Microsoft 365 Exchange Online Direct Send exploited for internal phishing campaigns

Threat Group: Opportunistic and financially motivated actors targeting multiple sectors
Threat Type: Phishing and email infrastructure abuse
Exploited Vulnerabilities: Abuse of Microsoft 365 Exchange Online Direct Send feature; implicit trust of unauthenticated internal-looking emails; weak or unenforced SPF, DKIM, and DMARC
Malware Used: None required for initial access; follow-on payloads include credential harvesting pages and session theft tools
Threat Score: 🔴 High (7.9/10) – Direct Send abuse enables internal spoofing, bypasses perimeter controls, and delivers phishing at scale without account compromise
Last Threat Observation: 19 August 2025
Overview
Microsoft 365 Direct Send, a legitimate Exchange Online feature that allows devices such as printers, scanners, and line-of-business applications to send emails without authentication, is being actively exploited by threat actors. These attackers leverage the feature’s design to deliver phishing emails that convincingly appear to originate from internal users, effectively bypassing traditional perimeter defences and internal trust checks.
The abuse technique requires no compromised accounts or stolen credentials. With only knowledge of the target domain and valid recipient addresses, attackers can deliver phishing messages via the Microsoft 365 tenant smart host (formatted as yourtenant.mail.protection.outlook.com). This approach bypasses external secure email gateways (SEGs), and because the messages are treated as internal, failing SPF, DKIM, and DMARC checks does not prevent successful inbox delivery.
Between June and August 2025, more than 70 organisations across multiple sectors have been targeted. Campaigns use lures such as voicemail or fax notifications, often embedding QR codes within PDF attachments to redirect users to credential harvesting sites. Attackers also employ HTML attachments and business-themed emails to enhance credibility.
Microsoft has introduced a new “Reject Direct Send” control, currently in public preview, allowing administrators to block unauthenticated Direct Send traffic. This is a critical defensive enhancement, but organisations must take broader steps: disable Direct Send where possible, enforce partner connectors for authenticated use cases, implement strict sender authentication (SPF, DKIM, DMARC), harden Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO), and educate users on the risks of QR code phishing (quishing).
This is not a traditional vulnerability (CVE) but an exploitation of intended design. As such, patching processes alone will not resolve the issue. Effective defence requires a shift away from implicit trust in internal-looking mail and towards explicit authentication and layered protections.
Key Details
Delivery Method
Attackers connect to the tenant smart host from external IPs and spoof internal addresses. Messages are submitted without authentication and are often treated as internal mail.
Target Sectors
Finance, construction and engineering, healthcare, insurance, manufacturing, professional services, and government. Small and mid-sized organisations are especially exposed due to reliance on Direct Send for legacy device workflows.
Functions
- Internal user spoofing that appears legitimate
- Credential harvesting through PDFs with QR codes or HTML attachments
- Bypass of secure email gateways by targeting tenant smart hosts
- Exploitation of implicit trust in internal-looking domains
- Platform for downstream compromise such as business email compromise (BEC)
Obfuscation Techniques
Voicemail and fax notifications, business-themed templates, QR code payloads, reply chain insertions, and cloned brand assets from victim domains
Attack Vectors
Direct Send Path
Messages are submitted to Exchange Online via the tenant smart host with spoofed internal senders. No SMTP authentication is required.
SEG Bypass
Attackers avoid external SEGs by sending directly to Microsoft’s smart host. Without Enhanced Filtering for Connectors, these emails are not subject to the same evaluation policies.
Authentication Evasion
Messages fail SPF/DKIM/DMARC but may still be delivered because they are evaluated as internal.
User Engagement Lures
Voicemail or fax PDFs with QR codes are the primary lure. Scanned QR codes redirect mobile users outside enterprise protections. Other themes include task reminders and payment authorisations.
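The Direct Send pattern described above, expressed as a detection check a defender can run over exported mail data. This is an added example, not from the advisory; the record fields (SenderAddress, FromIP, AuthAs, SPF, DKIM) are an assumption about what a message trace plus Authentication-Results export might contain, and all sample records are constructed.

```powershell
# Added example (not from the advisory): flag the Direct Send spoofing pattern in
# exported mail records. Record fields are an assumption; sample records are constructed.
function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Record,
        [string[]] $TenantDomains     = @('contoso.example'),   # assumption: your accepted domains
        [string[]] $ApprovedDeviceIPs = @('203.0.113.10')       # assumption: printers/apps allowed to use Direct Send
    )
    $fromDomain      = ($Record.SenderAddress -split '@')[-1].ToLowerInvariant()
    $claimsInternal  = $TenantDomains -contains $fromDomain
    $unauthenticated = $Record.AuthAs -eq 'Anonymous'          # no SMTP AUTH, as with Direct Send
    $authFailed      = ($Record.SPF -ne 'pass') -and ($Record.DKIM -ne 'pass')
    $fromApproved    = $ApprovedDeviceIPs -contains $Record.FromIP
    # The pattern from the advisory: a message claiming one of our own domains, submitted
    # without authentication, failing SPF and DKIM, from an IP that is not a known device.
    return ($claimsInternal -and $unauthenticated -and $authFailed -and -not $fromApproved)
}

# Constructed samples: a legitimate scanner on an approved IP, and a spoofed "voicemail" lure.
$records = @(
    [pscustomobject]@{ MessageId='<scan-1@contoso.example>'; SenderAddress='scanner@contoso.example'
                       FromIP='203.0.113.10'; AuthAs='Anonymous'; SPF='none'; DKIM='none'; Subject='Scan from MFP' }
    [pscustomobject]@{ MessageId='<vm-9@contoso.example>'; SenderAddress='ceo@contoso.example'
                       FromIP='198.51.100.77'; AuthAs='Anonymous'; SPF='fail'; DKIM='none'; Subject='New voicemail message' }
)

# Only the second record is reported; the scanner is excluded by its approved IP.
$records | Where-Object { Test-DirectSendSpoof -Record $_ } |
    Select-Object MessageId, SenderAddress, FromIP, SPF, Subject
```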
Indicators of Compromise (IoCs)
Indicators are defanged. Replace [.] with . when investigating.
Mitigation and Prevention
- Disable or Restrict Direct Send: Enable RejectDirectSend with PowerShell (Set-OrganizationConfig -RejectDirectSend $true). Use partner connectors with TLS or fixed IP authentication for legitimate workflows.
- Enforce Strong Sender Authentication: Progress DMARC to p=reject. Enable DKIM on all domains. Maintain precise SPF records.
- Harden Microsoft 365 Security: Enable anti-spoofing and impersonation protection. Turn on Enhanced Filtering for Connectors.
- Reduce Credential Theft Impact: Enforce MFA. Apply Conditional Access policies. Enable token protection and shorten session lifetimes.
- Block High-Risk Payloads: Restrict PDFs with QR codes and HTML attachments from unknown senders. Apply Safe Links scanning.
- Educate Users: Train users to treat QR codes in email as suspicious. Reinforce awareness of internal spoofing threats.
- Monitor Continuously: Use Defender for Office 365 hunting queries, Exchange Online message traces, and SEG logs to identify anomalies. Build watchlists of approved senders.
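The first three mitigation items above as an Exchange Online PowerShell audit-and-apply script. This is an added example, not from the advisory or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the account holds Exchange Administrator rights, contoso.example is a placeholder for your accepted domain, and RejectDirectSend is readable from Get-OrganizationConfig.

```powershell
# Added example (not from the advisory): audit and apply Direct Send hardening.
# Assumes ExchangeOnlineManagement is installed and you are an Exchange Administrator.
Connect-ExchangeOnline

$tenantDomain = 'contoso.example'   # assumption: replace with your accepted domain

# 1. Reject unauthenticated Direct Send at the tenant smart host.
#    (Assumption: the setting is exposed as the RejectDirectSend property.)
$org = Get-OrganizationConfig
if (-not $org.RejectDirectSend) {
    Set-OrganizationConfig -RejectDirectSend $true
    Write-Host "RejectDirectSend enabled; legitimate devices must now use an authenticated connector"
}

# 2. DKIM must be enabled for every accepted domain.
Get-DkimSigningConfig | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "DKIM signing is disabled for $($_.Domain)"
}

# 3. DMARC should be at p=reject (public DNS lookup; Resolve-DnsName is Windows-only).
$dmarc = (Resolve-DnsName -Name "_dmarc.$tenantDomain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
if ($dmarc -notmatch 'p=reject') {
    Write-Warning "DMARC for $tenantDomain is not p=reject: '$dmarc'"
}

# 4. Review the connectors legitimate devices now depend on: TLS or fixed-IP restriction,
#    and Enhanced Filtering (EFSkipLastIP / EFSkipIPs) so EOP evaluates the true source IP.
Get-InboundConnector |
    Where-Object { $_.ConnectorType -in @('OnPremises', 'Partner') } |
    Select-Object Name, ConnectorType, Enabled, RequireTls, SenderIPAddresses, EFSkipLastIP, EFSkipIPs
```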
Risk Assessment
Likelihood: High – requires no credentials and only knowledge of tenant details.
Impact: High – enables credential theft, BEC, invoice fraud, and potential ransomware.
Exposure Factors: Direct Send enabled; weak or unenforced DMARC/DKIM/SPF; reliance solely on SEG; lack of analytics for spoofed internal mail.
Residual Risk: Moderate if Direct Send is disabled or tightly restricted and robust authentication, monitoring, and user training are in place.
Conclusion
The exploitation of Microsoft 365 Direct Send is an effective phishing method that abuses a legitimate feature to bypass controls and deliver internal-looking emails. Microsoft’s “Reject Direct Send” control is a significant defensive improvement, but organisations must implement layered protections, strict authentication, transport rules, and user education. Quishing in particular demands urgent focus as attackers innovate to exploit user trust and mobile blind spots.
Sources
- Proofpoint – Exploiting Direct Send: Attackers Abuse Microsoft 365 to Deliver Internal Phishing Attacks
- Mimecast - Direct Send Abuse
- IT News - Confusion reigns as phishers abuse Exchange Online Direct Send
- Dark Reading - Phishers Abuse Microsoft 365 to Spoof Internal Users
- OTX AlienVault - Indicators of Compromise