Blog | Security August 27, 2025

Microsoft 365 Direct Send Exploit: How Attackers Bypass Email


In August 2025, cybersecurity researchers uncovered a sophisticated spear phishing campaign that exploited Microsoft 365’s Direct Send feature. The campaign bypasses traditional email security defenses such as SPF, DKIM, and DMARC by leveraging Microsoft’s own infrastructure to deliver malicious emails that appear to originate from trusted internal sources.

The attackers use Direct Send to route emails through the victim’s smart host infrastructure (typically the tenant MX record), effectively masquerading as internal traffic. This allows them to evade perimeter defenses and deliver payloads that conventional email filters would typically block.

What is Direct Send?

Direct Send is a legitimate feature in Microsoft 365 Exchange Online that allows devices, such as printers, scanners, and line-of-business applications, to send emails without authentication if the recipients are within the same organization. It’s designed for internal communication and is often used in environments where legacy devices cannot support modern authentication protocols.

Unlike SMTP Relay or SMTP AUTH, Direct Send: 

  • Does not require credentials 
  • Only supports sending to internal recipients 
  • Uses the tenant’s MX record (e.g., yourdomain.mail.protection.outlook.com) as the SMTP endpoint 

While convenient, this lack of authentication makes it a prime target for abuse.    

How is it abused? 

Threat actors have weaponized Direct Send in several ways: 

  • Spoofing Internal Users: By sending emails through the tenant’s smart host, attackers make messages appear as if they originate from internal users, bypassing SPF, DKIM, and DMARC checks.
  • Image-Based Lures: Instead of text, attackers use high-fidelity inline images mimicking voicemail or service notifications to evade text-based filters. 
  • Dual-Payload Delivery: 
    • HTML Attachments: Disguised as audio players, these use obfuscated JavaScript triggered by invalid image tags to execute malicious code. 
    • SVG Files: Treated as safe by many filters, these contain embedded JavaScript with custom encoding to avoid detection. 
  • Dynamic Personalization: Malicious scripts fetch corporate logos and branding in real-time, creating credential harvesting pages that look convincingly legitimate. 

This combination of technical exploitation and social engineering makes the attack highly effective, even against experienced users.

How do I fix it? 

Microsoft has acknowledged the issue and introduced a “Reject Direct Send” control (currently in public preview), which allows administrators to block unauthenticated Direct Send traffic. However, this alone is not enough. Here are additional steps organizations should take:

1. Disable Direct Send Where Possible

If legacy devices don’t require it, disable Direct Send entirely. Use authenticated SMTP Relay or modern alternatives.

If legacy devices do require it, consider utilizing a dedicated service like SendGrid to accomplish SMTP relay. 

2. Enforce Sender Authentication 

Implement and enforce SPF, DKIM, and DMARC policies. Ensure your SPF record includes only trusted IPs.
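The checks below are an added example, not code from the original post. They encode the expectations just stated (an SPF record that lists only trusted senders and ends in `-all`, and a DMARC policy that enforces rather than monitors) as a small parser plus rule set. The SPF and DMARC records and the `TRUSTED_SENDERS` allow-list are constructed; a real run would fetch the domain's TXT records with a DNS library and fill the allow-list with the organization's own mail gateways. The checks are narrower than a full RFC 7208 / RFC 7489 validator on purpose: they flag the record mistakes that matter for this scenario.

```python
"""Sanity-check SPF and DMARC TXT records (added example; records are constructed)."""
from typing import Dict, List, Set, Tuple

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that authorize a sender and therefore must appear on our allow-list.
SENDER_TERMS = {"ip4", "ip6", "include", "a", "mx", "exists", "redirect"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, value) triples; modifiers get qualifier ''."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                                  # modifier such as redirect=example.com
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"                                  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record: str, trusted_senders: Set[str]) -> List[str]:
    """Return findings about the record; an empty list means it meets our expectations."""
    findings = []
    all_qualifier = None
    lookups = 0
    for qualifier, name, value in parse_spf(record):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
        elif name in SENDER_TERMS and value not in trusted_senders:
            findings.append(f"untrusted sender term: {qualifier}{name}:{value}")
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5); remove it")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass SPF; use -all")
    elif all_qualifier == "~":
        findings.append("'~all' only softfails spoofed mail; use -all once DMARC enforces")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (evaluates to permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError(f"not a DMARC record: {record!r}")
    return tags


def check_dmarc(record: str) -> List[str]:
    """Flag a DMARC record that only monitors instead of enforcing."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        findings.append(f"p={policy} only reports; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves part of the spoofed mail unenforced")
    if enforcing and tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        findings.append(f"sp={tags['sp']} leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("no rua= address; you will not receive aggregate reports of spoofing")
    return findings


# Constructed sample data: the EOP include plus one on-premises gateway are trusted.
TRUSTED_SENDERS = {"spf.protection.outlook.com", "203.0.113.5"}
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.5 ip4:198.51.100.0/24 ~all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.5 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
STRICT_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com"

if __name__ == "__main__":
    for label, rec, fn in (("SPF", WEAK_SPF, lambda r: check_spf(r, TRUSTED_SENDERS)),
                           ("SPF", STRICT_SPF, lambda r: check_spf(r, TRUSTED_SENDERS)),
                           ("DMARC", WEAK_DMARC, check_dmarc),
                           ("DMARC", STRICT_DMARC, check_dmarc)):
        print(f"{label}: {rec}\n  " + ("\n  ".join(fn(rec)) or "OK"))
```

These checks catch the record mistakes (an open `+all`, an include or IP nobody recognizes, a monitoring-only `p=none`) that leave a filter without a firm verdict. They do not by themselves refuse a Direct Send submission, which is why the post pairs sender authentication with the Reject Direct Send control and infrastructure hardening.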

3. Harden Email Infrastructure 

  • Use Exchange Online Protection (EOP) and Microsoft Defender for Office 365, or an alternative email filtering solution (Proofpoint, Mimecast, Abnormal).
  • Configure partner connectors for authenticated traffic from third-party email filtering solutions.
  • Monitor for anomalies in email behavior and authentication patterns. Always review sign-in logs for unusual or suspicious activity to ensure proper identity hygiene.

4. Educate Users 

Train users to recognize phishing tactics, especially image-based lures and QR code phishing (“quishing”).

5. Monitor and Respond 

Deploy threat detection tools that can identify suspicious Direct Send activity. One method for accomplishing this is email hunting and message explorer, which are features of the Microsoft 365 E5 suite of products.

To find emails sent via Direct Send, you can run a historical message trace in Exchange Online to pull up email delivery logs from the last 90 days. To do that:

  • Navigate to the Exchange admin center > Reports > Mail flow and select Inbound messages report from the list. 
  • Next, click on Request report and modify the Start & End date based on your requirement. 
  • Click the Recipients dropdown and choose the desired recipients to receive the inbound message report. 
  • Then, ensure that Received and No connector are selected under Directions and Connector type appropriately. 
  • Finally, set TLS version to No TLS and hit Request to receive a report on all inbound emails received without a connector to identify Direct Send emails. 

Microsoft 365 Defender Advanced Hunting

An alternative method is to leverage Microsoft 365 Defender Advanced Hunting. You can do this by navigating to https://security.microsoft.com/v2/advanced-hunting and starting a new query. Here’s a KQL query that identifies messages that were likely sent via the Direct Send feature in Microsoft 365 within the last 30 days. If the results are legitimate messages, the devices or applications sending them will likely need to be reconfigured to route properly after disabling the feature.

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
// Direct Send spoofs claim one of your own accepted domains as the MAIL FROM domain
| where SenderMailFromDomain == "yourdomain.com"
| where DeliveryAction contains "Delivered"
// Unauthenticated submissions fail SPF and composite authentication (CompAuth) yet still land
| where AuthenticationDetails == @"{""SPF"":""fail"",""DKIM"":""timeout"",""DMARC"":""temperror"",""CompAuth"":""fail""}"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails, DeliveryAction
| order by Timestamp desc
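The script below is an added example, not code from the original post or from Microsoft, and it serves both the message trace export and the Advanced Hunting query above: once either result set is exported, the same logic runs over it offline. It assumes records shaped like the EmailEvents columns the query uses (`Timestamp`, `EmailDirection`, `SenderMailFromDomain`, `SenderFromAddress`, `RecipientEmailAddress`, `Subject`, `DeliveryAction`, `AuthenticationDetails`). It generalizes the query in one way: instead of matching `AuthenticationDetails` against one exact string, it parses the column as JSON and flags any inbound, delivered message that claims our own domain but did not pass both SPF and CompAuth, so a spoof whose DKIM or DMARC verdict reads `none` rather than `timeout` is still caught. `OUR_DOMAIN` and the sample records are constructed.

```python
"""Hunt exported EmailEvents-style records for likely Direct Send abuse (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

OUR_DOMAIN = "yourdomain.com"   # assumption: the tenant's accepted domain, as in the post's query


@dataclass
class Hit:
    timestamp: str
    sender: str
    recipient: str
    subject: str
    reason: str


def parse_auth(details: Optional[str]) -> Dict[str, str]:
    """AuthenticationDetails is a JSON string; return lower-cased verdicts, {} if unparseable."""
    try:
        data = json.loads(details or "{}")
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    return {str(k).lower(): str(v).lower() for k, v in data.items()}


def is_suspected_direct_send(rec: Dict[str, str], our_domain: str = OUR_DOMAIN) -> Optional[str]:
    """Return why a record looks like unauthenticated Direct Send, or None if it does not."""
    if rec.get("EmailDirection") != "Inbound":
        return None      # intra-org and outbound mail take authenticated paths
    if rec.get("SenderMailFromDomain", "").lower() != our_domain.lower():
        return None      # external senders are ordinary phishing, not Direct Send spoofing
    if "delivered" not in rec.get("DeliveryAction", "").lower():
        return None      # already blocked or quarantined; nothing was delivered
    auth = parse_auth(rec.get("AuthenticationDetails"))
    spf = auth.get("spf", "missing")
    comp = auth.get("compauth", "missing")
    if spf == "pass" and comp == "pass":
        return None      # authenticated route, e.g. a partner connector
    return f"SPF={spf}, CompAuth={comp}"


def hunt(records: Iterable[Dict[str, str]], our_domain: str = OUR_DOMAIN) -> List[Hit]:
    """Apply the check to every record; newest hits first, like the KQL 'order by Timestamp desc'."""
    hits = []
    for rec in records:
        reason = is_suspected_direct_send(rec, our_domain)
        if reason:
            hits.append(Hit(rec.get("Timestamp", ""), rec.get("SenderFromAddress", ""),
                            rec.get("RecipientEmailAddress", ""), rec.get("Subject", ""), reason))
    hits.sort(key=lambda h: h.timestamp, reverse=True)
    return hits


# Constructed sample export: four records, only the first is a Direct Send spoof.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-08-20T14:02:11Z", "EmailDirection": "Inbound",
     "SenderMailFromDomain": "yourdomain.com", "SenderFromAddress": "ceo@yourdomain.com",
     "RecipientEmailAddress": "finance@yourdomain.com", "Subject": "New voicemail (0:42)",
     "DeliveryAction": "Delivered",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"timeout","DMARC":"temperror","CompAuth":"fail"}'},
    {"Timestamp": "2025-08-20T13:55:00Z", "EmailDirection": "Intra-org",
     "SenderMailFromDomain": "yourdomain.com", "SenderFromAddress": "hr@yourdomain.com",
     "RecipientEmailAddress": "all@yourdomain.com", "Subject": "Benefits enrollment",
     "DeliveryAction": "Delivered",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"Timestamp": "2025-08-20T12:10:43Z", "EmailDirection": "Inbound",
     "SenderMailFromDomain": "example.net", "SenderFromAddress": "billing@example.net",
     "RecipientEmailAddress": "ap@yourdomain.com", "Subject": "Invoice attached",
     "DeliveryAction": "Delivered",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
    {"Timestamp": "2025-08-19T09:30:05Z", "EmailDirection": "Inbound",
     "SenderMailFromDomain": "yourdomain.com", "SenderFromAddress": "it@yourdomain.com",
     "RecipientEmailAddress": "ceo@yourdomain.com", "Subject": "Password expiry",
     "DeliveryAction": "Blocked",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.timestamp}  {hit.sender} -> {hit.recipient}  {hit.subject!r}  [{hit.reason}]")
```

Each hit is a message to triage: if the sender is a known printer, scanner or application, it belongs on the list of devices to migrate to authenticated relay before Direct Send is disabled; anything else is a candidate spoof and the recipient's mailbox and sign-in activity deserve a look, as the post recommends under infrastructure hardening.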

Takeaways and considerations:

  • If your organization does not utilize Direct Send, you can disable this feature in your tenant by connecting with the Exchange Online Management PowerShell module and running this cmdlet: Set-OrganizationConfig -RejectDirectSend $true
  • If you do leverage Direct Send today, you’ll need to evaluate your email infrastructure to understand how and when to disable it. Contact your Account Manager or your Technical Solutions Manager to discuss your options.
  • If you leverage Direct Send and you do not have a third-party email filtering service in front of your tenant, you may have to resort to a third-party relay solution to replace Direct Send so that it can be disabled. If you have a third-party filtering service and you use Direct Send, you can enable a transport rule in your tenant that only allows messages originating from specific IP addresses into your tenant. You can stack this with -RejectDirectSend for even greater security.

Final Thoughts

Direct Send was designed for convenience, but attackers have turned it into a powerful tool for bypassing email security. Organizations cannot rely solely on Microsoft’s new controls. By disabling Direct Send where possible, tightening authentication, hardening infrastructure, and proactively hunting for abuse, enterprises can significantly reduce their exposure. Security teams should evaluate their environment now, before this technique becomes more widespread in the wild.

Strengthen Your Microsoft 365 Security

Blocking Direct Send abuse is just one step toward securing Microsoft 365. Alchemy Technology Group helps enterprises harden identity, email, and collaboration environments against today’s most advanced threats. Our experts design and implement layered defenses that close gaps before attackers exploit them.


Author: Kyle Mancuso
