September 4, 2025

Preventing Direct Send Phishing in M365 - Penetration Testing, SOC, and MDR Strategies

Precursor’s Security Operations Centre has observed a growing trend of attackers exploiting the Direct Send feature in Microsoft 365, making phishing emails look like they were sent from trusted internal accounts.


Introduction

Direct Send phishing in M365 has emerged as a highly concerning threat vector. Cybercriminals are exploiting Microsoft 365's Direct Send feature to send emails that appear to originate from internal sources, bypassing critical protections such as email filtering. This M365 Direct Send exploitation enables fraud such as fake invoices, payroll scams and credential theft, often evading traditional defences such as secure email gateways. Unlike standard spoofing, these attacks leverage internal delivery pathways, which gives them higher success rates.

This guide covers penetration testing of Direct Send weaknesses, SOC monitoring of Direct Send for real-time alerts, and MDR detection strategies for Direct Send phishing, so that you can protect your organisation.

Key Takeaways

• Direct Send phishing in M365 allows attackers to bypass secure email gateways, making it a prime method for internal-looking phishing and fraud such as payroll scams.

• SOC monitoring for Direct Send exploitation enables real-time anomaly detection.

• Common Direct Send fraud emails use subject lines such as "Payroll Update – MM/DD/YYYY".

• Enabling Reject Direct Send via PowerShell and enforcing email authentication can significantly reduce the risk of Direct Send abuse.

What is Direct Send?

Direct Send is a feature in Microsoft Exchange Online that allows devices and applications (like scanners, multi-function printers, or business software) to send emails directly to recipients without authentication against the sending domain. While useful for business operations, this pathway can be misused if not tightly controlled.

How Does it Differ From Traditional Spoofing?

Unlike traditional spoofing, which forges external emails, Direct Send phishing exploits internal delivery paths. This allows attackers to bypass SPF, DKIM and DMARC entirely, making detection harder. In penetration tests that exercise Direct Send, these messages are delivered at a high rate.

How Cybercriminals Exploit Direct Send

Attackers abuse poorly secured or misconfigured Direct Send pathways to:

• Send phishing emails that appear internal – Messages seem to originate from the same corporate domain, adding credibility.

• Bypass traditional defences – malicious emails can sneak past inline email security solutions.

• Deliver malicious payloads – Often includes credential-harvesting links, fake invoice documents, or malware-laced attachments.

Subject lines Precursor SOC have observed

Precursor monitors a range of e-mail security appliances and solutions across sectors and organisations in the UK and EMEA. We have observed the following subject lines used in fraud attempts:

  • Payroll Update – MM/DD/YYYY
  • Mortgage Funds Release/MM/DD/YYYY
  • Completion Funds Transfer/MM/DD/YYYY
  • BACS Payment Authorisation/MM/DD/YYYY

Further intelligence research shows that this continues a trend seen in a similar campaign identified by Proofpoint.

It should also be noted that Direct Send e-mails do not traverse Mimecast.

Exploitation Techniques

1. Attacker connects straight to your tenant’s MX and speaks SMTP.
They target the Exchange Online Protection MX for your domain, for example contoso-com.mail.protection.outlook.com, and set the envelope sender (P1 Mail From) and header From to your accepted domain, for example ceo@contoso.com. No credentials. No DKIM. This is the classic “Direct Send” submission path that Microsoft documents for printers and apps, and it is unauthenticated by design.

2. Exchange Online accepts the message as unauthenticated “Direct Send.”
Direct Send exists for devices and apps to send to your internal recipients without logging in. Microsoft’s recent guidance emphasises that Direct Send is specifically “anonymous messages sent from your own domain to your organisation’s mailboxes,” and that the domain evaluated is the P1 envelope sender.

3. Third-party gateways are bypassed when mail goes direct to Exchange Online.
If anyone on the internet connects to your Microsoft MX directly, the message does not pass through a perimeter SEG that sits in front of a different MX. This bypass scenario has been known for years and is why Microsoft and practitioners recommend controls inside Exchange Online as well.

4. The user sees a message that looks internal, which raises trust.
Recent campaigns abuse Direct Send to deliver messages that appear to come from colleagues or shared internal addresses. Vendors have reported widespread use of this method in July and August 2025, with messages often landing in Junk or Inbox depending on policy.

Recommended Actions

  • Enable “Reject Direct Send” (first review whether any device or application still relies on Direct Send).
    • To enable the feature, Exchange Online administrators can run the following PowerShell:
      • Set-OrganizationConfig -RejectDirectSend $true
  • Enforce email authentication (SPF, DKIM, DMARC) with a strict DMARC reject policy and SPF hard fail.
  • Review whether your e-mail security solution has visibility of Direct Send e-mails.
  • Monitor for suspicious email subject lines and raise user awareness of fraud e-mails.

Here's a PowerShell snippet to audit and secure Direct Send:

# Connect to Exchange Online (Exchange Online PowerShell module)
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

# Check the current setting, then enable Reject Direct Send
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

SOC Monitoring and Detection Strategies

For Direct Send, the message headers show that EOP accepted the message anonymously, for example X-MS-Exchange-Organization-AuthAs: Anonymous. A practical hunting approach in Defender for Office 365 is to query for messages whose SenderMailFromAddress is in one of your own domains and whose authentication context shows an anonymous submission.
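The same check can be run retrospectively over exported message headers (for example from "View message source") when a hunting query is not to hand. The following is an added example, not code from the original post: it assumes the accepted-domain list and the constructed sample headers shown, takes the P1 envelope sender from the Return-Path header, and matches the subject lines listed earlier in this post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted domains (replace with your own).
ACCEPTED_DOMAINS = {"contoso.com"}

# Subject lines reported in this post; the date portion is matched loosely.
SUBJECT_PATTERNS = [
    re.compile(r"^Payroll Update\s*[\u2013-]\s*\d{2}/\d{2}/\d{4}$", re.I),
    re.compile(r"^(Mortgage Funds Release|Completion Funds Transfer|"
               r"BACS Payment Authorisation)/\d{2}/\d{2}/\d{4}$", re.I),
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw: str) -> dict:
    """Flag an anonymous (Direct Send) submission that claims one of our domains."""
    msg = message_from_string(raw)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip()
    p1 = parseaddr(msg.get("Return-Path") or "")[1]   # envelope sender (P1 Mail From)
    p2 = parseaddr(msg.get("From") or "")[1]          # header From (P2)
    subject = (msg.get("Subject") or "").strip()
    return {
        "auth_as": auth_as,
        "p1": p1,
        "p2": p2,
        # Core indicator: EOP accepted it anonymously and the P1 domain is ours.
        "direct_send": auth_as.lower() == "anonymous" and _domain(p1) in ACCEPTED_DOMAINS,
        "p2_domain_internal": _domain(p2) in ACCEPTED_DOMAINS,
        "lookalike_subject": any(p.match(subject) for p in SUBJECT_PATTERNS),
    }


# Constructed sample headers (not real traffic): one Direct Send lure, one normal internal mail.
SAMPLE_DIRECT_SEND = """Return-Path: <ceo@contoso.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "CEO" <ceo@contoso.com>
To: finance@contoso.com
Subject: Payroll Update - 09/04/2025

"""

SAMPLE_INTERNAL = """Return-Path: <alice@contoso.com>
X-MS-Exchange-Organization-AuthAs: Internal
From: Alice <alice@contoso.com>
To: bob@contoso.com
Subject: Lunch on Friday?

"""
```

Run triage_headers over each exported message and escalate those where direct_send is true; lookalike_subject and p2_domain_internal raise the priority of the hit.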

Conclusion

Direct Send phishing in M365 is a serious threat. Organisations can effectively counter M365 Direct Send exploitation by disabling Direct Send and retrospectively hunting for emails whose AuthAs header is Anonymous.

Protect your M365 environment around the clock. Contact Precursor SOC.

FAQ

1. What is Direct Send phishing in M365?

  Direct Send phishing abuses the M365 Direct Send feature to deliver internal-looking emails, bypassing in-line email controls.

2. Why use SOC monitoring to detect Direct Send exploitation?

  It provides real-time detection of anomalies in Direct Send traffic, so that exploitation is detected and responded to before it has an effect.


Written by

Precursor Security
