Threat Intelligence: Microsoft 365 Exchange Online Direct Send exploitation seen in the wild for phishing campaigns
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
Organisations using Microsoft 365 may have an open door for phishing attacks that bypasses all traditional email security controls. This exploitation technique requires no stolen credentials and no compromised accounts, and it leaves minimal forensic traces.
Here's what you need to know about Direct Send exploitation and how to protect your organisation.
Microsoft 365 (M365) Exchange Online Direct Send is a legitimate method that allows devices and applications to send emails through Microsoft 365 without authentication. It works by routing messages directly through Exchange Online using your tenant's MX endpoint, typically your-domain.mail.protection.outlook.com on port 25. This method only permits sending to recipients within your organisation.
Direct Send completely bypasses any external Secure Email Gateways (SEGs), and traces of the messages can only be seen from within your M365 environment, such as Microsoft Defender and the Microsoft Exchange Admin Centre (EAC).
The abuse technique threat actors are using requires no compromised accounts or stolen credentials; all that is required is the organisation's domain and some valid recipient addresses.
Delivery Method
Attackers connect to the tenant smart host from any IP and spoof internal addresses. Messages are submitted without authentication and are often treated as internal mail; however, there are cases where Microsoft Defender Mail Tips have warned that the email is from an external source.
The attackers target your specific endpoint and a user whose details they have found elsewhere. The email delivered via Direct Send to the end user often carries attachments with QR codes or URLs for the user to open. These QR codes/URLs will often take the user to an Adversary-in-the-Middle (AiTM) phishing page, which is able to grab session tokens and give the attackers access even with robust MFA methods in place (such as Microsoft Authenticator push notifications).
Detection Indicators
Signs of Direct Send Exploitation:
- Empty Connector field in message trace
- SPF/DKIM/DMARC failures on “internal” emails
- External IP addresses for internal domain senders
- Suspicious patterns (e.g., CEO emailing all staff at unusual hours)
- QR codes in unexpected internal communications
Mitigation and Prevention
- Disable or Restrict Direct Send: Enable RejectDirectSend with PowerShell (Set-OrganizationConfig -RejectDirectSend $true). Use partner connectors with TLS or fixed IP authentication for legitimate workflows.
- Disabling Direct Send may have severe business implications, so assess the impact before changing this setting. You can review any emails currently using Direct Send with the following methods:
- To check via Microsoft Defender, use the following KQL:
EmailEvents
| where Timestamp > ago(30d)
// Direct Send: inbound, no connector, direct source IP
| where EmailDirection == 'Inbound' and Connectors == '' and isnotempty(SenderIPv4)
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
// sender claims to be one of your own domains
| where SenderFromAddress contains "YOURDOMAIN"
| where AuthenticationDetails.DMARC == "fail"
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId, EmailDirection, Connectors, SenderIPv4
- To check via Message Trace, use the following with Exchange Online PowerShell:
Get-MessageTraceV2 -SenderAddress "*@<YourDomain>.com" -RecipientAddress "*@<YourDomain>.com" -StartDate <MM/DD/YYYY> -EndDate <MM/DD/YYYY> | Export-Csv <OutputCSVFilePath> -NoTypeInformation -Encoding UTF8
- Enforce Strong Sender Authentication: Progress DMARC to p=reject. Enable DKIM on all domains. Maintain precise SPF records.
- Enable device compliance conditional access policies: These policies disallow sign-in from non-compliant devices, which prevents the AiTM attack from succeeding because the sign-in actually happens from the attacker's device.
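The detection indicators listed earlier and the impact review described above, worked through as an added example that is not part of the original post: a Python triage of message-trace rows in the shape of the columns the KQL projects, splitting spoofed Direct Send mail from legitimate device traffic that would break if RejectDirectSend were enabled. The internal domain, the known-device network and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample rows modelled on the EmailEvents columns the KQL projects,
# plus the DMARC/SPF verdicts from AuthenticationDetails; not real telemetry.
SAMPLE_CSV = """Timestamp,SenderFromAddress,RecipientEmailAddress,Subject,Connectors,SenderIPv4,DMARC,SPF
2025-07-01T03:12:00Z,ceo@example.com,all-staff@example.com,Urgent: scan the attached QR code,,203.0.113.45,fail,fail
2025-07-01T09:00:00Z,scanner@example.com,helpdesk@example.com,Scan job 1187,,192.0.2.10,fail,fail
2025-07-01T10:30:00Z,partner@example.net,sales@example.com,Quote Q-2201,,198.51.100.7,pass,pass
2025-07-01T11:05:00Z,hr@example.com,staff@example.com,Payroll,Inbound from on-prem,192.0.2.20,pass,pass
"""

INTERNAL_DOMAINS = {"example.com"}                          # assumption: tenant accepted domains
KNOWN_DEVICE_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: printer/app egress range

def is_internal(address):
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS

def from_known_device(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_DEVICE_NETS)

def classify(row):
    """Map one trace row to 'spoof', 'legit-direct-send' or 'ignore'.

    Direct Send shape: internal sender domain, empty Connectors field, and a
    source IP that SPF/DMARC does not vouch for. The known-device allow-list
    separates devices that legitimately use Direct Send from everything else.
    """
    if not is_internal(row["SenderFromAddress"]) or row["Connectors"].strip():
        return "ignore"  # external sender, or mail that arrived via a connector
    if row["DMARC"].lower() != "fail" and row["SPF"].lower() != "fail":
        return "ignore"  # authenticated internal mail
    return "legit-direct-send" if from_known_device(row["SenderIPv4"]) else "spoof"

def triage(csv_text):
    """Group subjects by verdict so each bucket can be reviewed separately."""
    groups = {"spoof": [], "legit-direct-send": [], "ignore": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row)].append(row["Subject"])
    return groups

if __name__ == "__main__":
    for verdict, subjects in triage(SAMPLE_CSV).items():
        print(f"{verdict}: {subjects}")
```

The "legit-direct-send" bucket is the list to reconcile against partner connectors before setting RejectDirectSend; the "spoof" bucket feeds incident response.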
If you need any further guidance on this, please contact DigitalXRAID’s Security Operations Centre analysts. We’re here to support you.
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak with one of our experts. They’re available 24 hours a day, 7 days a week.
Bookmark this page in case you ever need us.