Microsoft 365 Direct Send Exploited for Internal Phishing: What You Need to Know

Threat actors are abusing a legitimate Microsoft 365 feature known as Direct Send to deliver phishing emails that appear to come from internal users. The technique sidesteps traditional email defenses by riding on a trusted mail flow path that requires no authentication, which makes it especially dangerous in enterprise environments. In this article, we break down how the attack works, what makes it effective, and how to defend against it using Microsoft's guidance and layered security controls.


Understanding Direct Send in Microsoft 365

Microsoft 365 offers three ways to send mail from devices and applications: SMTP AUTH client submission, Microsoft 365 or Office 365 SMTP relay, and Direct Send. Direct Send lets an application or device (a printer, scanner, or third-party app) hand mail straight to your tenant's MX endpoint on TCP port 25 without any credentials. The only requirements are that the sender address uses one of your accepted domains and that the recipients are inside your own organization; Microsoft recommends, but does not enforce, adding the device's public IP to your SPF record. Because no user account is involved, it is a convenient way to route internal notifications. You can read more in Microsoft's official documentation.

How Attackers Are Exploiting Direct Send

Attackers do not need a stolen password or a spoofed IP address to use it. Everything they need is public: the tenant's MX hostname is in DNS, and a valid internal address to place in the From header is easy to find or guess. They connect to that endpoint from infrastructure they control and submit a message that claims to be from an employee. Because the submission path is unauthenticated by design, the message is accepted even though it originates outside the organization, and in observed campaigns it often reaches the inbox even when it fails SPF, DKIM, and DMARC, because the tenant handles it as if it were internal traffic.

This tactic gives attackers a powerful advantage: the messages don’t look suspicious to email security filters or to users. Targets are more likely to engage with a message if it appears to come from a known colleague or internal system—especially when the content mimics invoice alerts, password change requests, or file-sharing notifications.

Why This Threat Is So Effective

Unlike typical phishing campaigns that rely on misspelled sender names or look-alike domains, Direct Send phishing puts a genuine internal address in the From header, so the message looks legitimate to the reader and to any filter that keys on the sender domain. That means:

  • The sender appears internal and familiar
  • Email filters may not flag the message as suspicious
  • End users are less likely to report the message
  • Security logs show nothing obviously wrong unless someone is specifically looking for unauthenticated submissions

This creates a perfect storm of risk: high trust, low detection, and quick impact.

Recommended Mitigations and Best Practices

To protect against this type of abuse, organizations should follow Microsoft’s updated guidance on Direct Send configuration, outlined in their official documentation here.

Microsoft emphasizes several key safeguards:

  • If Direct Send must remain enabled, restrict it: add a mail flow (transport) rule that rejects messages claiming one of your domains as sender unless they arrive from the documented IP addresses of your devices, and publish those same IPs in your SPF record.
  • Disable Direct Send entirely unless it is genuinely required for a business function; Exchange Online now offers a tenant-level setting to reject Direct Send, so the feature no longer has to stay on by default.
  • Prefer authenticated submission (SMTP AUTH client submission, ideally with OAuth, or the Microsoft Graph API) using strong, dedicated credentials. Note that SMTP AUTH is a non-interactive protocol and cannot complete an MFA prompt, so those accounts need separate protection such as tight scoping and credential rotation rather than MFA alone.
  • Monitor message headers and audit logs for mail that claims an internal sender but arrives unauthenticated from IPs that are not in your device inventory.
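The header check in the last point can be automated. The following is an added example written for this article, not code from Microsoft or from Cost+. It assumes a hypothetical tenant domain (contoso.com) and a hypothetical inventory of documented Direct Send devices; the two sample messages are constructed, but the Authentication-Results layout follows what Exchange Online stamps on inbound mail, including the "(sender IP is ...)" comment. A message is flagged when it claims an internal From address, neither SPF nor DKIM passed, and the connecting IP is not a documented device.

```python
"""Flag messages that claim an internal sender but were never authenticated.

Added example for this article; not code from Microsoft or from Cost+.
Assumes a hypothetical tenant domain and device inventory (below). The
sample messages are constructed.
"""
import email
import email.utils
import ipaddress
import re

INTERNAL_DOMAINS = {"contoso.com"}                              # hypothetical tenant domain
DOCUMENTED_DEVICE_IPS = {ipaddress.ip_address("198.51.100.7")}  # hypothetical scanner

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
_SENDER_IP_RE = re.compile(r"sender ip is ([0-9a-f.:]+)", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the connecting IP out of Authentication-Results."""
    results = {m.group(1).lower(): m.group(2).lower() for m in _AUTH_RE.finditer(value)}
    ip_match = _SENDER_IP_RE.search(value)
    results["sender_ip"] = ip_match.group(1) if ip_match else None
    return results


def assess_message(raw: str) -> dict:
    """Return a verdict dict. 'suspicious' is True for likely Direct Send abuse:
    internal From domain, no SPF/DKIM pass, and a source IP outside the inventory."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    sender_ip = ipaddress.ip_address(auth["sender_ip"]) if auth["sender_ip"] else None

    claims_internal = from_domain in INTERNAL_DOMAINS
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    documented = sender_ip in DOCUMENTED_DEVICE_IPS

    reasons = []
    if claims_internal and not authenticated:
        reasons.append(f"From {from_domain} but spf={auth.get('spf')}, dkim={auth.get('dkim')}")
    if claims_internal and not documented:
        reasons.append(f"source IP {sender_ip} is not a documented Direct Send device")
    return {
        "from": addr,
        "sender_ip": str(sender_ip) if sender_ip else None,
        "auth": auth,
        "suspicious": claims_internal and not authenticated and not documented,
        "reasons": reasons,
    }


# Constructed sample 1: likely Direct Send abuse. Internal From address,
# unknown external connecting IP, SPF and DMARC both fail.
ABUSE = """\
Received: from outbound.attacker.example (203.0.113.5) by
 tenant-mx.example.test (10.0.0.1) with SMTP; Mon, 30 Jun 2025 14:02:11 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com;
From: "Jane Doe (HR)" <jane.doe@contoso.com>
To: bob@contoso.com
Subject: Payroll update - signature required

Please review the attached document.
"""

# Constructed sample 2: the documented scanner. Same unauthenticated path,
# but the IP is in the inventory and in SPF, so SPF passes.
SCANNER = """\
Received: from scanner01 (198.51.100.7) by
 tenant-mx.example.test (10.0.0.1) with SMTP; Mon, 30 Jun 2025 14:05:40 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=contoso.com;
From: scanner@contoso.com
To: bob@contoso.com
Subject: Scanned document

See attached scan.
"""

if __name__ == "__main__":
    for name, raw in (("abuse", ABUSE), ("scanner", SCANNER)):
        verdict = assess_message(raw)
        print(name, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

In practice you would run this over messages exported from quarantine or a mailbox, not just two samples. The useful population is everything where the From domain is yours and SPF did not pass; the set of connecting IPs in that population tells you both who is attacking you and which undocumented devices are quietly using Direct Send.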

Additionally, your organization should conduct regular phishing simulations to educate users on identifying unusual requests—even when they appear internal.

How Cost+ Helps Secure Your Microsoft 365 Environment

At Cost+, we proactively defend Microsoft 365 environments through a combination of prevention, monitoring, and response services. Our Security+ offering includes email threat detection, 24/7 monitoring, and hardening of misconfigured or vulnerable Microsoft 365 settings. We also assist with:

  • Configuring secure mail flow and anti-spoofing policies
  • Disabling unused protocols and reducing attack surface
  • Alerting on abnormal internal email behavior

For organizations that rely heavily on application-based email—such as CRMs, scanners, or cloud apps—we provide auditing and remediation through our Support+ team to ensure your Direct Send configuration doesn’t become an open door for attackers.

Next Steps for Security and IT Teams

If your organization uses Direct Send—or isn’t sure how it’s configured—it’s critical to perform an immediate review. Start by inventorying every device or application that’s allowed to send mail using this method. Then verify:

  • Each sending IP is expected and documented
  • No new mail flow rules have been added or modified unexpectedly
  • End user reports of “weird” internal messages are followed up with proper investigation

You should also configure alerts for any unusual spikes in email volume from IPs tied to Direct Send or apps using SMTP relay. These patterns often precede broader phishing campaigns.

Final Thoughts

Direct Send phishing is a reminder that even legitimate tools can become threat vectors when not properly governed. Microsoft’s built-in mail delivery flexibility helps businesses function efficiently—but it also creates opportunities for abuse if not configured securely.

By following Microsoft’s published best practices and layering your security defenses, you can reduce risk while preserving business continuity. Cost+ is here to help you close these gaps before they become exploited entry points.

Get in touch with us to schedule a review of your Microsoft 365 security posture—including Direct Send risk assessments and remediation planning.

By Thomas McDonald
Vice President

June 30, 2025

What Business Email Compromise Looks Like Today—and How to Stop It

Business Email Compromise (BEC) is one of the most organized and costly cyber threats facing organizations today, and it is growing more sophisticated. Modern BEC schemes use compromised email accounts, AI-generated deepfakes, or domain spoofing to trick employees into approving fraudulent payments.


How BEC Has Evolved

Earlier BEC scams relied on spoofed domains or fake invoices. Today, attackers often hijack real email accounts or use AI-generated mimicry to craft convincing messages. According to the FBI, more than $26 billion has been lost to BEC scams in recent years, including incidents where large firms fell victim to fake invoice fraud.

Common Modern BEC Scenarios

  • CEO or executive impersonation: Attackers send urgent payment requests appearing to come from a trusted executive.
  • Account takeover: Hackers gain access to a legitimate business email account and send fraudulent requests from it.
  • Vendor invoice fraud: Fake invoice emails mimic real vendors and arrive just before payment cycles to avoid scrutiny.
  • AI-enhanced impersonation: Deepfake voices or synthetic emails make spoofed communication even harder to detect.

Red Flags to Watch For

  • Urgent or secretive tone
  • Requests outside normal payment processes
  • Slightly altered domain names or unfamiliar email addresses
  • Instructions to change banking information or bypass verification

How to Protect Your Business

1. Verify Via a Second Channel

Always confirm payment requests using an independent method—such as a direct phone call—not via the same email thread. This simple step can stop most fraud attempts.

2. Enable Email Authentication

Implement SPF, DKIM, and DMARC. These protocols let receiving mail servers verify that a message using your domain came from infrastructure you authorized, which makes your domain harder to spoof and your genuine mail easier to trust. Set DMARC to an enforcing policy (quarantine or reject); a p=none record only generates reports and blocks nothing. Learn more about DMARC from CISA.gov.
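Publishing the records is only half the job; the policy you actually published may still be the permissive one. The following is an added example written for this article, not code from CISA, Microsoft or Cost+. It grades an SPF record and a DMARC record the way a receiver would read them. DNS lookups are deliberately left out so it runs offline; the four records below are constructed for a hypothetical domain and show the common "monitoring only" setup beside an enforcing one.

```python
"""Grade a domain's published SPF and DMARC records for spoofing resistance.

Added example for this article; not code from CISA, Microsoft or Cost+.
Inputs are the TXT records you would fetch from <domain> and _dmarc.<domain>;
the records below are constructed for a hypothetical domain.
"""
import re

WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.7 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; adkim=s; aspf=s"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10)
_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC style) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record: str) -> list:
    """Findings for an SPF record: weak 'all' qualifier or too many DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record, so receivers cannot tell authorized hosts from anyone else"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted hosts get a neutral result")
    elif all_term[0] not in "-~?":          # bare 'all' means '+all'
        findings.append("SPF: '+all' authorizes every host on the internet to send as you")
    elif all_term[0] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif all_term[0] == "~":
        findings.append("SPF: '~all' is softfail; enforcement then depends on DMARC")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lower().lstrip("+-~?"))[0] in _LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def grade_dmarc(record: str) -> list:
    """Findings for a DMARC record: non-enforcing policy, partial pct, no reporting."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record; receivers apply no policy to mail spoofing your domain"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy '{policy}'")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see who is sending as you")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains spoofable")
    return findings


def grade_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks. 'enforcing' means spoofed mail is actually quarantined or rejected."""
    tags = parse_tags(dmarc_record)
    enforcing = (tags.get("p", "").lower() in ("quarantine", "reject")
                 and tags.get("pct", "100") == "100")
    return {"enforcing": enforcing,
            "findings": grade_spf(spf_record) + grade_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, grade_domain(spf, dmarc))
```

To grade a real domain, fetch the TXT records (for example with `dig TXT example.com` and `dig TXT _dmarc.example.com`) and pass the strings in. The weak pair above is what many tenants run for years: SPF softfail plus DMARC p=none, which reports spoofing but never stops it.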

3. Enforce MFA and Role-Based Access

Multi-factor authentication (MFA) stops most attackers who hold only a stolen password from logging into email accounts. Combine this with least-privilege access policies to limit who can approve payments.

4. Train Employees on BEC Awareness

Provide practical training on how to spot suspicious emails, spoofed domains, and signs of social engineering. Simulated attacks and phishing tests improve awareness across departments.

5. Use Dual Authorization for Payments

For larger transactions, require at least two people to approve before payment is released. This makes it harder for one compromised account to result in financial loss.

6. Deploy Threat Detection Tools

Secure email gateways and threat detection tools can catch impersonation attempts, monitor for abnormal behavior, and block messages from known malicious IPs or domains. Consider a solution that includes anomaly detection and adaptive controls.

Where Cost+ Comes In

Our Security+ service helps organizations prevent business email compromise with layered protection, DMARC enforcement, staff training, and payment workflow consulting.

Bottom Line

Today’s business email compromise threats go far beyond basic phishing. Attackers are well-organized, use advanced impersonation tactics, and exploit trust in your vendors and executives. With the right training, technology, and financial safeguards, you can reduce your exposure and avoid costly mistakes.

By Thomas McDonald
Vice President

June 27, 2025

What Israel’s Strikes on Iran Mean for Threat Intelligence and Business Cybersecurity

The recent military strikes between Israel and Iran have escalated rapidly, and while the headlines focus on missiles and drones, the digital fallout is already underway. The cybersecurity risks from Middle East conflicts are mounting, and businesses around the world, especially in the U.S., should take this moment seriously. State-backed cyber actors are increasingly targeting infrastructure, financial systems, and software supply chains in retaliation or as opportunistic moves during global instability.

In the 48 hours following Israel’s June 2025 airstrikes on Iranian targets, cybersecurity researchers observed a major surge in offensive cyber operations. Iranian-linked groups such as APT34 (also known as OilRig) and Charming Kitten are among the most active, leveraging phishing, malware, and intrusion campaigns to exploit the situation. While Israeli entities are the primary targets, the nature of global digital infrastructure means many attacks may spill over into unrelated regions and industries.

This hybrid warfare approach is not new—but it’s evolving. As geopolitical crises intensify, businesses thousands of miles away can be caught off guard by data theft, ransomware, or availability attacks that trace back to nation-state tensions.


Why Your Business Should Be Paying Attention

Cyberattacks tied to state conflict are rarely contained. Hackers often deploy malware that spreads across networks and cloud platforms, intentionally or not. Phishing emails that reference energy disruptions or geopolitical news can bypass basic filters and trick employees into downloading malware or disclosing credentials.

Companies relying on remote access systems, third-party vendors, or cloud infrastructure may already be exposed. These dependencies make it difficult to identify the origin of risk—and even harder to defend against it without a strong, up-to-date cybersecurity framework.

Six Steps to Strengthen Threat Readiness

1. Monitor emerging threat actors: Track global intelligence feeds focused on Iranian APT groups. Ensure your security team can detect known IoCs (indicators of compromise).

2. Harden email security: Configure spam filters to catch region-specific phishing attempts and deploy phishing simulations internally to improve user awareness.

3. Review remote access protocols: Enforce MFA on all remote entry points and remove unused accounts with elevated permissions.

4. Confirm supply chain resilience: Reach out to vendors—especially those in logistics, healthcare, finance, or SaaS—and ensure their cybersecurity programs are current and verified.

5. Test your backups and recovery plans: Confirm you have offline, immutable backups that are tested regularly and easily restorable in case of attack.

6. Run a tabletop exercise: Walk through a cyberattack scenario based on this conflict with your leadership team. Identify gaps and assign action items now—before a real-world breach occurs.

How Cost+ Helps Companies Stay Ahead of Geopolitical Threats

At Cost+, we stay on top of international threat activity and translate it into local, actionable risk management strategies. Our Security+ team provides 24/7 monitoring, email threat detection, vulnerability scanning, and rapid response planning. Our Cloud+ and Recovery+ services ensure your systems stay secure, recoverable, and resilient—no matter what’s happening on the world stage.

We also help companies review vendor relationships, validate existing controls, and design customized response plans aligned with real-time global threats. The Cost+ approach is simple: stay proactive, stay secure, and avoid the costly surprises that come from ignoring warning signs.

Get a Free Cybersecurity Checkup

Whether you’re unsure where your vulnerabilities are or want to confirm that your systems are ready for whatever comes next, we can help. Our team will conduct a thorough review and deliver straightforward recommendations—without pressure or long-term commitments.

Schedule your free security check today or call 800.840.9690 to speak directly with a cybersecurity expert at Cost+.


By Thomas McDonald
Vice President

June 15, 2025

Qualcomm Chip Exploits and Patch Guidance: What IT Leaders Must Know

Staying current on Qualcomm chip exploits and patch guidance is critical, especially after multiple zero-day vulnerabilities were disclosed in Q2 2025. With millions of mobile endpoints relying on Qualcomm chipsets, IT leaders must act swiftly to assess device exposure, apply vendor patches, and mitigate active exploitation risk.


Why This Matters Now

In May 2025, Qualcomm issued an urgent security bulletin addressing several CVEs in Snapdragon and other chip families. These zero-day flaws could enable remote code execution or privilege escalation, and threat intelligence platforms and CERT alerts have reported them as actively exploited in the wild. While the issue made headlines in consumer circles, the implications for enterprise IT are equally serious.

What Your Security Team Should Do

Here’s a focused action plan for security and device management teams:

  1. Inventory affected devices: Identify all company-owned and BYOD endpoints using Qualcomm chips. Check device models against the list below.
  2. Prioritize patching: Immediately apply vendor firmware or OS updates. For older or unmanaged devices, enforce temporary deactivation from sensitive networks.
  3. Segment networks: Create isolated VLANs or apply zero‑trust access for IoT and mobile endpoints.
  4. Deploy advanced monitoring: Use endpoint detection and response (EDR) solutions capable of spotting abnormal process behavior.
  5. Schedule recurring reviews: Reassess patch compliance weekly and conduct vulnerability scans focusing on chip-level weaknesses.

Affected Chipsets and Patch Status

Chipset Family          CVE IDs                           Patch Release
Snapdragon 8 Gen 1      CVE-2025-29401, CVE-2025-29402    May 15, 2025
Snapdragon 865 / 888    CVE-2025-29403                    May 22, 2025
Snapdragon 778G         CVE-2025-29404                    June 1, 2025

Source: Qualcomm Security Bulletin

How Attackers Exploit These Flaws

Depending on the flaw, exploitation can run attacker-controlled code in the chipset's firmware or in privileged components below the operating system, where traditional antivirus has no visibility. Once there, malware can stay hidden, escape OS sandboxing, and in the worst case survive OS updates. In enterprise settings, that puts corporate email, encryption keys, and sensitive client data on the device at risk.

Why This Is a Game-Changer

The chip-level nature of these vulnerabilities means that endpoint security must evolve. Merely installing OS updates is no longer sufficient. Security strategies must expand to include firmware-hardened EDR, rigorous patch orchestration for endpoint devices, and stricter network segmentation.

Action Checklist for IT Leaders

  • Run a full audit: Identify all Qualcomm-based smartphones, tablets, rugged devices in inventory.
  • Patch first, ask questions later: Enforce Update Immediately policies via MDM or endpoint management.
  • Enable runtime protection: Ensure endpoint solutions include chipset-level resilience.
  • Monitor post-patch performance: Watch for anomalies that may indicate exploitation attempts.
  • Educate users: Alert staff to apply updates and report unusual device behavior.

Staying Ahead of Chip-Level Threats

A security posture that ignores firmware vulnerabilities is incomplete. Device-level flaws demand stronger countermeasures. Organizations that act quickly, by identifying affected devices, deploying patches, and upgrading their monitoring, can substantially reduce the risk of silent compromise at the chip level.

To ensure your endpoints are thoroughly defended, learn more about our Security+ cybersecurity service, our local-first solution for continuous device protection, threat monitoring, and firmware management support. Contact us for help with Qualcomm patch planning and exposure assessment.

By Thomas McDonald
Vice President

June 9, 2025

Phishing-as-a-Service: The Rise of DIY Cybercrime

Phishing attacks are no longer the work of lone hackers operating in the shadows. Today, anyone with an internet connection—and a few dollars—can launch a sophisticated phishing campaign. The reason? A growing underground economy known as Phishing-as-a-Service (PhaaS).


Similar to legitimate SaaS platforms, PhaaS kits offer ready-made phishing templates, hosting infrastructure, technical support, and even dashboards to track results. The only difference is the purpose: to steal credentials, deliver malware, or compromise business systems. For organizations already stretched thin on cybersecurity, this democratization of cybercrime presents a serious challenge.

What Is Phishing-as-a-Service?

PhaaS platforms are pre-built toolkits or services that enable individuals—even those with no technical background—to launch targeted phishing campaigns. Some operate on dark web forums, while others exist in encrypted messaging channels or invite-only marketplaces. They often offer:

  • Pre-built phishing templates mimicking banks, email platforms, or cloud apps
  • Automated credential harvesting and data export tools
  • Subscription-based pricing tiers, complete with customer support
  • Delivery mechanisms that bypass common email filters

These services allow attackers to rent infrastructure instead of building it, lowering the barrier to entry and dramatically increasing the volume of threats.

Growing Use Across Attack Types

PhaaS kits are used in a variety of campaigns, from traditional credential phishing to business email compromise (BEC), MFA fatigue attacks, and QR code-based lures. According to a Microsoft Threat Intelligence report, these kits have evolved into modular ecosystems with regular updates, built-in obfuscation, and techniques to evade detection.

Some PhaaS operators even offer “results guarantees” and customer testimonials—removing the technical, ethical, and psychological barriers that once kept casual criminals out of the phishing business.

Why PhaaS Is So Dangerous

The greatest threat posed by PhaaS is scale. A single platform can equip thousands of attackers simultaneously, all targeting different sectors with different lures. As a result, even small and mid-sized businesses are now experiencing the same level of threat exposure as large enterprises. And because many kits are updated constantly to evade detection, traditional defenses alone may not be enough.

What Businesses Can Do

Mitigating PhaaS-fueled attacks requires a combination of layered defenses and user education. Organizations should:

  • Deploy advanced threat protection at the email gateway level
  • Implement multi-factor authentication across all accounts
  • Regularly test employees with simulated phishing exercises
  • Monitor for unusual sign-in behavior, especially from unfamiliar geolocations
  • Keep endpoint protection and detection tools up to date
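Two of the behaviours that PhaaS kits drive, MFA fatigue and sign-ins from places the user has never been, show up clearly in sign-in logs if you look for them. The following is an added example written for this article, not Cost+ or Microsoft code. The events are constructed; in practice they would come from your identity provider's sign-in log export, and the field layout (user, timestamp, country, result) is an assumed simplification, not a real vendor schema. Country change is used as a crude stand-in for geographic distance so the example needs no geo database.

```python
"""Two sign-in log detections: country changes too fast to be real, and
bursts of rejected MFA prompts (MFA fatigue).

Added example for this article; not Cost+ or Microsoft code. Events and
their field layout are constructed assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (user, UTC timestamp, country, result)
# result is one of: success, mfa_denied, mfa_timeout, password_failed
SAMPLE_EVENTS = [
    ("alice@contoso.com", "2025-06-02T08:00:00", "US", "success"),
    ("alice@contoso.com", "2025-06-02T08:42:00", "NG", "success"),      # 42 min later, other country
    ("bob@contoso.com",   "2025-06-02T09:00:00", "US", "success"),
    ("bob@contoso.com",   "2025-06-02T15:00:00", "GB", "success"),      # 6 h later: plausible travel
    ("carol@contoso.com", "2025-06-02T22:01:00", "US", "mfa_denied"),
    ("carol@contoso.com", "2025-06-02T22:02:00", "US", "mfa_denied"),
    ("carol@contoso.com", "2025-06-02T22:03:00", "US", "mfa_timeout"),
    ("carol@contoso.com", "2025-06-02T22:04:00", "US", "mfa_denied"),
    ("carol@contoso.com", "2025-06-02T22:05:00", "US", "mfa_denied"),
    ("carol@contoso.com", "2025-06-02T22:06:00", "US", "success"),      # user finally tapped Approve
]

MFA_REJECTS = {"mfa_denied", "mfa_timeout"}


def _by_user(events):
    """Group events per user as sorted (datetime, country, result) tuples."""
    grouped = defaultdict(list)
    for user, ts, country, result in events:
        grouped[user].append((datetime.fromisoformat(ts), country, result))
    for evs in grouped.values():
        evs.sort()
    return grouped


def find_impossible_travel(events, window_minutes=60):
    """Return (user, t1, country1, t2, country2) for consecutive successful
    sign-ins from different countries closer together than window_minutes."""
    hits = []
    window = timedelta(minutes=window_minutes)
    for user, evs in _by_user(events).items():
        successes = [(t, c) for t, c, r in evs if r == "success"]
        for (t1, c1), (t2, c2) in zip(successes, successes[1:]):
            if c1 != c2 and t2 - t1 < window:
                hits.append((user, t1, c1, t2, c2))
    return hits


def find_mfa_fatigue(events, threshold=4, window_minutes=10):
    """Return (user, rejected_count, approved_afterwards) when a user rejects or
    ignores at least `threshold` MFA prompts inside window_minutes. A success
    right after the burst is the worst case: the user gave in and approved."""
    hits = []
    window = timedelta(minutes=window_minutes)
    for user, evs in _by_user(events).items():
        rejects = [t for t, _, r in evs if r in MFA_REJECTS]
        for i, start in enumerate(rejects):
            burst = [t for t in rejects[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved = any(r == "success" and burst[-1] < t <= burst[-1] + window
                               for t, _, r in evs)
                hits.append((user, len(burst), approved))
                break   # one finding per user is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", hit)
    for hit in find_mfa_fatigue(SAMPLE_EVENTS):
        print("mfa fatigue:", hit)
```

The thresholds are starting points, not tuned values: a 60-minute window and four rejected prompts will catch the obvious cases on constructed data, and you should adjust them against your own baseline of travelling users and clumsy phone taps before paging anyone on them.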

It's also critical to understand that PhaaS represents a shift in the threat model. Phishing is no longer limited by the attacker's skill; with PhaaS, the intent to steal information is all that's required, and the tools are readily available.

Conclusion

Phishing as a Service is reshaping the cybersecurity landscape. What was once a specialized threat has become a mass-market product, sold and distributed with the ease of an app. For defenders, this means staying ahead requires more than blocking known threats. It requires anticipating how accessible cybercrime has become—and acting accordingly.

For further insight into the industrialization of phishing, see CISA’s advisory on phishing services.

By Thomas McDonald
Vice President

June 2, 2025