Direct Send Abuse – Internal Email Spoofing

Attackers abuse Microsoft 365 Direct Send to deliver spoofed internal emails without authentication, bypassing user-based protections and enabling high-confidence phishing.

Research:

https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/

Summary

Threat actors can abuse Microsoft 365 Direct Send to send unauthenticated emails that appear to originate from internal users. Because Direct Send does not require credentials, MFA, or a sign-in event, it bypasses identity-based protections and enables high-trust phishing and internal impersonation attacks.

In many tenants, this is a configuration risk that exists by default and often goes unnoticed. Microsoft’s research shows this technique being used with lures such as “password expiration” messages that masquerade as legitimate Microsoft communications.

This phishing message uses a “password expiration” lure masquerading as a communication from Microsoft (image from Microsoft.com)

Remediation details

Direct Send is intended for legacy devices such as printers, scanners, and applications that need to send email without SMTP authentication. However, when left enabled or loosely restricted, it can be exploited to deliver spoofed internal messages that evade Conditional Access, MFA, and identity logging entirely.

Overe actively detects and enforces protection against Direct Send abuse by identifying exposure and applying policy-based remediation where Direct Send is not explicitly required.

Enable enforcement across all client tenants in seconds

What to do

  1. Disable Direct Send where it is not required
    Most tenants no longer need Direct Send. Removing it eliminates an entire phishing vector that does not rely on credential compromise.
  2. Restrict Direct Send to known IP ranges (if required)
    Where legacy systems still depend on it, Direct Send should be tightly scoped to specific, trusted IP addresses only.
  3. Harden Exchange Online mail flow
    Review SMTP connectors and mail flow rules to ensure unauthenticated paths are not overly permissive.
  4. Enforce strong sender authentication
    SPF, DKIM, and DMARC should be correctly configured and enforced to reduce spoofing opportunities.
  5. Monitor for internal sender spoofing patterns
    Internal-looking emails should not be implicitly trusted, particularly when no authenticated sender is present.
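The five steps above can be inventoried and enforced from Exchange Online PowerShell. The following is an added example written for this page; it is not Overe's tooling or a Microsoft-published script. It assumes the ExchangeOnlineManagement module is installed, the operator holds Exchange Administrator rights, and that `contoso.example` and `203.0.113.0/24` are placeholders for the tenant's accepted domain and the egress range of any legacy devices that genuinely still need Direct Send.

```powershell
# Added example: inventory and enforce Direct Send controls in Exchange Online.
# Placeholders (not from the original page): contoso.example, 203.0.113.0/24.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$internalDomain     = "contoso.example"      # placeholder: the tenant's accepted domain
$legacyDeviceRanges = @("203.0.113.0/24")    # placeholder: printers/scanners that must keep Direct Send

# Step 1 - tenant-wide switch that rejects unauthenticated Direct Send traffic.
# Read the current state first so the change is deliberate and recorded.
Get-OrganizationConfig | Select-Object RejectDirectSend

# Enable only after every legacy sender has been moved to SMTP AUTH client
# submission or an IP/certificate-scoped connector.
Set-OrganizationConfig -RejectDirectSend $true

# Step 2 - where Direct Send must remain, scope it: reject mail that claims an
# internal sender domain but arrives over an unauthenticated (outside-the-org)
# path, unless it comes from the known device ranges.
New-TransportRule -Name "Reject spoofed internal senders (Direct Send)" `
    -FromScope NotInOrganization `
    -SenderDomainIs $internalDomain `
    -ExceptIfSenderIpRanges $legacyDeviceRanges `
    -RejectMessageReasonText "Unauthenticated mail claiming an internal sender is not accepted" `
    -Mode Audit    # switch to Enforce once the audit period shows no legitimate hits

# Step 3 - review inbound connectors: any connector that accepts mail without an
# IP restriction or TLS certificate requirement is an unauthenticated path.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, RequireTls, SenderIPAddresses, TlsSenderCertificateName

# Step 4 - confirm sender authentication is in place for the domain.
Get-DkimSigningConfig | Select-Object Domain, Enabled
Resolve-DnsName -Name "_dmarc.$internalDomain" -Type TXT   # expect p=quarantine or p=reject
Resolve-DnsName -Name $internalDomain -Type TXT            # SPF record should end in -all

# Step 5 - surface recent messages that used an internal sender address but were
# not sent from a mailbox in the tenant (candidates for Direct Send spoofing).
$since = (Get-Date).AddDays(-7)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -SenderAddress "*@$internalDomain" |
    Where-Object { $_.Status -ne "Delivered" -or $_.FromIP -notin $legacyDeviceRanges } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, Subject
```

Run the step 2 rule in Audit mode for a week before switching to Enforce: the message trace in step 5 will show which device ranges are actually sending, so the exception list can be tightened to what the business really uses. Note that `Get-MessageTrace` only covers the last ten days, and `FromIP` comparison here is a literal match, so supply the individual device addresses rather than a CIDR range if the devices are few.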

Overe continuously assesses Microsoft 365 tenants for Direct Send exposure and enforces secure configuration through guided, policy-driven controls — helping organisations eliminate this risk without disrupting legitimate business workflows.

Severity: High
Productivity Impact: Medium
Fix Estimate: Protected by Overe