prompting users to scan and redirect to counterfeit Microsoft login pages for credential theft.
- Evasion signals: Emails originate from external or unusual IPs (e.g., Ukraine-based 139.28.X.X), users emailing themselves via PowerShell, and mismatched or absent SPF/DKIM/DMARC headers, yet still delivered internally.
Mitigations & Remediations
1. Disable or Restrict Direct Send
If Direct Send is not essential, disable it entirely using PowerShell:
Connect-ExchangeOnline                                    # sign in with an Exchange Online admin account
Set-OrganizationConfig -RejectDirectSend $true            # reject unauthenticated Direct Send submissions
Get-OrganizationConfig | Select-Object RejectDirectSend   # confirm the setting now reads True
This blocks unauthenticated email submissions through Direct Send altogether.
If it’s required for devices, restrict it to the specific source IP addresses or connectors those devices use, or move the devices to authenticated SMTP submission instead of unauthenticated Direct Send.
2. Strengthen Email Authentication Policies
- Implement SPF with hard-fail (-all) to reject unauthorised sources.
- Enforce a strict DMARC policy (p=reject) to block or quarantine spoofed messages.
- Enable DKIM signatures wherever possible.
3. Activate Anti‑Spoofing and Layered Filtering
- Flag or quarantine internal-looking emails that fail authentication, especially those spoofing internal recipients.
- Apply Anti-Spoofing policies and ensure that all inbound mail—regardless of apparent source—passes through your email security gateway or EOP filters.
4. Improve Monitoring and Detection
Build detection rules and SIEM alerts for:
- Messages sent to the same user as the sender.
- Use of PowerShell or command-line user agents.
- Emails delivered through smart hosts from external or anomalous IP ranges, especially foreign geolocations without login events.
- Mismatched tenant IDs in headers, SPF/DKIM/DMARC failures for internal addresses.
Also, review logs for smart host access and alert on unusual behavior, such as internal-looking mail submitted from unknown IPs or scripting tools.
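As an added example (not code from the original post), the signals listed in this section turned into a header triage function: it flags self-addressed mail, an internal From: address that failed SPF/DMARC, a first-hop IP outside the known device range, and a scripted client banner. The tenant domain company.com, the trusted device range 198.51.100.0/24, and both header samples are assumptions constructed for the demonstration.

```python
import email.policy
import ipaddress
import re
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "company.com"                                  # assumed tenant domain
TRUSTED_DEVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed printer/scanner egress range

def first_hop_ip(msg):
    # The bottom-most Received header is the earliest hop: the client that hit the smart host.
    for hdr in reversed(msg.get_all("Received") or []):
        m = re.search(r"from\s+(?:\S+\s+)?\(?\[?(\d{1,3}(?:\.\d{1,3}){3})", hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def direct_send_findings(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses([str(msg.get("To", ""))])}
    auth = str(msg.get("Authentication-Results", "")).lower()
    internal_from = sender.endswith("@" + INTERNAL_DOMAIN)
    if sender and sender in rcpts:
        findings.append("self-addressed")                    # user "emailing themselves"
    if internal_from and any(k in auth for k in ("spf=fail", "dmarc=fail", "compauth=fail")):
        findings.append("internal-sender-auth-fail")         # internal From: yet SPF/DMARC failed
    if internal_from and (ip := first_hop_ip(msg)) is not None and not any(ip in n for n in TRUSTED_DEVICE_NETS):
        findings.append(f"untrusted-source-ip:{ip}")         # smart host reached from outside device range
    client = str(msg.get("X-Mailer") or msg.get("User-Agent") or "").lower()
    if any(c in client for c in ("powershell", "python", "curl")):  # only present if the client sets it
        findings.append("scripted-client")
    return findings

# Constructed samples (not real traffic): a Direct Send phish and a legitimate scanner message.
PHISH_SAMPLE = """\
Received: from 203.0.113.45 (203.0.113.45) by company-com.mail.protection.outlook.com with SMTP
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=company.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=company.com; compauth=fail reason=001
From: joe@company.com
To: joe@company.com
Subject: New Missed Fax-msg
X-Mailer: Microsoft PowerShell
"""
PRINTER_SAMPLE = """\
Received: from 198.51.100.20 (198.51.100.20) by company-com.mail.protection.outlook.com with SMTP
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=company.com; dmarc=pass action=none header.from=company.com; compauth=pass reason=109
From: scanner@company.com
To: joe@company.com
Subject: Scanned document
"""
```

Feeding message-trace exports or raw headers through direct_send_findings gives the per-message evidence a SIEM rule can count; two or more signals on one message is a reasonable alert threshold to start from.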
5. Employee Awareness & QR‑Code Phishing Education
- Train staff to question PDF attachments that ask for QR scanning, especially if they reference voicemails or faxes.
- Encourage employees to verify internal-looking emails before scanning codes or clicking links.
6. Enforce MFA & Conditional Access
Require Multi-Factor Authentication for all accounts and use Conditional Access policies to limit sign‑in risk, reducing impact if credentials are phished.
Summary Table
| Threat Vector | Description | Recommended Action |
|---|---|---|
| Direct Send abuse | Unauthenticated mail sent via the tenant smart host looks internal | Disable Direct Send or restrict it |
| Quishing PDFs | QR-code-laced PDFs redirect to fake login pages | Train employees; treat QR codes with caution |
| Authentication bypass | Spoofed mail routed through the smart host bypasses SPF, DKIM, and DMARC checks | Enforce strict email authentication policies |
| Spoofed From: internal | No credential compromise needed to spoof an internal sender | Monitor headers and behavior logs; flag anomalies |
| External IP traffic | Foreign IPs send mail disguised as internal | Alert on geo-anomaly activity |
Final Thoughts
This emerging campaign underscores a critical blind spot: internal-looking messages should not be trusted by default. Direct Send—designed for convenience—can become a lightning rod for credential theft if not properly overseen. Organizations must assume zero trust even within Microsoft 365 by disabling unnecessary features, hardening authentication, and improving behavioral monitoring.
At SOClogix, we help organizations secure their Microsoft 365 environments by identifying configuration gaps like exposed Direct Send pathways, implementing robust email authentication protocols, and deploying advanced phishing detection and response strategies. Our team specializes in proactive threat hunting, secure email architecture, and continuous user awareness training, ensuring that your business stays ahead of evolving phishing tactics. Let SOClogix be your partner in fortifying trust, one email at a time. Contact us today!