Threat actors are using the Direct Send feature of Microsoft 365 to send spoofed emails that appear to originate from internal domains, often impersonating the recipient themselves. These emails frequently contain PDFs embedded with phishing QR codes (quishing) and are routed through Microsoft infrastructure to bypass common email security controls. To mitigate these risks, Arctic Wolf recommends enabling the ‘Reject Direct Send’ option in the Exchange Admin Center, avoiding engagement with unsolicited emails and attachments, and ensuring Multi-Factor Authentication (MFA) is enabled across all user accounts.

Affected Products

  • Microsoft 365: The campaign exploits the Direct Send feature of Microsoft 365, which allows emails to be sent internally without authentication.
  • Exchange Online: The phishing emails are routed through Microsoft infrastructure, including Exchange Online, to bypass common email security controls.

Remediation

  • Enable ‘Reject Direct Send’: Block unauthenticated internal emails in the Exchange Admin Center.
  • Avoid Unsolicited Emails: Don’t engage with unexpected emails or attachments.
  • Enable MFA: Use Multi-Factor Authentication for all user accounts.
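
The same ‘Reject Direct Send’ remediation can be applied and verified from Exchange Online PowerShell. This is an added example, not code from Arctic Wolf or Cornerstone.IT; it assumes the ExchangeOnlineManagement module is installed, the account holds an Exchange administrator role, and the RejectDirectSend organization setting is available in the tenant.

```powershell
# Added example (not the advisory's own code).
# Assumes: ExchangeOnlineManagement module installed, an Exchange admin account,
# and the RejectDirectSend organization setting available in this tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Record the current state before changing anything.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before: $before"

# 2. Review recent mail that claims an internal sender. Legitimate devices and
#    applications (printers, scanners, line-of-business apps) sometimes relay via
#    Direct Send and must be moved to an authenticated connector or SMTP AUTH
#    before the setting is enabled, or their mail will be rejected too.
$domains = (Get-AcceptedDomain).DomainName
$start   = (Get-Date).AddDays(-7)   # message trace covers the last 10 days
$end     = Get-Date
foreach ($d in $domains) {
    Get-MessageTrace -SenderAddress "*@$d" -StartDate $start -EndDate $end |
        Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject |
        Export-Csv -Path "DirectSendReview-$d.csv" -NoTypeInformation
}
# Rows whose FromIP is outside the tenant's known sending infrastructure are
# either legitimate relays to migrate or spoofed mail to investigate.

# 3. Enable the setting. Unauthenticated messages submitted to the tenant's
#    MX endpoint with an internal sender address are then rejected.
if (-not $before) {
    Set-OrganizationConfig -RejectDirectSend $true
}

# 4. Verify the change took effect (propagation can take some time).
$after = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend after:  $after"

Disconnect-ExchangeOnline -Confirm:$false
```

Run the review step first in a change window and only enable the setting once every legitimate internal relay found in the CSVs has been migrated.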

For full technical details, visit Arctic Wolf’s blog post on this topic.

Source & References

Cornerstone.IT