Summary: Threat actors are actively exploiting Microsoft 365’s Direct Send feature to deliver phishing emails that appear to originate from within an organization. Direct Send is intended for unauthenticated internal relays from devices such as printers; the attackers leverage it to inject spoofed messages that appear to originate internally, allowing them to send malicious payloads to Microsoft 365 users. They use unsecured third-party email security appliances as SMTP relays and virtual private servers to inject messages into Microsoft 365 tenants. Although Microsoft’s composite authentication checks flag these messages, they are often still delivered to the user's junk folder rather than rejected, bypassing built-in defenses. The phishing lures are highly effective and business-themed, using pretexts such as task reminders and wire authorizations.
Security Officer Comments: The exploitation of Microsoft 365's Direct Send is a notable threat vector because it weaponizes a legitimate feature to bypass sender verification controls. Attackers are effectively using this to send unauthenticated emails with the credibility of an internal sender. The delivery to the junk folder, despite authentication failures, highlights a gap in security. This method is part of a broader trend where attackers abuse trusted cloud services, making it crucial for organizations to address Direct Send abuse by reassessing their email authentication policies and configurations. Organizations should regard Direct Send as a risk vector and develop policies accordingly.
Determine if your organization is actively using Direct Send; if appropriate, enable “Reject Direct Send” via PowerShell: Set-OrganizationConfig -RejectDirectSend $true
Audit mail flow rules and inbound connectors for accepted unauthenticated relay IPs; monitor Authentication-Results message headers for spoofing attempts that Microsoft flags with compauth=fail
Enforce email authentication (SPF, DKIM, DMARC) with strict DMARC reject and SPF hard-fail policies where possible, partnering with a trusted service to ensure that legitimate email remains deliverable
Use advanced email security solutions to bolster Microsoft’s native protections
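Added example, not part of the original advisory: a Python triage helper for the header check recommended above. It parses the Authentication-Results header that Exchange Online Protection stamps on inbound mail and flags messages whose From: address uses one of the organization's own domains while failing composite authentication (compauth=fail), which is the pattern a Direct Send spoof produces (an internal-looking sender relayed from an IP the domain's SPF record does not authorize). The ORG_DOMAINS set and the three sample messages are constructed for the example; the compauth reason code is reported but not interpreted.

```python
"""Triage inbound mail for suspected Direct Send spoofing.

Added example (not from the advisory). Assumes ORG_DOMAINS holds the tenant's
accepted domains; all sample messages below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the organization's own (accepted) domains in Microsoft 365.
ORG_DOMAINS = {"example.com"}

# Constructed sample: mail injected via an unauthenticated relay, claiming an
# internal sender. EOP fails SPF/DMARC and stamps compauth=fail.
SPOOFED = b"""Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=example.com;compauth=fail reason=001
From: "IT Helpdesk" <it-helpdesk@example.com>
To: alice@example.com
Subject: Reminder: pending task requires your approval

Please review the attached wire authorization form.
"""

# Constructed sample: genuine internal mail that passes composite authentication.
LEGIT = b"""Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com;dmarc=pass action=none header.from=example.com;compauth=pass reason=100
From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Q3 budget

Attached as discussed.
"""

# Constructed sample: an external domain failing authentication. Still a
# failure, but not the internal-sender pattern Direct Send abuse relies on.
EXTERNAL_FAIL = b"""Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=partner.example; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=partner.example;compauth=fail reason=001
From: "Vendor" <billing@partner.example>
To: alice@example.com
Subject: Invoice

See attached.
"""


def parse_auth_results(msg):
    """Extract spf/dkim/dmarc/compauth verdicts and the compauth reason code."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=([A-Za-z]+)", hdr):
            results.setdefault(m.group(1), m.group(2).lower())
        m = re.search(r"\breason=(\d+)", hdr)
        if m:
            results.setdefault("reason", m.group(1))
    return results


def from_domain(msg):
    """Domain of the visible From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Classify one raw RFC 5322 message.

    Returns a dict with a verdict plus the parsed authentication results:
      suspected_direct_send_spoof - From: is an org domain and compauth=fail
      auth_failure_external        - compauth=fail from a non-org domain
      authenticated                - compauth=pass
      no_auth_results              - header missing (mail never crossed EOP?)
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    auth = parse_auth_results(msg)
    domain = from_domain(msg)
    internal = domain in ORG_DOMAINS
    if "compauth" not in auth:
        verdict = "no_auth_results"
    elif auth["compauth"] == "pass":
        verdict = "authenticated"
    elif internal:
        verdict = "suspected_direct_send_spoof"
    else:
        verdict = "auth_failure_external"
    return {"verdict": verdict, "from_domain": domain, "internal_from": internal, **auth}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL_FAIL)):
        print(name, triage(raw))
```

Run against messages exported from a mailbox or a junk-folder sweep; a steady stream of suspected_direct_send_spoof verdicts is the signal that the tenant still accepts Direct Send and that the rejection setting or connector restrictions above should be applied.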