Skip to content
Menu
IT-DRAFTS
  • About
  • My Statistics at Microsoft Q&A
  • Privacy policy
IT-DRAFTS
July 2, 2025July 2, 2025

Phishing Without a Password: How Attackers Hijacked Microsoft 365’s Direct Send

hi. buckle up. we’re talking about emails that look like they came from your coworker, were sent through your own domain, and landed right inside your users’ inboxes…

…without a single login, compromised account, or auth token.
this ain’t magic. this is Microsoft 365 Direct Send — and it just got weaponized.

what’s Direct Send anyway?

it’s a legit M365 feature. sounds innocent:
“send email directly from a local app or device through your tenant’s smart host.”

like: your scanner → sends PDF to your inbox. or your fax machine, if you still live in 2003.

how it works:

  • anyone who knows your domain can guess your smart-host pattern
    (e.g. your-company-com.mail.protection.outlook.com)

  • and then: send mail through your tenant’s SMTP relay

  • as long as it’s to a valid recipient — it goes through

  • no login. no token. no OAuth. just SMTP and vibes.

enter the exploit: phishing-as-a-service

Varonis Threat Labs found it in May 2025:
a phishing campaign targeting 70+ orgs, mostly US-based, mostly financial, engineering, health & insurance.

attackers used:

  • PowerShell + SMTP

  • external IPs from Ukraine (139.28.36[.]230)

  • smart-hosts like acme-corp-com.mail.protection.outlook.com

they spoofed internal users using M365’s own infra. mails passed through internal routing. and they looked native.

📎 email body: fake voicemail alert
📎 attachment: PDF with a QR code
📎 scan it? → M365 login page clone with a credential harvester

Microsoft’s filters? they watched it happen

you’d think SPF, DKIM, DMARC would help, right?
nope.

📎 SPF failed
📎 DKIM? none
📎 DMARC? nope
📎 verdict? delivered anyway — since it came from your own smart host

🙃 Direct Send has no sender auth by design
it assumes the person sending knows what they’re doing
(surprise: they didn’t)

what to do before your domain sends malware to your CEO

✅ disable Direct Send unless you’re using it and actually need it
admin center → mail flow → connectors → block unauthenticated relay

✅ set strict DMARC policy
p=reject isn’t optional anymore

✅ audit all inbound headers for:

  • mismatch between IP and domain

  • use of smart-host IPs from unknown networks

  • no DKIM / SPF alignment

✅ lock down SPF to static IPs and block catch-all includes

✅ enable MFA on all accounts, even low-priv apps

📎 Microsoft’s official guidance:
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#direct-send-send-mail-directly-from-your-device-or-application-to-microsoft-365-or-office-365


IOC time: what’s out there right now?

📎 IPs used:

  • 139.28.36[.]230

  • others in that subnet

📎 domains:

  • fake voicemail senders from spoofed internal identities

  • target-specific pages hosted on external compromised infra

Varonis shared a full IOC list here:
https://www.varonis.com/blog/direct-send-exploit

TL;DR: when Microsoft sends phishing on your behalf

this isn’t a “bad Microsoft” story.
this is a “misused feature built for sysadmins, not for attackers” story.

Direct Send was made for convenience. but now?
it’s a backdoor with a smiley face.
no login. no creds. just SMTP packets and QR scams.

your mail gateway won’t see it. your EOP filters might not catch it.
but your users? they’ll click. because it looks internal.

and that’s how phishing just leveled up.

Categories

ActiveDirectory AI Azure AzureAI azurefirewall azuresecurity cloudarchitecture cloudnetworking CloudSecurity Conditional Access Copilot Cybersecurity cybersecuritytools DataProtection DataSecurity DevOps devsecops DNS enterpriseai Entra entraID Howto hybridcloud Innovation licensing Microsoft Microsoft365 Microsoft AI MicrosoftAzure microsoftcloud Microsoft Product microsoftsecurity MicrosoftSentinel MS Entra MSteams network networksecurity Security SoftwareUpdate TechNews updates Windows Windows10 Windows11 zeroTrust

Archives

  • July 2025
  • June 2025
  • May 2025
  • February 2025
  • October 2024
  • September 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
No comments to show.

Recent Comments

Recent Posts

  • SCCM-to-Intune Migration: The Cloud Apocalypse Survival Checklist
  • 💀 SCCM Is Dead. Long Live the Cloud Overlord Intune.
  • 🌊 Sentinel Data Lake — All Your Logs in One …..
  • Microsoft Sentinel: Now Smarter, Meaner, and Autogenerating Paranoia
  • Windows is dead, but still breathing cash
©2025 IT-DRAFTS | Powered by WordPress and Superb Themes!