Phishing attackers have found a new way to make malicious emails look like they’re coming from within your company.
They’re abusing a Microsoft 365 feature called Direct Send to spoof internal emails.
In response, we are taking immediate action to safeguard your organisation. In this post, we’ll explain what Direct Send is, how it’s being misused, what steps we’re taking to protect you, and what (if anything) might change for you as a result.
What is Microsoft Direct Send?
Microsoft 365’s “Direct Send” is a feature that allows internal systems (like printers, scanners, or applications) to send email directly to your people without a normal user login.
In other words, a device on your network can email your staff using your company’s email domain, even though the device isn’t a full mailbox account. This was intended as a convenient way for things like multi-function printers to send scanned documents or for business applications to send notifications as if they were coming from inside your organisation’s email.
For example, an office scanner might use Direct Send to email you a PDF of a scanned document, appearing to come from “scanner@yourcompany.com” without needing any password authentication. As long as the email is addressed to someone in your company, Exchange Online will accept it.
Microsoft designed this to simplify internal email delivery for trusted devices on your network.
How is Direct Send being exploited?
Unfortunately, attackers have figured out how to abuse this trusted channel. Cybercriminals are using Direct Send to make phishing emails look like they come from internal users. By exploiting this feature, they can bypass many of the usual security checks that mark external emails as suspicious.
In fact, phishing emails sent via Direct Send slipped past Microsoft Defender and other email security gateways because they appeared to originate from inside the company.
Here’s how the scam works: Attackers identify the Direct Send mail endpoint for a target organisation and then send email through it using the company’s own domain name. These emails don’t go through the normal authenticated send process, so they can evade SPF, DKIM, and DMARC protections that usually detect spoofed senders.
To the recipient and many automated filters, the phishing email looks like a legitimate internal message from a coworker.
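An added defender-side triage example, not from the original post: a PowerShell function that checks a saved message header block for the Direct Send pattern described above (a From address in your own domain, accepted by Exchange Online anonymously, with SPF not passing). The organisation domain and the sample headers are constructed for the example.

```powershell
# Added example (not ITC Service's own tooling): flag messages that carry our own
# domain in From: but were accepted without authentication and did not pass SPF.
$OrgDomain = 'yourcompany.com'   # assumption: replace with one of your accepted domains

# Constructed sample header block shaped like a Direct Send abuse message.
$SampleHeaders = @'
Received: from 203.0.113.10 (203.0.113.10) by yourcompany-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=yourcompany.com;
 dkim=none; dmarc=fail action=none header.from=yourcompany.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "IT Support" <it-support@yourcompany.com>
To: jane.doe@yourcompany.com
Subject: New voicemail received
'@

function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$Domain
    )
    # Unfold continuation lines, then collect "Name: value" pairs (keys lower-cased).
    $folded  = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($folded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            $headers[$Matches[1].ToLower()] = $Matches[2]
        }
    }
    $from   = $headers['from']
    $authAs = $headers['x-ms-exchange-organization-authas']
    $auth   = $headers['authentication-results']

    # Direct Send hallmarks: our domain as sender, anonymous submission, SPF not passing.
    $pattern    = '@' + [regex]::Escape($Domain) + '>?\s*$'
    $fromIsOurs = $from -match $pattern
    $anonymous  = $authAs -eq 'Anonymous'
    $spfPassed  = [bool]($auth -match 'spf=pass')

    [pscustomobject]@{
        From       = $from
        AuthAs     = $authAs
        SpfPassed  = $spfPassed
        Suspicious = ($fromIsOurs -and $anonymous -and -not $spfPassed)
    }
}

Test-DirectSendSpoof -RawHeaders $SampleHeaders -Domain $OrgDomain | Format-List
```

A legitimate scanner using Direct Send produces the same pattern, so treat a hit as a triage prompt (check the sending IP against your known devices), not as proof of phishing.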
Service Desk Specialist Jordan from ITC Service adds:
“If an email looks like it came from your HR department or CEO, you’re more likely to trust it. Attackers know this. They have been impersonating colleagues from HR, finance, or leadership to lower your guard. Because the message appears internal, it avoids the ‘external sender’ warnings and policies that might otherwise flag it.”
For example, one recent phishing campaign using Direct Send sent emails posing as voicemail or fax notifications. The email would include a PDF attachment that looked harmless, but inside was a QR code. If a user scanned that QR code, it led to a fake Microsoft login page where the attackers would steal any entered password.
In other cases, attackers include a link to a counterfeit Microsoft 365 login form in the email; when the user clicks and tries to log in, their credentials are captured. Because these phishing emails seem to come from a familiar internal address (like “IT Support” or a colleague’s name), people are understandably tricked into trusting them.
In short, Direct Send abuse has become a go-to trick for attackers to get around traditional email defences, which is why we’re acting decisively.
How are we protecting our customers?
Your security is our top priority. For companies that don’t rely on Direct Send, we have already taken immediate action to block Direct Send abuse and protect your organisation. For other clients, we will enable the “Reject Direct Send” setting in our actively security-managed environments on 1 October.
Enabling the Reject Direct Send setting means any email sent anonymously using your domain (i.e. attempting to use Direct Send) will be automatically rejected and never reach your inbox. This closes the loophole that attackers were exploiting. In essence, we’ve shut the door that allowed unauthenticated internal-looking emails to get through. From that date, even if a bad actor tries this trick, those spoofed emails will be blocked at the gate.
Importantly, we are actively monitoring for any signs of abuse or new tactics. Threat actors constantly evolve their methods, and we adapt just as quickly. If Microsoft or the security community releases new updates or guidance related to this threat, you can be sure we will implement those as well. Our goal is that you see as few phishing attempts in your inbox as possible.
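For administrators who manage their own tenant, the Exchange Online PowerShell that enables the setting described above and reads it back afterwards, as an added example rather than ITC Service’s own deployment script; the admin account name is an assumption.

```powershell
# Added example (not ITC Service's own script): enable the tenant-wide
# "Reject Direct Send" setting in Exchange Online and confirm it took effect.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@yourcompany.com'   # assumption: your admin account

function Get-DirectSendState {
    # $true when anonymous (Direct Send) submissions claiming one of the tenant's
    # own domains are rejected; $false when they are still accepted.
    (Get-OrganizationConfig).RejectDirectSend
}

function Enable-RejectDirectSend {
    $before = Get-DirectSendState
    if ($before) {
        Write-Host 'RejectDirectSend is already enabled; nothing to change.'
        return $true
    }
    # Tenant-wide switch: unauthenticated mail that uses one of your accepted
    # domains as sender is refused at the gate. Inventory scanners, on-premises
    # apps and third-party senders before flipping it, as they break too.
    Set-OrganizationConfig -RejectDirectSend $true
    # Read the value back rather than trusting that the call succeeded.
    $after = Get-DirectSendState
    Write-Host "RejectDirectSend: before=$before after=$after"
    return $after
}

Enable-RejectDirectSend
Disconnect-ExchangeOnline -Confirm:$false
```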
What might break when Direct Send is disabled?
We recognise that Direct Send, while a security risk, was originally a useful feature. There is a chance that some of your devices or applications were unknowingly relying on Direct Send to send emails. We want to be upfront about this so we can work together to address any issues.
Here are a few things that may be impacted by turning off Direct Send:
- Multi-function printers / scanners: These often use Direct Send to email scanned documents internally. For example, your office photocopier might email PDFs to staff. If it was using Direct Send, those scan-to-email functions will fail to send once the setting is enabled.
- On-premises business applications or scripts: Any software on your network that sends automated emails to your team (alerts, reports, etc.) without logging in to an account could have been using Direct Send. Those emails will no longer be delivered until the app is reconfigured.
- Third-party services using your domain: Perhaps a cloud service or monitoring system was set to email your staff as “no-reply@yourcompany.com”. If it wasn’t using user authentication or the Graph API, those messages will be blocked too.
In the event that something stops working as a result of this security measure, we will work with you to put in a secure alternative solution. If you think anything may be affected, feel free to reach out in advance.
We are doing our best to identify affected applications before the configuration change. But if you have a scanner or third-party service we’re unaware of, this is likely to be a breaking change.
Ongoing protection and support
We’re committed to keeping your email communication secure. Disabling Direct Send is a proactive step to protect against emerging phishing threats. With strong safeguards now in place, you can trust that internal-looking emails truly are internal.
While email security can be complex, our goal is to shield you from that complexity and ensure safety by default.
We’ll continue monitoring the threat landscape and evolving our defences so that you stay protected.
If you would like to discuss ITC Service’s cyber security services, don’t hesitate to contact us.