
Direct Send Phishing in M365: SOC Detection, Penetration Testing and MDR Strategies

4 September 2025 · 11 min read · Precursor Security

Direct Send phishing exploits an unauthenticated submission path in Microsoft 365 that allows any internet host to deliver email appearing to originate from your own domain. Because the message never passes through a third-party Secure Email Gateway, it bypasses SPF, DKIM, and DMARC controls - making it one of the hardest internal phishing variants to detect.

In Q3 and Q4 2025, Precursor's SOC observed Direct Send phishing campaigns targeting UK legal, conveyancing, and financial sector clients - every case involved emails that bypassed Mimecast undetected because the message was submitted directly to Exchange Online's MX record, never touching the customer's third-party gateway. Microsoft's 2024 Digital Defense Report recorded over 600 million cyberattacks per day against its cloud customers, with phishing remaining the leading initial access vector.

These attacks exploit internal delivery pathways to achieve higher success rates than conventional spoofing because the sending IP is Microsoft's own infrastructure, which is authorised in the victim domain's SPF record.

  • Direct Send phishing in M365 allows attackers to bypass secure email gateways, making it a prime method for internal phishing in M365 and fraud like payroll scams.
  • SOC monitoring for Direct Send exploitation enables real-time anomaly detection.
  • Common Direct Send fraud emails use subject lines like "Payroll Update - MM/DD/YYYY".
  • Implementing RejectDirectSend via PowerShell and enforcing authentication can significantly reduce risks associated with Direct Send abuse, and forms part of a broader M365 phishing protection posture for enterprise organisations.

What Is Direct Send Phishing and Why Does It Bypass M365 Security?

What is Direct Send?

Direct Send is a feature in Microsoft Exchange Online that allows devices and applications - such as scanners, multi-function printers, line-of-business applications, and monitoring tools - to send emails directly to recipients without authenticating against the sending domain. While this is a legitimate and widely used mechanism for internal IT infrastructure, the feature presents a significant risk surface when left unrestricted: any host on the internet can connect to the Exchange Online MX endpoint and submit mail as your domain with no credentials required.

How Does It Differ From Traditional Spoofing?

Unlike traditional email spoofing, which forges external emails and is commonly caught by SPF checks on the sending IP address, Direct Send phishing exploits internal delivery paths. The envelope sender is the victim's own domain, and the message originates from Microsoft's own IP ranges - which are authorised in the domain's SPF record. This allows attackers to bypass SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) entirely, making detection harder. In penetration testing Direct Send scenarios, high success rates are achieved precisely because the message looks entirely legitimate to the receiving mail client.

A concrete contrast: a traditionally spoofed email sent from an attacker-controlled external server will typically fail SPF because the sending IP does not match the victim domain's SPF record - most Secure Email Gateways will quarantine or reject it. A Direct Send phishing email submitted to the Exchange Online MX endpoint passes SPF (Microsoft's IPs are authorised), carries no DKIM signature (but DMARC does not fail on a missing signature alone if SPF aligns), and never touches the customer's perimeter gateway at all.

Despite Google and Yahoo mandating minimum DMARC records for bulk senders from February 2024, enforcement-level policies (p=quarantine or p=reject) remain the minority globally - and even full DMARC enforcement does not protect against Direct Send attacks, because messages originate from Microsoft's own authorised IP ranges.

Attribute | Traditional Email Spoofing | Microsoft 365 Direct Send
Authentication required | None - attacker forges sender headers from external infrastructure | None - sender connects directly to Exchange Online MX; Exchange Online accepts anonymous Simple Mail Transfer Protocol (SMTP)
SPF / DKIM / DMARC bypass | No - SPF checks the sending IP against the domain's SPF record; forged external senders typically fail SPF | Yes - the envelope sender is the victim's own domain, and the message originates from Microsoft's own IP ranges, which are authorised in the domain's SPF record
Passes through third-party SEG | Depends - inbound mail routed via SEG will inspect it, but Exchange Online phishing bypass is possible if the MX record points directly to Exchange Online | Yes - Direct Send connects to the Exchange Online MX endpoint directly, bypassing any third-party Secure Email Gateway (SEG) (Mimecast, Proofpoint Essentials, etc.) that routes inbound mail
Visible to Exchange Online Protection | Yes - EOP inspects inbound mail and may flag suspicious senders | Partially - EOP accepts the submission as anonymous but the message lacks a DKIM signature; the X-MS-Exchange-Organization-AuthAs: Anonymous header is present and detectable
Detection method | SPF/DKIM/DMARC failure; external sender domain mismatch | Header analysis: presence of X-MS-Exchange-Organization-AuthAs: Anonymous with an internal envelope sender; no DKIM signature on a message claiming internal origin
Recommended remediation | Enforce DMARC p=reject; ensure the SPF record is accurate | Enable RejectDirectSend via Set-OrganizationConfig -RejectDirectSend $true; implement transport rules blocking anonymous-auth internal senders

How Cybercriminals Exploit Direct Send

Attackers abuse poorly secured or misconfigured Direct Send pathways to:

  • Send phishing emails that appear internal - Messages seem to originate from the same corporate domain, adding credibility.
  • Bypass traditional defences - Malicious emails can sneak past inline email security solutions.
  • Deliver malicious payloads - Often includes credential-harvesting links, fake invoice documents, or malware-laced attachments.

Subject Lines Precursor SOC Has Observed

Precursor monitors email security appliances and solutions across a range of sectors and organisations in the UK and EMEA. The following subject lines were observed by Precursor SOC across UK legal, conveyancing, and financial sector clients in Q3-Q4 2025, used to elicit fraudulent responses:

  • Payroll Update - MM/DD/YYYY
  • Mortgage Funds Release/MM/DD/YYYY
  • Completion Funds Transfer/MM/DD/YYYY
  • BACS (Bankers' Automated Clearing Services) Payment Authorisation/MM/DD/YYYY - particularly prevalent among payment-processing and professional services firms

From further intelligence research, Precursor also highlights that this is a continued trend in a similar campaign identified by Proofpoint (Attackers Abuse M365 for Internal Phishing, Proofpoint, 2025).

Direct Send emails do not traverse Mimecast.

According to the FBI's 2023 Internet Crime Report (published May 2024), Business Email Compromise - the fraud category that Direct Send phishing directly enables - cost organisations $2,946,830,270 (approximately $2.9 billion) in 2023 alone, across 21,489 reported complaints.

Exploitation Techniques

  1. Attacker connects straight to your tenant's MX and speaks Simple Mail Transfer Protocol (SMTP).
  2. Exchange Online accepts the message as unauthenticated "Direct Send."
  3. Third-party gateways are bypassed when mail goes direct to Exchange Online.
  4. The user sees a message that looks internal, which raises trust.

Recommended Actions

  • Enable "Reject Direct Send" (first review whether any device or application in your estate still relies on Direct Send)
    • Exchange Online administrators can enable the feature with the following PowerShell:
    • Set-OrganizationConfig -RejectDirectSend $true
  • Enforce email authentication (SPF, DKIM, DMARC) with strict DMARC reject and SPF hard fail policies.
  • Review if your email security solution has visibility of Direct Send emails.
  • Monitor for suspicious email subject lines and escalate awareness of fraud emails.

Here's a PowerShell code snippet to audit and secure Direct Send:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

# Check the current setting, then enable Reject Direct Send
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

For M365 cloud security services and configuration review, see Cloud Security Services - Precursor Security.


SOC Monitoring and Detection Strategies

For Direct Send, message headers will show the message was accepted anonymously by EOP, for example X-MS-Exchange-Organization-AuthAs: Anonymous. A practical hunting approach in Defender for Office 365 is to query messages where SenderMailFromAddress matches your own domains and the auth context shows anonymous submission.

Three additional detection approaches that Precursor SOC applies across client environments:

1. KQL query for Defender Advanced Hunting

Target SenderMailFromAddress matching your accepted domains combined with an anonymous auth context to surface Direct Send phishing emails for phishing detection in Microsoft 365:

EmailEvents
// Envelope sender (P1 MailFrom) claims one of your accepted domains ...
| where SenderMailFromDomain in ("yourdomain.com")
// ... yet the message arrived from outside the tenant rather than as intra-org mail,
// which is how an anonymous submission to the MX endpoint is classified
| where EmailDirection == "Inbound"
// No DKIM signature or DMARC result on mail claiming internal origin
| where AuthenticationDetails has "dkim=none" or AuthenticationDetails has "dmarc=none"
| where isnotempty(NetworkMessageId)
| project Timestamp, SenderMailFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails, SenderIPv4

2. EOP transport rule - flag anonymous-auth internal senders

Create a transport rule in Exchange Online that matches messages where X-MS-Exchange-Organization-AuthAs equals Anonymous and the sender domain matches your accepted domains. Apply an action to prepend a warning subject tag (e.g., [UNVERIFIED SENDER]) or route to quarantine pending review. This provides a real-time control layer for SOC email security monitoring when RejectDirectSend cannot yet be enabled across the entire tenant.

3. Retrospective hunting in the Unified Audit Log

If RejectDirectSend was not enabled at the time of a suspected campaign, the Unified Audit Log can be searched retrospectively for messages delivered with the anonymous auth header. In the Microsoft Purview compliance portal, search mail flow logs for messages received from Exchange Online MX endpoints where the sender domain matches your own and no DKIM signature is present. This is how Precursor SOC identifies historical exposure before the remediation control is in place.

Precursor SOC Detection: UK Financial Sector Campaign

In Q4 2025, Precursor SOC identified a Direct Send phishing campaign targeting a UK-based financial services firm. The attacker submitted emails directly to the firm's Exchange Online MX endpoint using the firm's own domain in both the P1 envelope sender and the header From address - bypassing the firm's Mimecast gateway entirely, as Direct Send emails do not traverse third-party gateways. The emails used BACS payment subject lines formatted to resemble internal finance team communications, and were indistinguishable from legitimate internal mail in the recipient's inbox view.

Precursor SOC detected the campaign through header analysis: every message carried X-MS-Exchange-Organization-AuthAs: Anonymous combined with an internal envelope sender and no DKIM signature - a pattern that does not occur on legitimately sent internal mail. The affected messages were quarantined retrospectively via Unified Audit Log hunting, RejectDirectSend was enabled at the tenant level, and targeted user awareness communications were issued to the finance team. The entire detection-to-remediation cycle was completed within one working day.
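The header pattern described in the SOC monitoring section and again in this case study (AuthAs: Anonymous, an envelope sender in one of your own domains, and no DKIM-Signature) can be checked mechanically on exported messages. The following Python script is an added example, not code from the original post or from Precursor SOC; it assumes example.com as the accepted domain, treats the Return-Path header as the P1 envelope sender (falling back to From when Return-Path is absent), and turns the subject lines listed earlier in the article into date-pattern regexes (the "BACS" subject is used without the author's parenthetical expansion). All three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted domains. Replace with your own.
ACCEPTED_DOMAINS = {"example.com"}

# Subject lines observed in the article, with MM/DD/YYYY turned into a date pattern.
DATE = r"\d{2}/\d{2}/\d{4}"
FRAUD_SUBJECT_PATTERNS = [
    re.compile(rf"^Payroll Update - {DATE}$", re.IGNORECASE),
    re.compile(rf"^Mortgage Funds Release/{DATE}$", re.IGNORECASE),
    re.compile(rf"^Completion Funds Transfer/{DATE}$", re.IGNORECASE),
    re.compile(rf"^BACS Payment Authorisation/{DATE}$", re.IGNORECASE),
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address string, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str) -> dict:
    """Classify one raw message (headers + body) against the Direct Send pattern."""
    msg = message_from_string(raw_message)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    # Assumption: Return-Path carries the P1 envelope sender stamped at delivery.
    envelope_domain = domain_of(msg.get("Return-Path") or msg.get("From"))
    has_dkim = msg.get("DKIM-Signature") is not None
    subject = (msg.get("Subject") or "").strip()

    reasons = []
    if auth_as == "anonymous":
        reasons.append("accepted by EOP as Anonymous")
    if envelope_domain in ACCEPTED_DOMAINS:
        reasons.append(f"envelope sender claims internal domain {envelope_domain}")
    if not has_dkim:
        reasons.append("no DKIM-Signature header")

    return {
        # All three indicators together are the Direct Send signature; any one alone
        # is normal (external vendor mail is anonymous, internal mail may lack DKIM).
        "direct_send": len(reasons) == 3,
        "suspicious_subject": any(p.match(subject) for p in FRAUD_SUBJECT_PATTERNS),
        "envelope_domain": envelope_domain,
        "reasons": reasons,
    }


# Constructed sample: submitted anonymously to the MX endpoint using the firm's own domain.
SAMPLE_DIRECT_SEND = """\
Return-Path: <payroll@example.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Payroll <payroll@example.com>
To: finance@example.com
Subject: Payroll Update - 09/04/2025

Constructed sample body.
"""

# Constructed sample: genuine internal mail with the same subject, authenticated and DKIM-signed.
SAMPLE_INTERNAL = """\
Return-Path: <hr@example.com>
X-MS-Exchange-Organization-AuthAs: Internal
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; b=CONSTRUCTED
From: HR <hr@example.com>
To: finance@example.com
Subject: Payroll Update - 09/04/2025

Constructed sample body.
"""

# Constructed sample: ordinary unsigned external mail, anonymous but not claiming your domain.
SAMPLE_EXTERNAL = """\
Return-Path: <noreply@vendor.example.net>
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Vendor <noreply@vendor.example.net>
To: finance@example.com
Subject: Invoice 1042

Constructed sample body.
"""

if __name__ == "__main__":
    for name, raw in [("direct_send", SAMPLE_DIRECT_SEND),
                      ("internal", SAMPLE_INTERNAL),
                      ("external", SAMPLE_EXTERNAL)]:
        print(name, analyse(raw))
```

Run it over an .eml export or the header block pasted from a quarantined message; only the first sample is reported as Direct Send, while the legitimate payroll mail is not flagged despite its subject, and the external vendor message is not flagged despite being anonymous. The subject match is reported separately so the SOC can prioritise Direct Send hits that also carry one of the observed fraud subjects.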

Conclusion

Defending against Direct Send phishing requires three complementary controls applied in sequence. Enabling RejectDirectSend closes the unauthenticated submission path at the tenant level. Header-based hunting in Defender for Office 365 catches any messages that slip through before the control is in place - or from tenants where Direct Send must remain open for legitimate devices. SOC monitoring provides the continuous visibility layer that ensures neither of the first two controls develops a blind spot. Organisations that apply only one of these layers remain exposed; the combination is what makes Direct Send phishing detectable and blockable. Contact Precursor SOC to assess your M365 configuration and establish managed SOC phishing detection across your Exchange Online environment.


Frequently Asked Questions

1. What is Direct Send phishing in M365?

Direct Send phishing abuses Exchange Online's unauthenticated Direct Send submission path to deliver internal-looking emails, bypassing inline email controls.

2. Why use SOC monitoring to detect Direct Send exploitation?

It provides real-time detection of anomalies in Direct Send traffic, enhancing security operations by detecting exploitation and responding to attacks before they cause impact.

Expert Guidance

Upgrade your detection capability

Precursor's CREST-accredited SOC provides 24/7 managed detection and response, with a UK-based team you can call in an incident.