Redazione RHC : 27 June 2025 08:08
A sophisticated phishing campaign has targeted over 70 organizations by exploiting Microsoft 365’s Direct Send feature. The campaign, which began in May 2025 and has shown steady activity over the past two months, primarily targets U.S.-based organizations across multiple industries and locations.
This new attack method, Varonis researchers report, allows threat actors to impersonate internal users and deliver phishing emails without having to compromise an account, bypassing traditional email security controls that typically examine external communications. What makes this attack particularly concerning is that it exploited a little-known Microsoft 365 feature that was designed for legitimate internal communications but lacked adequate authentication protections.
In these attacks, threat actors use M365’s Direct Send feature to target individual organizations with phishing messages that receive far less scrutiny than regular inbound email. Direct Send is a feature in Exchange Online designed to allow internal devices such as printers and applications to send email within a Microsoft 365 tenant without requiring authentication. The feature uses a smart host with a predictable format: tenantname.mail.protection.outlook.com.
The critical security flaw is the complete lack of authentication requirements. Attackers need only a few publicly available details to execute their campaigns: the target organization’s domain and valid recipient addresses. The Varonis forensics team observed attackers using PowerShell commands to send spoofed emails via the smart host. These emails appear to come from legitimate internal addresses despite being sent by unauthenticated external actors.
The attack process is remarkably simple. Once threat actors identify the valid domain and recipients, they can send spoofed emails that appear to come from inside the organization without ever logging in or entering the tenant. This simplicity makes Direct Send an attractive, low-effort vector for sophisticated phishing campaigns.
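The defensive counterpart to the technique described above is a header triage that asks the question the attack relies on nobody asking: does a message that claims an internal sender actually carry the authentication results an internal message should? The following Python is an added example written for this page, not code from Varonis, Microsoft or the campaign itself. It assumes a tenant domain of `example.com`, a trusted network range `198.51.100.0/24` for printers and other devices that legitimately use Direct Send, and constructed sample messages whose `Authentication-Results` headers imitate the verdicts Exchange Online Protection stamps on inbound mail (the IP addresses and addresses are invented).

```python
"""Triage inbound Microsoft 365 mail for spoofed "internal" senders.

Hypothetical detection helper (not Varonis' or Microsoft's code). It reads
the Authentication-Results header that the receiving edge adds and flags
messages whose From: claims the tenant's own domain but that arrived from
an external, unauthenticated source, which is what Direct Send abuse
looks like on the wire.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

TENANT_DOMAIN = "example.com"                      # assumed tenant domain
TRUSTED_DEVICE_NETS = [                            # assumed printer/app range
    ipaddress.ip_network("198.51.100.0/24"),
]

_SPF_RE = re.compile(r"\bspf=(\w+)", re.I)
_DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.I)
_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F:.]+)", re.I)


def parse_auth_results(value):
    """Extract spf/dmarc verdicts and the connecting IP from Authentication-Results."""
    def first(rx):
        m = rx.search(value)
        return m.group(1).lower() if m else None
    ip = _IP_RE.search(value)
    return {"spf": first(_SPF_RE), "dmarc": first(_DMARC_RE),
            "sender_ip": ip.group(1) if ip else None}


def classify(raw_message, tenant_domain=TENANT_DOMAIN, trusted_nets=TRUSTED_DEVICE_NETS):
    """Return 'external', 'internal-ok', 'internal-device' or 'suspect-direct-send'."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != tenant_domain:
        return "external"                  # not claiming to be us; out of scope here
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    if ar["spf"] == "pass" and ar["dmarc"] == "pass":
        return "internal-ok"               # authenticated as the domain it claims
    if ar["sender_ip"]:
        try:
            ip = ipaddress.ip_address(ar["sender_ip"])
        except ValueError:
            ip = None
        if ip and any(ip in net for net in trusted_nets):
            return "internal-device"       # expected unauthenticated Direct Send use
    # Internal From:, no authentication, and an unknown or missing source IP.
    return "suspect-direct-send"


# Constructed samples (all values invented for illustration).
SPOOFED_INTERNAL = """\
Received: from 203.0.113.45 (203.0.113.45) by
 example-com.mail.protection.outlook.com (10.0.0.1) with SMTP
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Voicemail waiting

Please review the attached voicemail.
"""

LEGIT_INTERNAL = """\
Authentication-Results: spf=pass (sender IP is 40.0.0.1)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch

See you at noon.
"""

DEVICE_INTERNAL = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.10)
 smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Printer <printer@example.com>
To: alice@example.com
Subject: Scanned document

Attached.
"""

EXTERNAL_VENDOR = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.7)
 smtp.mailfrom=vendor.example; dmarc=pass header.from=vendor.example
From: Vendor <billing@vendor.example>
To: alice@example.com
Subject: Invoice

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_INTERNAL), ("legit", LEGIT_INTERNAL),
                      ("device", DEVICE_INTERNAL), ("vendor", EXTERNAL_VENDOR)]:
        print(f"{name:8s} -> {classify(raw)}")
```

The `internal-device` bucket exists so the check can be deployed without breaking the printers and applications Direct Send was built for: anything unauthenticated from a known device range is tolerated, anything unauthenticated from elsewhere that claims the tenant's own domain is escalated. A message with no `Authentication-Results` header at all lands in the suspect bucket rather than being trusted by default. At the tenant level, Microsoft now offers an organization-wide `RejectDirectSend` setting on `Set-OrganizationConfig` for tenants that do not need unauthenticated Direct Send at all; where it is enabled, the header triage above becomes a backstop rather than the primary control.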