Direct Send is a powerful feature, but in the wrong hands, it can also be a dangerous attack vector.
The relatively unknown "Direct Send" option in Microsoft 365 is being abused in phishing campaigns. The emails appear to have been sent internally, from the affected company's own domain to its own staff. Research by the American data-security company Varonis shows that more than seventy organizations have been targeted since May.
What is Direct Send?
Direct Send is intended for printers, scanners and similar devices that need to send email from the organization's domain without authenticating, according to BleepingComputer. The tenant's smart host (the mail.protection.outlook.com endpoint that also receives the tenant's inbound mail) accepts such unauthenticated SMTP submissions, so in practice a single PowerShell command is enough to send mail that bypasses almost all filter rules. The connection comes from an external IP address, yet the message is attributed to the tenant and treated as "trusted internal" mail, which is why the usual protections for external senders do not apply. Direct Send can only deliver to mailboxes within the same tenant, which suits the attackers' goal: phishing the employees of the targeted company.
Internally Sent Phishing Emails
The emails mimic voicemail or fax notifications and carry the target's logo and a PDF containing a QR code. Scanning the code leads straight to a fake Microsoft login page, where credentials are harvested. The recipient never has to click anything: the PDF contains no external links, so URL filters and link-rewriting have nothing to inspect, and the victim's phone typically opens the page outside the corporate controls that would otherwise block it.
Disable
Microsoft introduced the "Reject Direct Send" setting in April (initially as a public preview), allowing organizations to refuse unauthenticated Direct Send submissions altogether. Devices that still rely on Direct Send then need to be moved to SMTP AUTH client submission or a connector before the setting is enforced. Varonis also advises awareness around QR codes in email. Without additional checks, it is not sufficient to consider an email safe just because it appears to have been sent internally.
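The following PowerShell session is an added example, not code from the article, Varonis or Microsoft. It shows the check-and-harden sequence an Exchange Online administrator would run for this issue: read the current state, turn on Reject Direct Send, verify the change from outside the tenant with the same unauthenticated submission the attackers use, and add a mail flow rule as defense in depth. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and the placeholder tenant contoso.com with MX host contoso-com.mail.protection.outlook.com; the IP range, sender addresses and rule name are likewise illustrative.

```powershell
# Added example (not from the article, Varonis or Microsoft). Placeholders: contoso.com,
# contoso-com.mail.protection.outlook.com, the addresses and the 203.0.113.0/24 device range.
Connect-ExchangeOnline

# 1. Current state. $false means anonymous mail to the tenant's MX smart host
#    is still accepted and attributed as internal mail.
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Enable "Reject Direct Send" (the April setting discussed above).
#    Caveat: printers/scanners that relay through the MX host without credentials
#    will start getting NDRs. Move them to SMTP AUTH client submission (port 587,
#    a mailbox credential) or a partner connector before running this in production.
Set-OrganizationConfig -RejectDirectSend $true

# 3. Verify from a machine OUTSIDE the tenant against your own tenant, using the
#    same unauthenticated submission an attacker would. Before step 2 the message
#    lands in the mailbox; afterwards the smart host rejects it and the cmdlet throws.
#    (Send-MailMessage prints an obsolescence warning in PowerShell 7 but still works.)
$mx = 'contoso-com.mail.protection.outlook.com'   # your tenant's MX host (assumption)
try {
    Send-MailMessage -From 'ceo@contoso.com' -To 'finance@contoso.com' `
        -Subject 'Direct Send verification' -Body 'Unauthenticated submission test' `
        -SmtpServer $mx -Port 25 -ErrorAction Stop
    Write-Warning 'Accepted: Direct Send is still open for this tenant.'
} catch {
    Write-Host "Rejected as expected: $($_.Exception.Message)"
}

# 4. Defense in depth: quarantine mail that claims to come from your own domain but
#    fails sender authentication. The condition is on the Authentication-Results
#    header rather than on -FromScope NotInOrganization, because Direct Send messages
#    are attributed to the tenant and may not match the "outside" scope at all.
#    The tokens "spf=fail" / "dmarc=fail" are what Exchange Online Protection normally
#    writes for unauthenticated mail (assumption; confirm on a captured sample).
#    Start in Audit mode and review the quarantine: third parties that send as your
#    domain without SPF/DKIM alignment will be caught too. Known devices that must
#    keep relaying can be exempted by public IP range.
New-TransportRule -Name 'Quarantine unauthenticated mail from own domain' `
    -SenderDomainIs 'contoso.com' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'spf=fail','dmarc=fail' `
    -ExceptIfSenderIpRanges '203.0.113.0/24' `
    -Quarantine $true `
    -Mode Audit
```

Run step 3 twice, once before and once after step 2, so the rejection is actually observed rather than assumed; the mail flow rule stays useful afterwards for spoofed mail that arrives by routes other than Direct Send, and should only be switched to `-Mode Enforce` once the audit period shows no legitimate senders being caught.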