Microsoft 365 Direct Send Exploited: How Phishing Emails Masquerade as Internal Messages

Phishing has long been a favored weapon of cybercriminals, but a recent revelation about Microsoft 365’s Direct Send feature has elevated the threat to a new level—from inside the firewall. Designed for internal systems to send notifications without authentication, Direct Send can be abused by malicious actors to spoof emails that appear to originate from trusted internal sources. Without compromising a single user account, attackers can craft phishing messages that bypass standard defenses like DMARC and SPF, exploiting an organization’s own email infrastructure against it.

In this episode, we dive deep into how this vulnerability is being exploited, why it remains a blind spot in many organizations’ security architectures, and how to effectively defend against it. Drawing on insights from security researchers and real-world abuse cases, we explore the technical mechanics and organizational gaps that make this attack vector so potent.

What you’ll learn:

• How Microsoft 365’s Direct Send works—and why it lacks proper authentication controls
• The mechanics of the exploit: Using PowerShell and smart host predictability to impersonate internal users
• Why SPF, DKIM, and DMARC checks fail to stop these spoofed internal emails
• Header and behavioral indicators that reveal Direct Send abuse in action
• The critical role of DMARC policy enforcement (moving from monitoring to reject mode)
• Best practices to disable or restrict Direct Send usage without disrupting hybrid Exchange environments
• How attackers leverage trusted internal appearances to gain user trust and credentials
• Broader email security protocols—SPF, DKIM, and DMARC—and how they function together
• The importance of phishing-resistant MFA, continuous user training, and strong password policies
• How small and medium businesses can close these gaps even without large cybersecurity teams

This case serves as a stark reminder: cybercriminals are constantly looking for ways to subvert legitimate features in everyday software. Without holistic security strategies, including behavioral analysis and protocol enforcement, even built-in functionality can become a backdoor for credential theft, malware deployment, and lateral movement within corporate networks.