Current Cyber Threats

Ongoing Campaign Abuses Microsoft 365's Direct Send to Deliver Phishing Emails

Summary:
A sophisticated phishing campaign, active since May 2025, is exploiting a little-known and inherently risky Microsoft 365 feature called "Direct Send" to bypass traditional email security controls and steal credentials. The feature, intended to let unauthenticated internal devices (printers, scanners, line-of-business applications) send mail, allows external threat actors to submit internal-looking emails through a target organization's own smart host. By leveraging Direct Send, attackers circumvent the authentication protocols SPF, DKIM, and DMARC, so their messages appear legitimate even though they originate from external and often suspicious IP addresses. The campaign has targeted over 70 organizations across the financial services, manufacturing, construction, engineering, healthcare, and insurance sectors, and over 95% of victims are based in the United States; the attackers use PowerShell to deliver fake voicemail or fax notifications. Unusually, the lure relies on QR codes embedded in company-branded PDF attachments: the recipient is told to scan the code to listen to the voicemail and is redirected to a convincing fake Microsoft login page that harvests credentials.
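
The abuse pattern described above leaves a recognisable trace in the Authentication-Results header that Exchange Online Protection stamps on every message: the header.from domain is the organization's own, yet SPF and DMARC fail and the connecting IP is one the tenant does not use. The following PowerShell script is an added example for this brief, not code from Varonis or Microsoft. It assumes a constructed tenant that owns contoso.com and whose only legitimate Direct Send devices sit in 203.0.113.0/24; the function names (Test-IpInCidr, Get-AuthField, Test-DirectSendAbuse) and the two sample header blocks are constructed for illustration and contain no real indicators.

```powershell
# Added example (not from the Varonis post). Constructed tenant assumptions:
# we own contoso.com, and 203.0.113.0/24 holds the only on-premises devices that
# are allowed to relay unauthenticated mail through our smart host.
$OurDomains   = @('contoso.com')
$KnownSenders = @('203.0.113.0/24')

# IPv4-only CIDR membership test; enough for a short device allow-list.
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $maskBits = [Math]::Min(8, [Math]::Max(0, [int]$bits - 8 * $i))
        $mask = (0xFF -shl (8 - $maskBits)) -band 0xFF
        if (($netBytes[$i] -band $mask) -ne ($ipBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

# Pull one named field (first capture group) out of an Authentication-Results line.
function Get-AuthField {
    param([string]$Line, [string]$Pattern)
    if ($Line -match $Pattern) { return $Matches[1] }
    return $null
}

# Classify one message from its raw header block. Direct Send abuse looks like:
# our own domain in header.from, SPF/DMARC not passing, and an unrecognised sender IP.
function Test-DirectSendAbuse {
    param([string]$RawHeaders)
    # Unfold RFC 5322 continuation lines, then find the EOP Authentication-Results line.
    $unfolded = $RawHeaders -replace "\r?\n[ \t]+", ' '
    $authLine = ($unfolded -split "\r?\n") |
        Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    if (-not $authLine) {
        return [pscustomobject]@{ Verdict = 'NoAuthResults'; FromDomain = $null; SenderIp = $null }
    }

    $spf      = Get-AuthField $authLine 'spf=(\w+)'
    $dmarc    = Get-AuthField $authLine 'dmarc=(\w+)'
    $fromDom  = Get-AuthField $authLine 'header\.from=([\w.-]+)'
    $senderIp = Get-AuthField $authLine 'sender IP is ([\d.]+)'

    $internalFrom = $fromDom -and ($OurDomains -contains $fromDom.ToLower())
    $authFailed   = ($spf -ne 'pass') -or ($dmarc -ne 'pass')
    $ipKnown      = $false
    if ($senderIp) {
        foreach ($cidr in $KnownSenders) { if (Test-IpInCidr $senderIp $cidr) { $ipKnown = $true } }
    }

    $verdict = 'SuspectDirectSend'
    if (-not $internalFrom)   { $verdict = 'External' }
    elseif (-not $authFailed) { $verdict = 'AuthenticatedInternal' }
    elseif ($ipKnown)         { $verdict = 'KnownDirectSendDevice' }

    [pscustomobject]@{
        Verdict    = $verdict
        FromDomain = $fromDom
        SenderIp   = $senderIp
        Spf        = $spf
        Dmarc      = $dmarc
    }
}

# Constructed sample headers (not real IoCs): a spoofed "voicemail" lure that arrived
# via Direct Send, and a normal internal message that passed all three checks.
$Suspect = @"
Received: from 198.51.100.7 (198.51.100.7) by CONTOSO.mail.protection.outlook.com
From: "Voicemail Service" <voicemail@contoso.com>
Subject: New voicemail (00:42)
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com;compauth=none reason=451
"@

$Normal = @"
From: "Alice Example" <alice@contoso.com>
Subject: Q3 budget
Authentication-Results: spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=contoso.com;
 dkim=pass header.d=contoso.com;dmarc=pass action=none header.from=contoso.com;
"@

Test-DirectSendAbuse $Suspect | Format-List
Test-DirectSendAbuse $Normal  | Format-List
```

The same logic can be applied to a message-trace export or to the headers of quarantined mail; the KnownDirectSendDevice verdict is what makes the check safe to run before Direct Send is disabled, since it separates the organization's own unauthenticated devices from external abuse.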

Security Officer Comments:
This ongoing phishing campaign highlights a critical weakness stemming from the default configuration of a legitimate, but exploitable, Microsoft 365 feature. The attackers' use of "Direct Send" to bypass standard email authentication mechanisms (SPF, DKIM, DMARC) is particularly notable, as it renders traditional perimeter defenses less effective. The pivot to QR code-based phishing within PDF attachments further complicates detection, since it sidesteps the URL-scanning and link-analysis tools used by email security gateways and adds another layer of social engineering to the lure. The broad targeting across critical sectors, especially financial services and healthcare, underscores the potential for significant data breaches and operational disruption that could affect millions. Organizations, especially those in the targeted sectors, are recommended to immediately review their Microsoft 365 Direct Send configuration and, ideally, disable the feature unless it is essential. Additionally, user awareness training must be updated to specifically address QR code phishing and the deceptive nature of seemingly internal, unauthenticated communications. The observed use of Ukrainian IP addresses and the ability to pass multiple security checks by relaying through an organization's own smart host are strong indicators of a well-organized and technically proficient adversary.

Suggested Corrections:
IOCs are available here.

Varonis Recommendations:
  • Enable “Reject Direct Send” in the Exchange Admin Center.
  • Implement a strict DMARC policy (e.g., p=reject).
  • Flag unauthenticated internal emails for review or quarantine.
  • Enforce “SPF hardfail” within Exchange Online Protection (EOP).
  • Use Anti-Spoofing policies.
  • Educate users on the risks associated with QR code attachments (Quishing attacks).
  • It’s always recommended to enforce MFA on all users and have Conditional Access Policies in place, in case a user’s credentials are stolen.
  • Enforce a static IP address in the SPF record to prevent unwanted send abuse — this is recommended by Microsoft but not required.
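
The tenant-side recommendations above (reject Direct Send, SPF hard-fail, anti-spoofing, quarantining unauthenticated internal mail, and a DMARC check) can be applied from Exchange Online PowerShell. The script below is an added example for this brief, not Varonis's or Microsoft's own code. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, the default policy names that Exchange Online creates ('Default' for anti-spam, 'Office365 AntiPhish Default' for anti-phishing), and a constructed accepted domain contoso.com; the transport rule name and comment are placeholders.

```powershell
# Added example (not from the Varonis post). Requires ExchangeOnlineManagement and
# Exchange administrator rights. Read each step before running it: rejecting Direct
# Send and hard-failing SPF will also stop legitimate devices that relay unauthenticated
# mail through the smart host, so inventory those senders first.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Reject Direct Send tenant-wide. Record the current value so the change can be reverted.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before change: $before"
Set-OrganizationConfig -RejectDirectSend $true

# 2. SPF hard fail: mark messages from IPs explicitly excluded by the sender's SPF record as spam.
Set-HostedContentFilterPolicy -Identity 'Default' -MarkAsSpamSpfRecordHardFail On

# 3. Anti-spoofing: make sure spoof intelligence is enabled in the default anti-phishing policy.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -EnableSpoofIntelligence $true

# 4. Quarantine mail that claims to come from our own domain but fails SPF or DMARC,
#    as recorded in the Authentication-Results header stamped by EOP.
#    'contoso.com' is a constructed placeholder for the tenant's accepted domain.
New-TransportRule -Name 'Quarantine unauthenticated internal senders' `
    -SenderDomainIs 'contoso.com' `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=fail', 'spf=fail' `
    -Quarantine $true `
    -Comments 'Placeholder comment: added after review of Direct Send abuse'

# 5. Confirm the published DMARC policy is p=reject (Resolve-DnsName ships with Windows' DnsClient module).
Resolve-DnsName -Name '_dmarc.contoso.com' -Type TXT |
    Select-Object -ExpandProperty Strings

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 is the one most likely to catch legitimate traffic, so it is worth creating the rule with -Mode Audit first and reviewing the matches in message trace before switching it to enforcement; step 1 should likewise be preceded by a list of every printer, scanner and application that currently relays through the smart host, since those will need an authenticated SMTP client submission or connector instead.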
Link(s):
https://www.varonis.com/blog/direct-send-exploit