Microsoft 365 Direct Send Feature is Letting Hackers Steal Credentials — Are You at Risk?

Hackers are using a trusted Microsoft 365 feature to send stealthy phishing emails that bypass traditional security—putting dozens of organizations at risk.


Key Takeaways:

  • Hackers are abusing Microsoft 365’s Direct Send feature to deliver internal-looking phishing emails.
  • Over 70 U.S. organizations have been targeted using stealthy tactics since May 2025.
  • Varonis offers critical security recommendations to defend against this emerging threat.

Security researchers have discovered a sophisticated phishing campaign that exploits Microsoft 365’s Direct Send feature, allowing attackers to send deceptive emails without authentication to steal user credentials. Since May 2025, this technique has targeted over 70 organizations across multiple industries in the U.S., posing a significant threat to enterprise email security.

In Exchange Online, the Direct Send feature allows devices and applications within an organization to send emails through Microsoft 365 without needing to authenticate with a username or password. It leverages the SMTP server smtp.office365.com on port 25 and requires TLS encryption. This feature is commonly used for scenarios like sending alerts from printers or scanners, where storing credentials isn’t feasible.

How are hackers abusing Microsoft 365’s Direct Send feature?

According to a new report from security firm Varonis, hackers are abusing the Direct Send feature, which does not require authentication, to send spoofed emails that bypass security controls. This technique does not require threat actors to compromise an account within the target organization. Attackers only need to identify the organization’s domain and a valid recipient to deliver phishing emails.

The attackers leveraged PowerShell to send emails through the tenant’s smart host that appeared to originate from a trusted internal address. These emails bypass traditional email security controls because they are delivered through Microsoft’s infrastructure and appear to come from within the tenant.

“In one case, the alert was triggered by a Ukrainian IP address, an unexpected and unusual location for the affected tenant,” explained Tom Barnea, a forensics specialist at Varonis. “Typically, alerts tied to abnormal geolocation are accompanied by authentication attempts. This time, however, there were no login events, only email activity. Even more unusual, users were sending emails to themselves with PowerShell as the user agent.”

In one instance, Varonis observed that the emails resembled voicemail notifications and included a PDF attachment with a QR code directing the recipients to a Microsoft 365 phishing page, which is designed to steal users’ credentials.


How to protect your organization from Direct Send exploits?

Varonis has detailed a set of recommendations to help organizations protect themselves against phishing attacks that exploit Microsoft 365’s Direct Send feature. Administrators should enable “Reject Direct Send” in the Exchange Admin Center, and enforce strict DMARC policies and other email security controls.

Additionally, organizations should limit which IP addresses or devices are allowed to send emails through their Microsoft 365 smart host. Moreover, it’s advised to create rules that flag or block emails that appear to come from internal addresses but originate from external IPs. Administrators should also use security tools to detect anomalies like internal emails sent from unusual IP addresses.
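The flagging rule described above, as an added example that is not from the article or from Varonis: it runs over constructed message-trace-style records and flags unauthenticated messages that claim an internal sender but arrive from an IP outside the allow list of authorized devices, are self-addressed, or carry a PowerShell user agent. The domain, IP ranges, field names and user-agent strings are assumptions, not values from the report.

```python
import ipaddress
from typing import Dict, List

# Constructed: the tenant's internal domain and the static egress networks of
# the printers/scanners that are allowed to relay through the smart host.
INTERNAL_DOMAINS = {"example.com"}
AUTHORIZED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed message-trace-style records (field names are assumptions).
# m2 mirrors the pattern the article describes: internal sender, no login,
# self-addressed, PowerShell user agent, unexpected source IP.
SAMPLE_TRACE = [
    {"id": "m1", "from": "printer@example.com", "to": "ops@example.com",
     "src_ip": "203.0.113.10", "authenticated": False, "user_agent": "MFP-Firmware/2.1"},
    {"id": "m2", "from": "alice@example.com", "to": "alice@example.com",
     "src_ip": "198.51.100.77", "authenticated": False, "user_agent": "PowerShell/7.4"},
    {"id": "m3", "from": "partner@other.example", "to": "bob@example.com",
     "src_ip": "198.51.100.9", "authenticated": False, "user_agent": ""},
    {"id": "m4", "from": "bob@example.com", "to": "carol@example.com",
     "src_ip": "192.0.2.5", "authenticated": True, "user_agent": "Outlook"},
]


def _is_authorized_source(ip: str) -> bool:
    """True if the source IP belongs to a network allowed to use the smart host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SENDER_NETS)


def flag_direct_send_anomalies(trace: List[Dict]) -> Dict[str, List[str]]:
    """Return {message id: [reasons]} for messages that look like Direct Send abuse."""
    findings: Dict[str, List[str]] = {}
    for msg in trace:
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        if sender_domain not in INTERNAL_DOMAINS:
            continue  # external senders are handled by normal SPF/DKIM/DMARC checks
        if msg["authenticated"]:
            continue  # a logged-in mailbox session, not the unauthenticated relay path
        reasons = []
        if not _is_authorized_source(msg["src_ip"]):
            reasons.append("internal sender from unauthorized source IP")
        if msg["from"].lower() == msg["to"].lower():
            reasons.append("self-addressed message")
        if "powershell" in msg["user_agent"].lower():
            reasons.append("PowerShell user agent")
        if reasons:
            findings[msg["id"]] = reasons
    return findings


if __name__ == "__main__":
    for msg_id, why in flag_direct_send_anomalies(SAMPLE_TRACE).items():
        print(msg_id, "->", "; ".join(why))
```

Only m2 is flagged: the authorized printer (m1), the external partner (m3) and the authenticated Outlook session (m4) are left alone, which is the precision a transport rule or SIEM rule built on the same conditions should aim for.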

Lastly, administrators should restrict the domain’s SPF record to the static IP addresses of authorized senders, so that unauthorized senders cannot spoof the domain to send phishing emails. It’s also highly recommended to regularly review Microsoft 365 email settings, including connector configurations, transport rules, and authentication policies. Organizations should also educate employees about the use of MFA and conditional access policies to block phishing attacks.