Precursor’s Security Operations Centre has observed a growing trend of attackers exploiting the Direct Send feature in Microsoft 365, making phishing emails look like they were sent from trusted internal accounts.
Direct Send phishing in M365 has emerged as a highly concerning threat vector. Cybercriminals are exploiting Microsoft 365's Direct Send feature to send emails that appear to originate from internal sources, bypassing critical protections such as email filtering. This M365 Direct Send exploitation enables fraud such as fake invoices, payroll scams and credential theft, often evading traditional defences such as secure email gateways. Unlike standard spoofing, these attacks leverage internal delivery pathways and therefore achieve higher success rates.
This guide explores penetration testing of Direct Send weaknesses, SOC monitoring of Direct Send for real-time alerts, and MDR detection strategies for Direct Send phishing, to protect your organisation.
• Direct Send phishing in M365 allows attackers to bypass secure email gateways, making it a prime method for internal phishing in M365 and fraud such as payroll scams.
• SOC monitoring for Direct Send exploitation enables real-time anomaly detection.
• Common Direct Send fraud emails use subject lines like "Payroll Update – MM/DD/YYYY".
• Implementing Reject Direct Send via PowerShell and enforcing authentication can significantly reduce the risks associated with Direct Send abuse.
Direct Send is a feature in Microsoft Exchange Online that allows devices and applications (like scanners, multi-function printers, or business software) to send emails directly to recipients without authentication against the sending domain. While useful for business operations, this pathway can be misused if not tightly controlled.
Unlike traditional spoofing, which forges external emails, Direct Send phishing exploits internal delivery paths. This allows attackers to bypass SPF, DKIM and DMARC entirely, making detection harder. In penetration testing of Direct Send scenarios, high success rates are achieved.
Attackers abuse poorly secured or misconfigured Direct Send pathways to:
• Send phishing emails that appear internal – Messages seem to originate from the same corporate domain, adding credibility.
• Bypass traditional defences – malicious emails can sneak past inline email security solutions.
• Deliver malicious payloads – Often includes credential-harvesting links, fake invoice documents, or malware-laced attachments.
Precursor monitors various e-mail security appliances and solutions across a range of sectors and organisations in the UK and EMEA. We have observed the following subject lines used in fraud attempts:
From further intelligence research, Precursor also highlights that this is a continuation of a similar campaign identified by Proofpoint.
It should also be noted that Direct Send e-mails do not traverse Mimecast.
1. The attacker connects straight to your tenant's MX and speaks SMTP.
They target the Exchange Online Protection MX for your domain, for example contoso-com.mail.protection.outlook.com, and set the envelope sender (P1 Mail From) and header From to your accepted domain, for example ceo@contoso.com. No credentials. No DKIM. This is the classic "Direct Send" submission path that Microsoft documents for printers and apps, and it is unauthenticated by design.
2. Exchange Online accepts the message as unauthenticated “Direct Send.”
Direct Send exists for devices and apps to send to your internal recipients without logging in. Microsoft’s recent guidance emphasises that Direct Send is specifically “anonymous messages sent from your own domain to your organisation’s mailboxes,” and that the domain evaluated is the P1 envelope sender.
3. Third-party gateways are bypassed when mail goes direct to Exchange Online.
If anyone on the internet connects to your Microsoft MX directly, the message does not pass through a perimeter SEG you might have in front of a different MX. This bypass scenario has been known for years and is why Microsoft and practitioners recommend controls inside Exchange Online as well.
4. The user sees a message that looks internal, which raises trust.
Recent campaigns abuse Direct Send to deliver messages that appear to come from colleagues or shared internal addresses. Vendors have reported widespread use of this method in July and August 2025, with messages often landing in Junk or Inbox depending on policy.
Here's a PowerShell code snippet to audit and secure Direct Send:
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement)
Import-Module ExchangeOnlineManagement
# Connect to Exchange Online (replace with your own admin account)
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
# Check the current setting: $false means unauthenticated Direct Send is still accepted
Get-OrganizationConfig | Select-Object RejectDirectSend
# Reject unauthenticated Direct Send for the whole tenant
Set-OrganizationConfig -RejectDirectSend $true
# Confirm the change took effect
Get-OrganizationConfig | Select-Object RejectDirectSend
For Direct Send, message headers will show that the message was accepted anonymously by EOP, for example X-MS-Exchange-Organization-AuthAs: Anonymous. A practical hunting approach in Defender for Office 365 is to query messages where SenderMailFromAddress matches one of your own domains and the auth context shows anonymous submission.
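The same hunt can be run retrospectively over exported message headers. The following is an added example, not Precursor's code: it applies the page's two criteria (AuthAs: Anonymous, and an envelope or header From domain that is one of your own accepted domains) to raw header text. The accepted domain and the three sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

ACCEPTED_DOMAINS = {"contoso.com"}  # constructed placeholder; use your tenant's accepted domains


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def is_direct_send(raw_message, accepted_domains=ACCEPTED_DOMAINS):
    """True when EOP accepted the message anonymously (AuthAs: Anonymous) while the
    envelope sender (Return-Path, the P1 Mail From) or header From claims our domain."""
    msg = email.message_from_string(raw_message)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    if auth_as != "anonymous":
        return False  # authenticated internal/partner mail, or header not present
    claimed = {domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))}
    return bool(claimed & {d.lower() for d in accepted_domains})


def hunt(raw_messages, accepted_domains=ACCEPTED_DOMAINS):
    """Return (Subject, From) for each message matching the Direct Send pattern."""
    hits = []
    for raw in raw_messages:
        if is_direct_send(raw, accepted_domains):
            msg = email.message_from_string(raw)
            hits.append((msg.get("Subject"), msg.get("From")))
    return hits


# Constructed sample headers (not real captures): a Direct Send phish, an
# authenticated internal message, and ordinary external inbound mail.
DIRECT_SEND = """Return-Path: <ceo@contoso.com>
From: CEO <ceo@contoso.com>
Subject: Payroll Update - 08/12/2025
X-MS-Exchange-Organization-AuthAs: Anonymous
"""
AUTHENTICATED_INTERNAL = """Return-Path: <ceo@contoso.com>
From: CEO <ceo@contoso.com>
Subject: Board pack
X-MS-Exchange-Organization-AuthAs: Internal
"""
ORDINARY_INBOUND = """Return-Path: <bounce@example.net>
From: Vendor <sales@example.net>
Subject: Quote
X-MS-Exchange-Organization-AuthAs: Anonymous
"""
SAMPLES = [DIRECT_SEND, AUTHENTICATED_INTERNAL, ORDINARY_INBOUND]
```

Expect hits from legitimate printers and line-of-business apps as well; those are the senders to migrate to authenticated submission before enabling RejectDirectSend.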
Direct Send phishing in M365 is a serious threat, but organisations can effectively counter M365 Direct Send exploitation by rejecting Direct Send and retrospectively hunting for emails whose AuthAs header is Anonymous.
Protect your M365 environment around the clock. Contact Precursor SOC.
1. What is Direct Send phishing in M365?
Direct Send phishing exploits M365's feature to send internal-looking emails, enabling M365 Direct Send exploitation and bypassing in-line email controls.
2. Why use SOC monitoring to detect Direct Send exploitation?
It provides real-time detection of anomalies in Direct Send traffic, enhancing security operations by detecting exploitation and responding to attacks before they cause an impact.
Choose Precursor Security for penetration testing excellence—where industry-leading expertise, CREST accreditation, and a client-focused approach converge to fortify your digital defences with precision and reliability.
We have a CREST accredited Security Operations Centre and all of our penetration testers are CREST certified.
We are accredited to the highest of standards including CREST, ISO27001, ISO9001 and Cyber Essentials Plus.
Our experts have a combined experience of over 30 years delivering security operations to sectors such as healthcare, financial services, aerospace and more.