Straight Outta Redmond: Direct Send Abuse in the Wild

Microsoft’s Direct Send feature was built to make life easier for organizations, but attackers have found a way to flip that convenience into chaos. Direct Send abuse is the latest Straight Outta Redmond, where threat actors masquerade as trusted senders and ride Microsoft’s own infrastructure to deliver phishing at scale. The Blackpoint Response Operations Center (BROC) continues to see an influx of Direct Send abuse, which quickly leads to business email compromises. This is not just another wave of spam; it’s malicious mail with street cred, delivered courtesy of Microsoft’s own backyard.

Key Findings

  • Threat actors in the wild have been observed leveraging Microsoft’s Direct Send feature to send targeted phishing emails as spoofed users.
  • Direct Send Phishing does not require a threat actor to compromise an existing account to deliver internal phishing emails.
  • Direct Send is a Microsoft function for Exchange Online designed for internal devices that allows for emails to be sent directly without authentication.
  • Threat actors are identifying smart host assets that use the default naming format and abusing publicly available data to identify organizations that are vulnerable to Direct Send phishing.
  • Direct Send phishing is an effective, low-cost option because it requires neither a compromised account nor stolen credentials or tokens.
  • Abusing Direct Send for email delivery makes the email appear to be internal-to-internal traffic, so it may be ignored by third-party email security tools and is not validated by sender verification controls.
  • Common phishing lures observed in Direct Send attacks involve mundane business tasks, such as task reminders or meeting recordings, as well as urgent requests, including wire authorizations or missed fax messages.

From Lures to Breaches: Why Email Is Still the Easiest Vector

The BROC continues to see a constant shift in the tactics, techniques, and procedures (TTPs) associated with business email compromises (BECs). These BECs have evolved from typo-squatted domains and fake invoices to abusing whatever Microsoft feature or piece of technology is newest. Adversaries now blend classic phish with QR “quishing”, HTML smuggling, OAuth consent grants, adversary-in-the-middle proxies, and thread hijacking. These threat actors lean on collaboration stacks, marketing platforms, and LLMs to increase their credibility. Once initial access is gained, mailbox rules, transport rules, and forwarding rules silently work to keep victims blind while attackers pivot deeper into the cloud, attempt to compromise further accounts, or stage payroll or wire diversions.

Attackers are now abusing the Microsoft 365 Direct Send feature to route malicious phishing messages through legitimate Microsoft infrastructure. Even when DMARC alignment is enforced, organizations with permissive controls or weak anomaly detection may still see malicious emails reach user inboxes.

Kill Chain Overview

Redmond built it, the streets weaponized it.

The BROC continues to see an uptick in Direct Send abuse for phishing campaigns across our customer base. Direct Send is a Microsoft 365 feature that allows devices and applications to send email directly through Exchange Online without needing authentication or a designated mailbox. This feature was built for convenience; however, in misconfigured environments it is a dangerous initial access point leveraged heavily by threat actors in phishing campaigns.

A recent incident tied to a Business Email Compromise identified that the malicious phishing mail was sent via Direct Send. The malicious email in question was sent from the user to themselves, which is a common tactic in these Direct Send campaigns.

Further parsing of the headers found that all of the relays associated with the transport stem from “outlook” / “office365”; however, the last relay (the earliest hop) is the loopback address (127.0.0[.]1) followed by an anomalous IP that is not Microsoft based.
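As an added example (not code from the original post), the header pattern just described can be checked mechanically: every relay is a Microsoft host, yet the earliest hop announces itself as 127.0.0.1 and connects from a non-Microsoft IP, and the message is self-addressed. The header block, host names, addresses and IPs below are constructed (203.0.113.0/24 is a documentation range), and the function names are my own.

```powershell
# Added example, not code from the original post. Triage raw headers for the
# Direct Send pattern: Microsoft-only relays, a loopback HELO on the earliest
# hop, and a non-Microsoft origin IP. The header block is constructed.
$sampleHeaders = @'
Received: from CH2PR02MB5678.namprd02.prod.outlook.com (2603:10b6:610:2::11)
 by BN8PR02MB4321.namprd02.prod.outlook.com with HTTPS; Fri, 3 Oct 2025 14:02:11 +0000
Received: from 127.0.0.1 (203.0.113.45) by CH2PR02MB5678.namprd02.prod.outlook.com
 (2603:10b6:610:2::11) with Microsoft SMTP Server; Fri, 3 Oct 2025 14:02:09 +0000
From: Jane Doe <jane.doe@example.com>
To: Jane Doe <jane.doe@example.com>
Subject: ToDoList
'@

function Get-MailAddress([string]$Header) {
    # Bare address from "Display Name <user@domain>" or from a bare address.
    if ($Header -match '<([^>]+)>') { return $Matches[1].Trim().ToLower() }
    return $Header.Trim().ToLower()
}

function Test-DirectSendHeaders([string]$RawHeaders) {
    # Unfold RFC 5322 continuation lines, then split into one header per element.
    $lines    = ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n"
    $received = @($lines | Where-Object { $_ -match '^Received:' })
    $fromAddr = Get-MailAddress (@($lines | Where-Object { $_ -match '^From:' })[0] -replace '^From:\s*', '')
    $toAddr   = Get-MailAddress (@($lines | Where-Object { $_ -match '^To:' })[0]   -replace '^To:\s*', '')

    # Every relay that accepted the message should be a Microsoft host.
    $msRelay     = '\b(outlook\.com|office365\.com)\b'
    $allMsRelays = @($received | Where-Object { $_ -notmatch "by\s+\S*$msRelay" }).Count -eq 0

    # Received headers are prepended, so the last one is the earliest hop: the
    # host that handed the message to Exchange Online (HELO name, then IP).
    $helo = $null; $connIp = $null
    if ($received[-1] -match 'from\s+\[?([^\s\[\]\(]+)\]?\s*\(([^\s\)]+)\)') { $helo = $Matches[1]; $connIp = $Matches[2] }
    $loopbackHelo   = $helo -in @('127.0.0.1', 'localhost')
    $externalOrigin = [bool]$connIp -and ($received[-1] -notmatch "from\s+\S*$msRelay")

    [pscustomobject]@{
        SelfAddressed    = ($fromAddr -eq $toAddr)
        AllRelaysMS      = $allMsRelays
        LoopbackHelo     = $loopbackHelo
        OriginIP         = $connIp
        ExternalOrigin   = $externalOrigin
        DirectSendLikely = $allMsRelays -and $loopbackHelo -and $externalOrigin
    }
}

Test-DirectSendHeaders $sampleHeaders | Format-List
```

ExternalOrigin is a heuristic: a hybrid or partner inbound connector also hands mail to Exchange Online from a non-Microsoft IP, so compare OriginIP against your known connector and device egress addresses before treating a hit as abuse.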

Open-Source Intelligence (OSINT) found that this IP is associated with a VPS located in Ashburn, Virginia. However, the ASN tied to this specific VPS is registered in Germany, as indicated by the “DE” in “HETZNER-CLOUD2-AS, DE”. Further digging into this hosting provider confirms that it is a German company offering cheap VPS services, which are being leveraged by a threat actor within this campaign.

The malicious email in question had an attachment called “ToDoList.svg”. Parsing this image file revealed embedded JavaScript that would redirect the user to a credential harvesting page located at sinoswissportal[.]com.

Checking the A record for this malicious phishing domain also confirms that the credential harvesting page is hosted on a different Hetzner VPS located within Germany.

Navigating to the generated link using a bogus email address confirms that the JavaScript redirect lands on a Microsoft phishlet. An interesting item to note is that the Microsoft favicon on this tab has its colors inverted (red is at the bottom right instead of the top left).

This incident highlights how the abuse of Direct Send is not going away anytime soon. If anything, this feature is becoming a favorite in every threat actor’s playbook. As long as this feature exists, adversaries will continue to piggyback on Microsoft’s infrastructure to slip past defenses and land in inboxes with built-in credibility. All of this data emphasizes why defenders can’t afford to be reactive; instead, a proactive approach with targeted monitoring, alerting, and awareness is critical to flag these campaigns and the breaches tied to these malicious emails. Organizations that invest in visibility and guardrails today will be far better positioned to weather the next wave of phishing “Straight Outta Redmond”.

Recommendations and Mitigations

Recently Microsoft has added additional options to restrict Direct Send for Exchange Online. A new Administrative setting has been deployed to Reject Direct Send messages.

This can be enabled with the following PowerShell cmdlet for Exchange Online:

This setting will disable Direct Send and return an error message for any inbound Direct Send messages. It is important to note that this feature is currently in Public Preview and is not enabled by default. Microsoft has commented that, after the feature reaches general availability (GA), new tenants will have it enabled by default. In addition, Microsoft is working on reporting for Direct Send traffic so that admins can observe all of the current traffic that would be affected by enabling Reject Direct Send; this reporting is not yet available.
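The workflow below is an added example (not code from the original post or from Microsoft) showing how an admin would check the current state, look for traffic that the reject setting would affect, and then enable it. It uses the Exchange Online PowerShell cmdlets Get-OrganizationConfig, Set-OrganizationConfig -RejectDirectSend and Get-MessageTrace, and assumes the ExchangeOnlineManagement module is installed; the domain and the list of known sender IPs are placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account with Exchange Administrator rights; the domain and the
# list of known sender IPs are placeholders to replace with your own values.
Connect-ExchangeOnline

# 1. Inspect the current state. $false means unauthenticated Direct Send is still
#    accepted (the default while the control is in Public Preview).
"RejectDirectSend is currently: $((Get-OrganizationConfig).RejectDirectSend)"

# 2. Before enabling the reject, find traffic that looks like Direct Send so that
#    legitimate devices (MFPs, scanners, line-of-business apps) are not broken:
#    internal-to-internal mail that arrived from an IP you do not recognise.
#    Self-addressed messages are the pattern seen in the incident above.
$ownDomain = 'example.com'                  # placeholder
$knownIps  = @('198.51.100.10')             # placeholder: your devices' egress IPs
$since     = (Get-Date).AddDays(-7)         # message trace covers about ten days
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object {
        $_.SenderAddress    -like "*@$ownDomain" -and
        $_.RecipientAddress -like "*@$ownDomain" -and
        $_.FromIP -and ($_.FromIP -notin $knownIps)
    } |
    Select-Object Received, FromIP, SenderAddress, RecipientAddress, Subject,
        @{ n = 'SelfAddressed'; e = { $_.SenderAddress -eq $_.RecipientAddress } } |
    Sort-Object FromIP, Received |
    Format-Table -AutoSize

# 3. Once every legitimate sender found above has been moved to an authenticated
#    path (SMTP AUTH client submission or an inbound connector), reject Direct Send.
Set-OrganizationConfig -RejectDirectSend $true

# 4. Confirm the change took effect.
(Get-OrganizationConfig).RejectDirectSend
```

Run step 2 for a few days before step 3; anything legitimate that appears there is exactly the traffic that will start bouncing once the reject is on.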

There are some known issues with Reject Direct Send and Microsoft has continued to update their Blog post with known issues:
Introducing more control over Direct Send in Exchange Online | Microsoft Community Hub

Date published: October 3, 2025
Authors: Nevan B. and Nate D.