Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations
Aug. 18, 2025, 2:43 p.m.
Description
Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient addresses. The attack process involves identifying organizational domains, crafting emails impersonating internal users, and delivering them through Microsoft 365's infrastructure. Recent campaigns have successfully harvested credentials and established footholds within targeted environments. Attackers use automated tools to generate convincing business-themed lures, often utilizing PDF and DOCX attachments with QR codes or obfuscated HTML leading to phishing pages. The abuse of Direct Send represents a critical gap in email security defenses, particularly for organizations relying heavily on email communications.
Date
- Created: Aug. 18, 2025, 2:16 p.m.
- Published: Aug. 18, 2025, 2:16 p.m.
- Modified: Aug. 18, 2025, 2:43 p.m.
Indicators