
Protect Your Microsoft 365 Tenant from New “Direct Send” Phishing Threat

A new phishing technique is actively being used to exploit a Microsoft 365 feature called Direct Send, originally designed to allow internal devices (like printers or scanners) to send emails without authentication.

Since May 2025, attackers have been using this feature to spoof internal-looking emails and bypass standard security measures.

What’s Happening

Over 70 organisations (primarily in the U.S. across multiple sectors) have already been affected. We're now seeing signs of this attack emerging in Australia.

No account compromise is required. All that’s needed is your domain and a valid recipient email address.

This technique also bypasses your external mail filters like Mimecast, Barracuda and Proofpoint.
Attackers use PowerShell scripts and public IPs to send spoofed emails. These often contain PDF attachments or QR codes designed to steal credentials.

Why This Threat Is Dangerous

Messages are delivered even when they fail SPF, DKIM and DMARC validation.

Emails are routed through Microsoft itself, making them appear as internal messages.

Social engineering tactics include familiar or inviting internal-style subjects like:

  • “Missed Fax Message”
  • “Voicemail Alert”
  • “Pay Benefit Disbursement”

These often include clickbait PDFs or malicious QR codes that trick users into credential theft.

What You Should Do

Disable Direct Send, unless absolutely necessary.

Strictly enforce SPF, DKIM & DMARC with reject policies within Microsoft 365, not just third-party mail filters.

If needed, restrict IP addresses allowed to use Direct Send via smart host configurations.

Educate staff on phishing tactics, especially the rising threat of QR code phishing (“quishing”).
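The tenant-side steps above, written out as an added Exchange Online PowerShell example (not from the original post or from Huon IT). It assumes the ExchangeOnlineManagement module is installed, you have already run Connect-ExchangeOnline with sufficient admin rights, and “example.com.au” stands in for your own accepted domain; the rule name and comment text are illustrative.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run as an Exchange/Global admin. "example.com.au" is a placeholder.
$Domain = "example.com.au"

# 1. Disable Direct Send tenant-wide. Unauthenticated mail that claims to come from
#    your own domain and is sent straight to your MX is then rejected with an NDR.
#    Move printers/scanners to SMTP AUTH or an authenticated connector first.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend   # verify: expect True

# 2. Enforce SPF hard fail inside Exchange Online Protection itself, so a "-all"
#    failure is treated as spam even if an upstream third-party filter passed it.
Set-HostedContentFilterPolicy -Identity "Default" -MarkAsSpamSpfRecordHardFail On

# 3. Detection logic: quarantine mail whose header From is your own domain, that
#    enters from outside the organisation, and that failed authentication.
#    Start in Audit mode, review the hits, then change -Mode to Enforce.
New-TransportRule -Name "Quarantine spoofed internal-style mail" `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -SenderAddressLocation Header `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "spf=fail", "compauth=fail" `
    -Quarantine $true `
    -Mode Audit `
    -Comments "Direct Send abuse: external origin, own-domain From, failed auth"

# 4. Hunting: recent delivered mail "from" your own domain, with the source IP, so
#    anything not coming from your known devices or mail gateway stands out.
Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -SenderAddress "*@$Domain" -Status Delivered |
    Select-Object Received, FromIP, SenderAddress, RecipientAddress, Subject |
    Sort-Object FromIP
```

Compare the FromIP column against the IP addresses of your own scanners, printers and any smart host; if Direct Send is kept for those devices, only their addresses should appear.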

How Huon IT Can Help

We recommend reviewing your tenant’s exposure and strengthening your defences. Our support may include:

  • Enforcing SPF hardfail within Exchange Online Protection (EOP)
  • Custom email transport rules and detection logic to quarantine suspicious internal-style emails
  • Monitoring infrastructure for anomalous smart-host activity, geolocation mismatches, and suspicious sign-ins
  • Security awareness training focused on credential theft tactics such as QR-based phishing

Want to Review Your Microsoft 365 Security Posture?

If you’d like to book a quick review of your environment, we’d be happy to help implement tailored controls that reduce your risk.

Contact us today to schedule a consultation:
📞 1300 4866 73
📧 help@huonit.com.au

Thank you for taking steps to protect your users, systems, and data.