Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Microsoft 365 Under Attack: How Hackers Use Direct Send to Send Phishing Emails

27 June 2025 08:08

A sophisticated phishing campaign has targeted over 70 organizations by exploiting Microsoft 365’s Direct Send feature. The campaign, which began in May 2025 and has shown steady activity over the past two months, primarily targets U.S.-based organizations across multiple industries and locations.

This new attack method, Varonis researchers report, allows threat actors to impersonate internal users and deliver phishing emails without having to compromise an account, bypassing traditional email security controls that typically examine external communications. What makes this attack particularly concerning is that it exploited a little-known Microsoft 365 feature that was designed for legitimate internal communications but lacked adequate authentication protections.

In these attacks, threat actors use M365’s Direct Send feature to target individual organizations with phishing messages that receive much less rigorous scrutiny than regular inbound email. Direct Send is a feature in Exchange Online designed to allow internal devices such as printers and applications to send email within a Microsoft 365 tenant without requiring authentication. The feature uses a smart host with a predictable format: tenantname.mail.protection.outlook.com.

The critical security flaw is the complete lack of authentication requirements. Attackers need only a few publicly available details to execute their campaigns: the target organization’s domain and valid recipient addresses. The Varonis forensics team observed attackers using PowerShell commands to send spoofed emails via the smart host. These emails appear to come from legitimate internal addresses despite being sent by unauthenticated external actors.

The attack process is remarkably simple. Once threat actors identify the valid domain and recipients, they can send spoofed emails that appear to come from inside the organization without ever logging in or entering the tenant. This simplicity makes Direct Send an attractive, low-effort vector for sophisticated phishing campaigns.
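For defenders, the pattern described above leaves a recognizable trace in message headers: the sender and recipient are both in the organization's domain, yet the message was submitted anonymously and fails sender authentication. The following triage check is an added example, not code from the article or from Varonis. It assumes the placeholder domain `contoso.example`, the Exchange Online headers `X-MS-Exchange-Organization-AuthAs` and `Authentication-Results`, and constructed sample messages.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "contoso.example"  # placeholder tenant domain (assumption)

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect method -> result pairs (spf, dkim, dmarc, ...) from the headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            parts = clause.split(None, 1)
            if parts and "=" in parts[0]:
                method, _, result = parts[0].partition("=")
                found.setdefault(method.lower(), result.lower())
    return found

def is_suspect_direct_send(raw, org_domain=ORG_DOMAIN):
    """True when an 'internal' message was in fact submitted unauthenticated."""
    msg = message_from_string(raw)
    looks_internal = (_domain(msg.get("From")) == org_domain
                      and _domain(msg.get("To")) == org_domain)
    anonymous = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "anonymous"
    res = auth_results(msg)
    auth_failed = res.get("spf") in {"fail", "softfail"} or res.get("dmarc") == "fail"
    return looks_internal and anonymous and auth_failed

def _sample(sender, auth_as, results):
    """Build a constructed message with the headers the check inspects."""
    return (f"From: {sender}\nTo: bob@{ORG_DOMAIN}\nSubject: Test\n"
            f"X-MS-Exchange-Organization-AuthAs: {auth_as}\n"
            f"Authentication-Results: {results}\n\nbody\n")

# Constructed samples, not captured traffic (203.0.113.7 is a documentation IP).
SPOOFED = _sample(f"Bob <bob@{ORG_DOMAIN}>", "Anonymous",
                  "spf=fail (sender IP is 203.0.113.7)\n smtp.mailfrom=contoso.example;"
                  " dkim=none;\n dmarc=fail action=none; compauth=fail reason=000")
INTERNAL = _sample(f"alice@{ORG_DOMAIN}", "Internal", "spf=pass; dkim=pass; dmarc=pass")
EXTERNAL = _sample("news@vendor.example", "Anonymous", "spf=pass; dkim=pass; dmarc=pass")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal", INTERNAL), ("external", EXTERNAL)]:
        print(name, is_suspect_direct_send(raw))
```

A legitimate device using Direct Send from an IP address covered by the domain's SPF record passes SPF and is not flagged, so hits from this check are candidates for review rather than confirmed phishing.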


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.