
Abuse of MS Direct Sent to send phishing emails

Learn what Microsoft Direct Send is, how attackers spoof internal email, and how to stop it with allowlists, migration, and SISA ProACT Agentic SOC UEBA.

What Is Microsoft Direct Send – And How Hackers Abuse It

Microsoft 365 and Exchange Online power email for millions of businesses. Hidden within this system is a little-known feature called Direct Send. Originally designed to make life easier for IT teams managing printers, scanners, and legacy apps, it has now become a popular attack vector.

At SISA, our Sappers team has investigated multiple incidents where Direct Send was abused. In this blog, we’ll explain what Direct Send is, why organizations still rely on it, how attackers exploit it, and — most importantly — how you can defend against it.

What Is Microsoft Direct Send?

Direct Send is a Microsoft 365 feature that allows devices and applications (like printers or monitoring tools) to send email directly to recipients inside the same organization’s tenant — without authentication and without needing a licensed mailbox.

Instead of logging in with a username/password, the device uses the organization’s MX record (for example, yourdomain.mail.protection.outlook.com) to hand messages directly to Exchange Online.

Key point: Direct Send only works for internal delivery. Emails cannot be sent to external domains like Gmail or Yahoo.

Why Do Organizations Use Direct Send?

Even though it’s a legacy feature, Direct Send is still widely used because:

  • Legacy devices and apps: Older printers, fax machines, or alerting tools cannot handle modern authentication.
  • Simplicity: IT admins only need to configure the domain’s MX record, not create service accounts or connectors.
  • Cost efficiency: No need to license a mailbox just for automated alerts or reports.

Why Not Just Turn It Off?

Disabling Direct Send is rarely straightforward:

  • Business-critical workflows such as invoicing, system alerts, or notifications may break.
  • Some Microsoft services and third-party integrations still depend on it.
  • Until recently, Microsoft lacked easy controls to block it without collateral damage.
  • Microsoft has now introduced “Reject Direct Send” as part of its roadmap, but adoption requires careful planning to avoid disrupting critical processes.

How Attackers Abuse Direct Send

Attackers exploit Direct Send by impersonating internal communications. With knowledge of a target domain and valid user addresses, they can inject spoofed messages through the Microsoft MX endpoint.

Because Direct Send operates within Microsoft’s infrastructure, these messages are treated as internal. This means SPF, DKIM, and DMARC don’t apply — giving attackers an advantage in bypassing standard email checks.

Common malicious payloads include fake IT alerts, HR notifications, or voicemail messages carrying malicious attachments, QR codes, or phishing links.

How to Defend Against Direct Send Abuse

Since disabling Direct Send outright is often not feasible, organizations need a layered strategy that combines configuration hardening with advanced detection.

1. Restrict Direct Send Usage

  • Configure IP allowlists so only trusted devices or subnets can send via Direct Send.
  • Maintain a clear inventory of all printers, scanners, and apps that rely on this feature.

2. Detection and Monitoring with SISA ProACT Agentic SOC

Traditional email defenses often miss Direct Send abuse because these messages look like legitimate internal traffic. This is where SISA ProACT’s Agentic SOC solution adds value.

Our UEBA (User and Entity Behavior Analytics) module is designed to detect anomalies such as:

  • Emails sent from the same person to the same person (a strong indicator of spoofing attempts).
  • Sudden spikes in email activity from a device or system that normally sends very little traffic.
  • Behavioral deviations in internal communication patterns, highlighting potentially spoofed messages.

These advanced analytics help identify Direct Send abuse even when traditional tools fail.
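The two indicators listed above (self-addressed messages and sudden volume spikes from one source), together with the IP allowlist check from step 1, can be expressed as simple detection logic over message-trace data. The following is an added example written for this post, not SISA ProACT code or a Microsoft API; it runs over a constructed, message-trace-like sample (timestamp, envelope sender and recipient, connecting IP) and assumes a trusted printer/scanner subnet of 10.1.5.0/24.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a message-trace-like shape (not real SISA,
# Microsoft, or customer data). Each record holds the acceptance time, the
# envelope sender and recipient, and the IP that connected to the MX endpoint.
SAMPLE_TRACE = [
    {"ts": "2025-01-10T09:00:00", "from": "printer@example.com", "to": "ops@example.com",   "src": "10.1.5.20"},
    {"ts": "2025-01-10T09:01:10", "from": "alice@example.com",   "to": "alice@example.com", "src": "203.0.113.45"},
    {"ts": "2025-01-10T09:01:12", "from": "bob@example.com",     "to": "bob@example.com",   "src": "203.0.113.45"},
    {"ts": "2025-01-10T09:01:15", "from": "carol@example.com",   "to": "carol@example.com", "src": "203.0.113.45"},
    {"ts": "2025-01-10T09:30:00", "from": "scanner@example.com", "to": "hr@example.com",    "src": "10.1.5.21"},
    {"ts": "2025-01-10T09:31:00", "from": "alerts@example.com",  "to": "it@example.com",    "src": "198.51.100.7"},
]

# Assumed allowlist: the subnet where the organisation's printers and scanners live.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.1.5.0/24")]


def is_trusted_source(ip: str) -> bool:
    """True when the connecting IP falls inside an allowlisted subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_untrusted_sources(records):
    """Messages handed to the MX endpoint from outside the allowlist (step 1 check)."""
    return [r for r in records if not is_trusted_source(r["src"])]


def flag_self_addressed(records):
    """Sender equals recipient: the spoofing indicator the UEBA module looks for."""
    return [r for r in records if r["from"].lower() == r["to"].lower()]


def flag_spikes(records, window=timedelta(minutes=5), threshold=3):
    """Source IPs that send at least `threshold` messages inside any sliding window.

    Returns {source_ip: peak_count_in_window}. A real UEBA baseline would learn
    per-device volumes; a fixed threshold is used here to keep the example self-contained.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(datetime.fromisoformat(r["ts"]))
    spiking = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                spiking[src] = max(spiking.get(src, 0), count)
    return spiking


def triage(records):
    """Combine the indicators per source IP: {source_ip: sorted list of reasons}.

    A source that is both outside the allowlist and self-addressing users at
    high volume is the profile of Direct Send abuse described in the post.
    """
    reasons = defaultdict(set)
    for r in flag_untrusted_sources(records):
        reasons[r["src"]].add("untrusted_source")
    for r in flag_self_addressed(records):
        reasons[r["src"]].add("self_addressed")
    for src in flag_spikes(records):
        reasons[src].add("spike")
    return {src: sorted(tags) for src, tags in reasons.items()}


if __name__ == "__main__":
    for src, tags in triage(SAMPLE_TRACE).items():
        print(f"{src}: {', '.join(tags)}")
```

In the sample, 203.0.113.45 trips all three indicators (outside the allowlist, three self-addressed messages, three messages in five seconds), 198.51.100.7 is only flagged as an unknown source, and the printer subnet produces nothing. The allowlist check is the one control that can be enforced at the connector level; the other two are detection signals that need a baseline tuned to how much mail each device normally sends.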

3. Migration and Authentication Controls

  • Begin migrating legacy devices to Authenticated SMTP or the Microsoft Graph API where possible.
  • Apply Conditional Access policies to strengthen these modern alternatives (though Conditional Access does not apply to Direct Send itself).
  • Disable SMTP AUTH across the tenant unless specifically required.

4. Harden Email Security Posture

  • Apply mail flow rules to add banners or special tags for system-generated alerts, making it harder for spoofed Direct Send messages to blend in.
  • Enforce attachment scanning and URL inspection for all internal emails, not just inbound mail from outside domains.

5. User Awareness and Response

  • Train employees not to automatically trust messages that “look internal.”
  • Encourage quick verification with IT/security teams when receiving unusual alerts.
  • Conduct internal-style phishing simulations to help employees recognize spoofed system notifications.

Conclusion

Microsoft Direct Send was built for convenience, but today it is a security liability. SISA Sappers have seen firsthand how attackers exploit this feature to bypass traditional defences and deliver convincing phishing lures.

Organizations that still rely on Direct Send should:

  • Audit and restrict its use,
  • Strengthen monitoring through behavioural analytics,
  • Begin migrating to modern alternatives, and
  • Educate employees to recognize suspicious internal messages.

SISA ProACT Agentic SOC goes beyond traditional defences by using UEBA-driven detection to surface anomalies that Microsoft’s native controls may miss. By combining behavioural analytics with proactive monitoring, our clients can close this blind spot and stay ahead of attackers.
