Threat actors are now abusing a legitimate feature of Microsoft 365 known as Direct Send phishing to deliver fraudulent emails that appear to come from internal users. This attack method bypasses traditional email defenses by exploiting a trusted mail flow configuration, making it especially dangerous in enterprise environments. In this article, we break down how this attack works, what makes it effective, and how to defend against it using Microsoft best practices and layered security controls.

a woman with a fishing pole simulating microsoft phishing using direct send

Understanding Direct Send in Microsoft 365

Microsoft 365 offers three ways to send mail from devices and applications: SMTP AUTH client submission, Microsoft 365 or Office 365 SMTP relay, and Direct Send. The Direct Send method allows email to be transmitted from an application or device (like a printer, scanner, or third-party app) directly to Microsoft 365 without authentication, as long as the IP is allowed and the domain is valid. According to Microsoft, this method supports internal email routing without needing user credentials. You can read more in their official documentation here.

How Attackers Are Exploiting Direct Send

By impersonating legitimate applications and spoofing trusted IPs, attackers can send phishing emails through Direct Send that appear to come from verified internal addresses. These emails often bypass SPF, DKIM, and DMARC checks because they technically originate from within the organization’s domain and IP allowances.

This tactic gives attackers a powerful advantage: the messages don’t look suspicious to email security filters or to users. Targets are more likely to engage with a message if it appears to come from a known colleague or internal system—especially when the content mimics invoice alerts, password change requests, or file-sharing notifications.

Why This Threat Is So Effective

Unlike typical phishing campaigns that rely on misspelled sender names or domain lookalikes, Direct Send phishing creates emails that pass as entirely legitimate in both metadata and presentation. That means:

  • The sender appears internal and familiar
  • Email filters may not flag the message as suspicious
  • End users are less likely to report the message
  • Security logs may not show obvious red flags

This creates a perfect storm of risk: high trust, low detection, and quick impact.

Recommended Mitigations and Best Practices

To protect against this type of abuse, organizations should follow Microsoft’s updated guidance on Direct Send configuration, outlined in their official documentation here.

Microsoft emphasizes several key safeguards:

  • Restrict the accepted IP addresses in the mail flow rule to only known and documented devices.
  • Disable Direct Send unless it’s absolutely necessary for business functions.
  • Use SMTP authentication with strong credentials and MFA whenever possible instead of unauthenticated Direct Send.
  • Monitor email headers and audit logs for unexpected traffic from non-mailbox sources.

Additionally, your organization should conduct regular phishing simulations to educate users on identifying unusual requests—even when they appear internal.

How Cost+ Helps Secure Your Microsoft 365 Environment

At Cost+, we proactively defend Microsoft 365 environments through a combination of prevention, monitoring, and response services. Our Security+ offering includes email threat detection, 24/7 monitoring, and hardening of misconfigured or vulnerable Microsoft 365 settings. We also assist with:

  • Configuring secure mail flow and anti-spoofing policies
  • Disabling unused protocols and reducing attack surface
  • Alerting on abnormal internal email behavior

For organizations that rely heavily on application-based email—such as CRMs, scanners, or cloud apps—we provide auditing and remediation through our Support+ team to ensure your Direct Send configuration doesn’t become an open door for attackers.

Next Steps for Security and IT Teams

If your organization uses Direct Send—or isn’t sure how it’s configured—it’s critical to perform an immediate review. Start by inventorying every device or application that’s allowed to send mail using this method. Then verify:

  • Each sending IP is expected and documented
  • No new mail flow rules have been added or modified unexpectedly
  • End user reports of “weird” internal messages are followed up with proper investigation

You should also configure alerts for any unusual spikes in email volume from IPs tied to Direct Send or apps using SMTP relay. These patterns often precede broader phishing campaigns.

Final Thoughts

Direct Send phishing is a reminder that even legitimate tools can become threat vectors when not properly governed. Microsoft’s built-in mail delivery flexibility helps businesses function efficiently—but it also creates opportunities for abuse if not configured securely.

By following Microsoft’s published best practices and layering your security defenses, you can reduce risk while preserving business continuity. Cost+ is here to help you close these gaps before they become exploited entry points.

Get in touch with us to schedule a review of your Microsoft 365 security posture—including Direct Send risk assessments and remediation planning.

By Thomas McDonald
Vice President