Precursor SOC detects Microsoft Direct Send Phishing

Introduction

Threat actors are increasingly exploiting a feature in M365, Direct Send, this allows phishing emails to appear to come from internal users, enabling invoice, payroll and conveyancing fraud. By abusing Direct Send, attackers can bypass common email authentication controls (SPF, DKIM, DMARC) and directly drop malicious messages into inboxes, increasing the likelihood of credential theft, data loss and fraud.

Note that this is different from typical “spoofing”.

What is Direct Send?

Direct Send is a feature in Microsoft Exchange Online that allows devices and applications (like scanners, multi-function printers, or business software) to send emails directly to recipients without authentication against the sending domain. While useful for business operations, this pathway can be misused if not tightly controlled.

How Cybercriminals Exploit It

Attackers abuse poorly secured or misconfigured Direct Send pathways to:

• Send phishing emails that appear internal – Messages seem to originate from the same corporate domain, adding credibility.

• Bypass authentication checks – Since Direct Send doesn’t enforce SPF/DKIM/DMARC, malicious emails can sneak past filtering solutions.

• Deliver malicious payloads – Often includes credential-harvesting links, fake invoice documents, or malware-laced attachments.

Subject lines Precursor SOC have observed

Precursor monitor various e-mail security appliances and solutions across various sectors and organisations in the UK & EMEA. We have observed the following subjects utilised to illicit fraud:

• Payroll Update – MM/DD/YYYY
• Mortgage Funds Release/MM/DD/YYYY
• Completion Funds Transfer/MM/DD/YYYY
• BACS Payment Authorisation/MM/DD/YYYY

From further intelligence research, Precursor also highlight that this is a continued trend in a similar campaign identified by Proofpoint.

It should also be noted that Direct Send e-mails do not traverse Mimecast.

Recommended Actions

• Enable “Reject Direct-Send” (Review if this is required anywhere first)
  
  • To enable the Reject Direct Send feature,Exchange Online Administrators can run the following PowerShell:
    
    • § Set-OrganizationConfig -RejectDirectSend $true
• Enforce email authentication (SPF, DKIM, DMARC)with strict DMARC reject and SPF hard fail policies.
• Review if your e-mail security solution has visibility of Direct Send e-mails.
• Monitor for suspicious email subject lines and escalate awareness of fraud e-mails.