
Hackers Exploit Microsoft 365 Direct Send Feature in New Phishing Campaign
Cybercriminals have discovered a way to abuse a lesser-known Microsoft 365 email feature called “Direct Send” to carry out a new wave of phishing attacks, according to a report from BleepingComputer. The feature, typically used by on-premises devices like printers and scanners to send emails via an organization’s domain, has become a new vector for malicious actors targeting businesses.
Security firm Varonis reports that attackers are now leveraging Direct Send to deliver phishing emails that appear to originate from trusted internal sources. These messages often contain links to fake Microsoft login forms designed to steal user credentials. Once a recipient enters their login details, the attackers harvest those credentials, opening the door to potential data breaches and unauthorized access.
Since May 2025, the phishing campaign has compromised approximately 70 organizations, primarily located in the United States. The attack’s success relies heavily on Direct Send being usable to impersonate official senders when it lacks proper security configuration.
While Microsoft maintains that Direct Send is secure when used correctly, the company emphasizes that the feature should only be implemented by experienced IT administrators. Improper configuration—particularly the failure to lock down the organization’s smart host—can leave email systems exposed to spoofing and misuse.
To help mitigate these risks, Microsoft introduced a new Exchange Admin Center setting in April 2025 called “Reject Direct Send.” This setting allows administrators to block unauthorized use of Direct Send, preventing exploitation in environments that don’t require the feature. Security experts recommend enabling this option unless Direct Send is absolutely necessary and properly secured.




