A new phishing technique is actively exploiting a Microsoft 365 feature called Direct Send. Direct Send was designed to let on-premises devices and applications (printers, scanners, line-of-business systems) send email to your own users through your tenant's Microsoft 365 mail endpoint without authenticating.
Since May 2025, attackers have been using this feature to spoof internal-looking emails and bypass standard security measures.
Over 70 organisations (primarily in the U.S. across multiple sectors) have already been affected. We're now seeing signs of this attack emerging in Australia.
No account compromise is required. All an attacker needs is your domain name and a valid recipient address; the tenant's inbound Microsoft 365 endpoint that Direct Send uses follows a predictable naming pattern and is not secret.
This technique also bypasses external mail filters such as Mimecast, Barracuda and Proofpoint, because the attacker submits the message straight to Microsoft's inbound endpoint for your tenant instead of to the MX record that points at the filter.
Attackers use PowerShell scripts run from public IP addresses to send the spoofed emails. These often carry PDF attachments or QR codes designed to steal credentials.
Messages are delivered even though they fail SPF, DKIM and DMARC validation.
Because the emails enter through your own Microsoft 365 mail endpoint, they appear to originate from inside the organisation.
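The Direct Send pattern described above leaves a recognisable fingerprint in message headers: a From address in your own domain, Exchange Online marking the message as unauthenticated, SPF/DKIM/DMARC failures, and a sender IP that is not one of your devices. The following PowerShell function is an added example (not code from the original advisory) that triages a raw header block for those indicators. The header names are the ones Exchange Online actually stamps; the sample message, domain and IP addresses are constructed for illustration.

```powershell
# Added example: flag messages that claim our domain but arrived unauthenticated
# from an IP we do not recognise (the Direct Send abuse pattern).
function Test-DirectSendIndicators {
    param(
        [Parameter(Mandatory)] [string]   $RawHeaders,
        [Parameter(Mandatory)] [string]   $OurDomain,
        # Public IPs that legitimately use Direct Send (your printers/apps). Constructed placeholder list.
        [string[]] $AllowedSourceIps = @()
    )

    # Unfold RFC 5322 continuation lines, then split into name/value pairs.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers  = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2] }
    }

    $findings   = New-Object System.Collections.Generic.List[string]
    $auth       = [string]$headers['authentication-results']
    $fromDomain = if ($headers['from'] -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { '' }
    $senderIp   = if ($auth -match 'sender IP is ([0-9a-fA-F:.]+)') { $Matches[1] } else { '' }

    if ($fromDomain -eq $OurDomain.ToLower()) {
        # Exchange Online stamps AuthAs=Anonymous on mail that was not submitted over an authenticated session.
        if ($headers['x-ms-exchange-organization-authas'] -eq 'Anonymous') {
            $findings.Add('Unauthenticated (AuthAs=Anonymous) message claiming our own domain')
        }
        if ($auth -match 'spf=(fail|softfail|none)') { $findings.Add("SPF $($Matches[1])") }
        if ($auth -match 'dkim=(fail|none)')         { $findings.Add("DKIM $($Matches[1])") }
        if ($auth -match 'dmarc=fail')               { $findings.Add('DMARC fail') }
        if ($senderIp -and ($AllowedSourceIps -notcontains $senderIp)) {
            $findings.Add("Sender IP $senderIp is not an approved Direct Send source")
        }
    }

    [pscustomobject]@{
        FromDomain = $fromDomain
        SenderIp   = $senderIp
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

# Constructed sample headers in the shape Exchange Online produces for inbound mail.
$sample = @"
From: "IT Helpdesk" <helpdesk@example.com.au>
To: staff@example.com.au
Subject: Action required: new voicemail
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=softfail (sender IP is 203.0.113.45)
 smtp.mailfrom=example.com.au; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=example.com.au;
 compauth=fail reason=000
"@

Test-DirectSendIndicators -RawHeaders $sample -OurDomain 'example.com.au' -AllowedSourceIps @('198.51.100.7') |
    Format-List
```

Run the function over headers exported from a message trace or from a reported message; a legitimate printer job from an approved IP yields no findings, while the constructed sample above is flagged on all four indicators.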
Social engineering tactics include familiar or inviting internal-style subjects like:
Disable Direct Send, unless absolutely necessary.
Enforce SPF, DKIM and DMARC end to end: publish a DMARC policy of p=reject for your domain, and configure Microsoft 365 itself to honour DMARC and spoof-intelligence verdicts rather than relying only on the third-party mail filter in front of it.
If some devices genuinely need to send unauthenticated mail, restrict that path to their IP addresses (for example, an inbound connector locked to those IPs, plus a mail flow rule that quarantines unauthenticated mail claiming your domain from any other source) or move them to authenticated SMTP submission.
Educate staff on phishing tactics, especially the rising threat of QR code phishing (“quishing”).
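The hardening steps above, applied in Exchange Online PowerShell, as an added example that is not part of the original advisory. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and a tenant whose default anti-phishing policy still carries its default name; the domain, rule name and device IP addresses are constructed placeholders.

```powershell
# Added example: harden a tenant against Direct Send abuse. Domain, rule names and
# device IPs below are placeholders to replace with your own values.
Connect-ExchangeOnline

$ourDomain  = 'example.com.au'        # placeholder
$deviceIps  = @('198.51.100.7')       # placeholder: devices that must keep relaying mail

# 1. Disable Direct Send tenant-wide. Check the current state first so the change is auditable.
Get-OrganizationConfig | Format-List RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# 2. Make Microsoft 365 itself honour the sender's DMARC policy and use spoof intelligence,
#    so enforcement does not depend solely on a third-party gateway the attacker never touches.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine

# 3. Keep only the devices that genuinely need relay working, and only from their own IPs:
#    an inbound connector restricted to those addresses over TLS.
New-InboundConnector -Name 'Approved device relay' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $deviceIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# 4. Defence in depth: quarantine unauthenticated mail that claims our own domain but does not
#    come from an approved device IP. Direct Send mail is stamped AuthAs=Anonymous.
New-TransportRule -Name 'Quarantine unauthenticated mail claiming our domain' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ourDomain `
    -HeaderMatchesMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -HeaderMatchesPatterns 'Anonymous' `
    -ExceptIfSenderIpRanges $deviceIps `
    -Quarantine $true

# Verify
Get-OrganizationConfig | Select-Object RejectDirectSend
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' | Select-Object HonorDmarcPolicy, DmarcRejectAction
Get-TransportRule -Identity 'Quarantine unauthenticated mail claiming our domain' | Select-Object State
```

Before setting RejectDirectSend, identify which printers, scanners and applications currently rely on Direct Send so they can be moved onto the connector or onto authenticated SMTP submission first; otherwise their mail will start being rejected the moment the switch is flipped.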
We recommend reviewing your tenant's exposure and strengthening your defences. Our support may include:
If you’d like to book a quick review of your environment, we’d be happy to help implement tailored controls that reduce your risk.
Contact us today to schedule a consultation:
📞 1300 4866 73
📧 help@huonit.com.au
Thank you for taking steps to protect your users, systems, and data.