Direct Send Vulnerability: What Microsoft Users Need to Know
- Read time: 5 mins.
- Contributions: HBS SOC Team
The HBS Security Operations Center (SOC) spends a lot of time reviewing security alerts. Over the past few months, one pattern has shown up across client environments more than anything else: phishing emails that look like they came from inside the organization, arriving without a single compromised account.
The culprit is a Microsoft 365 feature called Direct Send. It was built so printers and internal applications can email users without sender authentication. Attackers have turned it into a phishing delivery mechanism that bypasses most of what organizations have put in place to protect their inboxes.
Allow us to walk you through what we’re seeing, how it works, and what you should do about it.
What Is Direct Send?
Direct Send is a legitimate Microsoft 365 feature that allows devices and applications (printers, scanners, HR platforms, ticketing systems) to send email within a Microsoft 365 tenant without authenticating. It uses a smart host address in this format:
tenantname.mail.protection.outlook.com
That endpoint accepts messages destined for your domain even when they don’t come through your standard mail exchange route. For internal devices and tools that need to send notifications, it can be very convenient, but for attackers, it’s been an open door.
Attackers have been especially drawn to this method because the Direct Send vulnerability requires almost nothing to exploit.
Smart host addresses follow a predictable format, and internal email addresses can often be scraped from LinkedIn, company websites, or prior data breaches, so identifying a target is simple.
Once an attacker has the domain and a valid recipient, they can send a spoofed email that appears to come from inside the organization with no account compromise, no credential theft, and no malware required.
Because the message routes through Microsoft’s own infrastructure, it often bypasses security controls built to catch external threats. That combination of low effort and high believability is what makes this one of the most common attack vectors we’re dealing with right now.
Common Lures Used in Direct Send Phishing Campaigns
Across industry-documented campaigns, and from what we have experienced in the HBS SOC, attackers have favored a consistent set of social engineering themes. These subject lines and attachment names are designed to trigger urgency and lower suspicion, especially when the email appears to come from inside the organization.
| IPs to Watch For: | | |
|---|---|---|
| 185.101.38.41 | 185.174.101.87 | 51.38.106.141 |
| 141.95.79.227 | 45.83.43.192 | 176.107.181.26 |
| 176.107.181.26 | 163.5.149.5 | 83.229.70.9 |
| 62.90.188.108 | 212.95.55.172 | 51.89.53.34 |
| 38.22.104.236 | 51.38.109.135 | 51.89.109.70 |
| 51.195.53.217 | 139.28.36[.]230 | |
| Subject Lines to Watch For: |
|---|
| Caller Left VM Message * Duration |
| Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX |
| New Missed Fax-msg |
| New Missed Fax-Msg (2 pages) |
| You have received a new (2 pages) *Fax-Msg* to email@**** |
| Fax Received: Attached document for review REF |
| Wireless Caller Left Vm |
| Attachment Names to Watch For: |
|---|
| Fax-msg |
| Caller left VM Message |
| Listen |
| Wireless Caller Left Vm |
| A Caller Left VM MSG * DURATION |
If you receive anything matching these patterns, treat it as suspicious until proven otherwise.
What to Do About Direct Send Abuse
Turn off Direct Send.
This is our number one recommendation, and by far the most effective. If your organization does not actively rely on Direct Send for legitimate purposes, just disable it. The risk is not worth the convenience.
How to Turn Off Direct Send
In the Exchange Admin Center, you can enable the ‘Reject Direct Send’ setting to block this attack vector entirely. If you do have internal systems that depend on Direct Send, document them and explore authenticated alternatives like SMTP relay or client submission.
Other steps to prevent Direct Send phishing are:
- Implement a strict DMARC policy
Set your DMARC policy to p=reject. This tells receiving mail servers to reject messages that fail both aligned SPF and DKIM checks, rather than delivering them. A strict DMARC policy is one of the most effective tools available for stopping spoofed email, including messages sent via Direct Send abuse.
- Flag all unauthenticated internal emails
Configure your email security to quarantine or flag messages that appear to come from your domain but fail authentication checks. These messages should never reach the inbox without review.
- Enforce SPF hardfail within Exchange Online Protection
Exchange Online Protection (EOP) supports SPF hardfail enforcement, which instructs EOP to treat messages that fail SPF checks as suspicious. Pair this with a locked-down SPF record that specifies only your authorized sending sources.
- Enable anti-spoofing policies
Microsoft 365 includes built-in anti-spoofing protection within Defender for Office 365. Make sure these policies are active and configured to catch internal domain spoofing. Review your allowed senders list, because attackers often exploit overly permissive exceptions.
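As an added example (not HBS code and not part of the original post), here is a Python check that grades a domain's DMARC and SPF TXT records against the settings above: p=reject on DMARC and a hard-fail `-all` on SPF. The records are constructed samples for a hypothetical domain; in practice you would fetch `_dmarc.<domain>` and the domain's own TXT record from DNS. The `include:spf.protection.outlook.com` check assumes outbound mail leaves directly from Exchange Online.

```python
"""DMARC and SPF record check for the settings recommended above.

Added example, not HBS code. The records are constructed samples for a
hypothetical domain; fetch the real ones from DNS (_dmarc.<domain> and the
domain apex TXT record) before running this against your own tenant.
"""

# Constructed sample records: a weak configuration next to its hardened form.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"

# Assumption: outbound mail leaves directly from Exchange Online, so the SPF
# record must include Microsoft's published sender range.
EXO_INCLUDE = "include:spf.protection.outlook.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it meets p=reject guidance."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} (expected p=reject)")
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy.lower() != "reject":
        findings.append(f"sp={sub_policy} lets subdomains escape the reject policy")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it ends in -all and covers EXO."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    terminal = terms[-1].lower()
    if terminal == "~all":
        findings.append("~all (softfail); use -all so unauthorized senders hard-fail")
    elif terminal in ("+all", "all"):
        findings.append("+all authorizes every sender; use -all")
    elif terminal == "?all":
        findings.append("?all (neutral) gives receivers no decision; use -all")
    elif terminal != "-all":
        findings.append("no terminating all mechanism; add -all")
    if EXO_INCLUDE not in (t.lower() for t in terms):
        findings.append(f"missing {EXO_INCLUDE}, so legitimate Exchange Online mail fails SPF")
    return findings


def report(dmarc: str, spf: str) -> dict:
    """Bundle both checks so a caller sees at a glance what still needs hardening."""
    return {"dmarc": check_dmarc(dmarc), "spf": check_spf(spf)}


if __name__ == "__main__":
    for label, d, s in (("weak", WEAK_DMARC, WEAK_SPF), ("strict", STRICT_DMARC, STRICT_SPF)):
        print(label, report(d, s))
```

Running it prints the findings for the weak pair (p=none and ~all) and an empty report for the strict pair. The check deliberately treats pct below 100 and a non-reject sp as findings, since both leave a gap that spoofed mail can still slip through.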
And while not specifically about Direct Send prevention, it is always a great idea to educate your users on QR code phishing (quishing) dangers, while also enforcing MFA and conditional access policies.
How to Detect Direct Send Exploitation
In message headers:
- Look for Received headers showing external IP addresses routed through your smart host.
- Check authentication results for SPF softfail or hardfail, missing DKIM signatures, and DMARC failures on messages claiming to be from your domain.
- Verify that the X-MS-Exchange-CrossTenant-Id matches your actual tenant ID.
In behavioral signals:
- Users sending email to themselves, particularly with identical From and To addresses.
- PowerShell listed as the user agent in email activity logs.
- Email activity originating from unexpected IP addresses, foreign geolocations, or known VPN infrastructure.
- Alerts for abnormal geolocation activity with no corresponding login events.
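The header checks above, as an added example that is not part of the original post or HBS tooling. The Python below parses a raw message and reports the indicators listed: an unexpected IP handing mail to the smart host, failed SPF, DKIM or DMARC on mail claiming your domain, identical From and To addresses, and an X-MS-Exchange-CrossTenant-Id that is not yours. The domain, smart host name, tenant ID, known sender networks and both sample messages are constructed placeholders (documentation IP ranges, not observed attacker infrastructure).

```python
"""Flag Direct Send indicators in a raw message's headers.

Added example, not HBS code. OUR_DOMAIN, SMART_HOST, OUR_TENANT_ID and
KNOWN_SENDER_NETS are placeholders you would replace with your tenant's
values; the two sample messages are constructed, not captured.
"""
import email
import email.utils
import ipaddress
import re

OUR_DOMAIN = "example.com"                                  # assumption: your accepted domain
SMART_HOST = "example-com.mail.protection.outlook.com"      # assumption: your tenant smart host
OUR_TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder tenant ID
# Assumption: the public egress ranges your printers and apps legitimately send from.
KNOWN_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: an unknown host hands mail for our own domain to the smart host,
# From equals To, and SPF, DKIM and DMARC all fail.
SUSPICIOUS = """Received: from example-com.mail.protection.outlook.com (10.0.0.5) by
 internal.example.com with Microsoft SMTP Server; Tue, 1 Jan 2025 10:00:00 +0000
Received: from mail.badhost.invalid (198.51.100.23) by
 example-com.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Tue, 1 Jan 2025 09:59:58 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: New Missed Fax-Msg (2 pages)

Please listen to the attached message.
"""

# Constructed sample: a scanner on a known egress address, everything passes.
CLEAN = """Received: from example-com.mail.protection.outlook.com (10.0.0.5) by
 internal.example.com with Microsoft SMTP Server; Tue, 1 Jan 2025 10:00:00 +0000
Received: from scanner.example.com (203.0.113.7) by
 example-com.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Tue, 1 Jan 2025 09:59:58 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;dmarc=pass action=none header.from=example.com
From: scanner@example.com
To: alice@example.com
Subject: Scanned document

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _flat(value) -> str:
    """Unfold a header value so regexes see a single line."""
    return " ".join(str(value).split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def indicators(raw: str) -> list:
    """Return a list of human-readable Direct Send indicators found in the message."""
    msg = email.message_from_string(raw)
    findings = []
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    to_addr = email.utils.parseaddr(msg.get("To", ""))[1].lower()

    # 1. Which host handed the message to the smart host, and was it one we expect?
    for rcv in msg.get_all("Received", []):
        m = HOP_RE.search(_flat(rcv))
        if not m:
            continue
        host, ip, by = m.group(1), ipaddress.ip_address(m.group(2)), m.group(3).lower()
        if by == SMART_HOST and not any(ip in net for net in KNOWN_SENDER_NETS):
            findings.append(f"{host} ({ip}) delivered to the smart host from outside the known sender networks")

    # 2. Authentication results on mail that claims to be from our own domain.
    if _domain(from_addr) == OUR_DOMAIN:
        for auth in msg.get_all("Authentication-Results", []):
            for method, result in AUTH_RE.findall(_flat(auth)):
                if result.lower() != "pass":
                    findings.append(f"{method}={result} on mail claiming to be from {OUR_DOMAIN}")

    # 3. Self-addressed mail is a common Direct Send tell.
    if from_addr and from_addr == to_addr:
        findings.append(f"From and To are the same address ({from_addr})")

    # 4. Cross-tenant ID should be ours when present.
    tenant = msg.get("X-MS-Exchange-CrossTenant-Id")
    if tenant and tenant.strip().lower() != OUR_TENANT_ID:
        findings.append(f"X-MS-Exchange-CrossTenant-Id {tenant.strip()} does not match our tenant")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, indicators(sample))
```

Point it at exported .eml files from quarantine or a mail trace and the same function works unchanged. The hop check only fires on the hop whose "by" is your smart host, so legitimate internal relays further down the chain do not generate noise.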
Direct Send Concerns? HBS Can Help
Direct Send abuse is a threat that’s easy to miss until it lands in the wrong inbox. Our security team monitors for exactly this kind of attack pattern (unusual email activity, authentication anomalies, spoofed internal addresses) across client environments every day.
With HBS Managed XDR, you get continuous threat detection and response that covers your email environment alongside your endpoints, identities, and cloud workloads. If something like this is already happening in your environment, we’ll find it. If it hasn’t happened yet, we’ll make sure you’re not an easy target.
Have questions about Direct Send or want to explore your email security? Let’s talk.
Frequently Asked Questions
What is the direct send vulnerability in Microsoft 365?
Direct Send is a legitimate Exchange Online feature that allows devices and applications to send email without authentication. The vulnerability comes from how it can be abused: an attacker with your domain name and a valid recipient address can send spoofed emails that appear to come from inside your organization, without ever logging in or compromising an account.
Do I need to use Direct Send?
Most organizations don’t. Direct Send was designed for printers, scanners, and internal applications that can’t authenticate. If you don’t have a specific device or system relying on it, you can disable it without any impact to your standard email flow. If you’re not sure, an HBS specialist can help you check.
How do I turn off Direct Send in Microsoft 365?
In the Exchange Admin Center, you can enable the “Reject Direct Send” setting to block unauthenticated messages from being routed through your smart host. If you need help making that change or want to confirm it’s configured correctly, we can walk you through it.
Will DMARC alone stop a direct send attack?
A strict DMARC policy (p=reject) is one of the most effective controls you can implement, and it will block many direct send phishing attempts. But DMARC works best as part of a layered approach combined with SPF hardfail enforcement, anti-spoofing policies, and ideally disabling Direct Send altogether.
How do I know if my organization has already been targeted?
Check your email logs for messages sent from internal addresses with failed SPF, DKIM, or DMARC results. Look for email activity originating from unexpected IP addresses or foreign geolocations with no corresponding login events. PowerShell listed as the email user agent is another indicator. If you’re seeing any of these signals, contact our team.
Does MFA protect against this attack?
MFA does not prevent the phishing email from being delivered. Direct Send requires no account credentials to send. But MFA is a critical second layer of defense if a user clicks through and enters their credentials on a phishing site. Enforce MFA on all users and pair it with conditional access policies to limit the blast radius if credentials are stolen.