
Why Internal-Looking Emails Are Bypassing Your Security Controls
June 26, 2025
Microsoft 365 has become the backbone of communication and collaboration for countless businesses, including Small and Medium-sized Businesses (SMBs) in Houston. Its robust features are designed to enhance productivity and security. However, a lesser-known feature called ‘Direct Send’ is currently being actively exploited by phishing campaigns, allowing cybercriminals to send highly convincing, spoofed internal emails that bypass traditional security controls.
This is a critical concern because these emails appear to originate from within your organization, leveraging an inherent trust that can easily lead to credential theft, Business Email Compromise (BEC), or malware infection. It’s a new twist on an old threat, making your email inbox a more dangerous place.
Understanding Microsoft 365 ‘Direct Send’
‘Direct Send’ (also known as SMTP direct send) is a legitimate feature in Exchange Online (the email service within Microsoft 365) designed for specific internal uses. It allows devices and applications within a Microsoft 365 tenant to send emails without authentication.
Typical legitimate uses include:
- Printers, Scanners, and MFPs (Multi-Function Printers): Sending scanned documents directly to email addresses within the organization.
- Applications: Line-of-business applications sending automated notifications, reports, or alerts to internal users.
- On-premises Devices: Devices on your local network that need to send emails to Microsoft 365 mailboxes.
The key mechanism here is the use of a “smart host” (e.g., tenantname.mail.protection.outlook.com). Emails routed through this smart host are processed by Microsoft’s infrastructure and, crucially, are often treated as internal-to-internal traffic, which means they might be subject to less scrutiny than emails originating from completely external sources.
The Abuse: How Attackers Exploit ‘Direct Send’
Cybercriminals have discovered a way to abuse this lack of authentication and the “internal trust” it often implies. The attack is alarmingly simple yet highly effective:
- Reconnaissance: Attackers identify an organization’s Microsoft 365 domain and a valid recipient email address within that domain. They can often obtain this information from public sources or previous data breaches.
- Smart Host Identification: The smart host address follows a predictable pattern (tenantname.mail.protection.outlook.com), making it easy for attackers to guess or confirm.
- Spoofed Internal Emails: Using tools like PowerShell, attackers send emails from an external IP address directly to the target organization’s smart host. They can spoof the “From” address to appear as any internal user within the target organization (e.g., your CEO, IT department, HR, or a colleague).
- Bypassing Traditional Controls: Because the email is routed through Microsoft’s infrastructure and appears to originate from within the tenant (even though it came from an external, unauthenticated source), it can bypass traditional email security controls that typically focus on external sender reputation, SPF, DKIM, and DMARC checks. While these emails often fail SPF/DMARC, they are still accepted and delivered internally via the smart host due to its design for internal-only, unauthenticated sending.
- Malicious Payload Delivery: These spoofed emails then deliver common phishing payloads, such as:
  - Credential Phishing: Emails designed to look like voicemail notifications or urgent internal updates, often containing PDF attachments with QR codes or links directing recipients to fake Microsoft 365 login pages.
  - Malware Delivery: Attachments that, if opened, install ransomware, spyware, or other malicious software.
  - Business Email Compromise (BEC): Emails impersonating executives or finance personnel, requesting urgent wire transfers or sensitive data, leveraging the perceived internal source for credibility.
Recent campaigns observed by security firms show these attacks primarily targeting organizations in the U.S. across sectors like financial services, manufacturing, construction, engineering, healthcare, and insurance.
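A defender's hunting query for the pattern described above, added here as an example and not part of the original post: it pulls recent message trace entries whose sender address is in your own domain but which were handed to the tenant from an IP outside the ranges where your legitimate Direct Send devices sit. It assumes an Exchange Online PowerShell session is already connected, and uses contoso.com and 198.51.100.0/24 as placeholders for your accepted domain and your trusted device range.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run. Placeholders: contoso.com (your accepted domain) and
# 198.51.100.0/24 (the only range your own MFPs/apps legitimately relay from).
$Domain       = "contoso.com"
$TrustedCidrs = @("198.51.100.0/24")

function ConvertTo-IpInt([string]$Ip) {
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # IPv4 only here
    $net, $bits = $Cidr.Split('/')
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

# Message trace keeps 10 days online; FromIP is the connecting server's IP.
# Mailbox-to-mailbox mail inside the tenant typically carries no FromIP, so an
# internal sender address paired with an unknown external FromIP is the Direct
# Send spoof pattern. Legitimate SMTP AUTH submissions from unlisted IPs will
# also surface: triage those and add their ranges to $TrustedCidrs.
$end   = Get-Date
$start = $end.AddDays(-10)
$suspect = Get-MessageTrace -StartDate $start -EndDate $end -SenderAddress "*@$Domain" -PageSize 5000 |
    Where-Object {
        $ip = $_.FromIP
        if (-not $ip) { return $false }
        $trusted = $false
        foreach ($c in $TrustedCidrs) { if (Test-IpInCidr $ip $c) { $trusted = $true } }
        -not $trusted
    }

$suspect |
    Sort-Object Received -Descending |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, Subject |
    Format-Table -AutoSize
```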
Why This Threat Is So Dangerous for Houston SMBs
For SMBs in Houston, the ‘Direct Send’ abuse is particularly concerning due to several factors:
- Bypassed Trust: Employees are inherently more likely to trust an email that appears to come from a colleague or an internal department than an external one. This drastically increases the likelihood of them falling for the scam.
- Reduced Scrutiny: Because the emails appear internal, they may receive less scrutiny from both automated email filters and human users, allowing malicious content to reach inboxes and be acted upon.
- No Compromised Accounts Needed: Crucially, attackers don’t need to compromise an actual account within your Microsoft 365 tenant to execute this attack, making it harder to detect the initial intrusion.
- Data Exfiltration Risk: If the phishing leads to credential theft, attackers can then access and exfiltrate sensitive company data from your Microsoft 365 environment.
- Disruption and Financial Loss: Successful attacks can lead to financial fraud (e.g., BEC), data breaches, and significant operational downtime for your business.
Protecting Your Houston SMB from ‘Direct Send’ Abuse
Combating this specific threat requires proactive configuration and enhanced vigilance:
- Enable “Reject Direct Send” Setting (Exchange Admin Center): Microsoft introduced a “Reject Direct Send” setting in Exchange Online (Public Preview around April 2025). If your organization does not rely on Direct Send for internal devices or applications, enable this setting immediately. This will block any traffic that meets the conditions of anonymous messages sent from your own domain to your organization’s mailboxes.
- Implement a Strict DMARC Policy (p=reject): While Direct Send abuse can sometimes bypass SPF/DMARC initial checks upon delivery, a strong DMARC policy with p=reject instructs recipient mail servers to outright reject emails that fail DMARC authentication. This helps prevent your domain from being spoofed externally and can also help with some Direct Send abuse scenarios if misconfigurations exist.
- Enforce SPF “Hard Fail” (All Domains): Configure your Sender Policy Framework (SPF) record to use a “hard fail” (e.g., -all instead of ~all). This instructs recipient servers to reject emails that don’t originate from your authorized senders.
- Strengthen Anti-Spoofing Policies in Exchange Online Protection (EOP): Review and tighten your anti-spoofing policies within Microsoft 365 Defender to specifically target internal domain spoofing.
- Utilize Transport Rules to Flag Internal Spoofing: Create Exchange Online mail flow rules to flag, quarantine, or even reject emails that appear to originate from an internal sender but come from an external, unauthorized IP address or source. You can configure rules to add a warning banner to such emails for user awareness.
- Implement Advanced Email Security Gateways (SEG): Consider using a third-party email security gateway that offers more advanced threat detection capabilities, including sophisticated impersonation detection and behavioral analysis, beyond Microsoft’s built-in EOP. Ensure all inbound mail flows through this gateway.
- Continuous Security Awareness Training:
  - Focus on Impersonation: Train employees specifically on the dangers of internal email spoofing and how to recognize red flags (even if the “From” address looks perfect).
  - Out-of-Band Verification: Reinforce the critical importance of verifying any unusual or urgent requests (especially those involving money or sensitive data) through a different, known communication channel (e.g., a phone call to a verified number, or an in-person conversation). Never reply directly to a suspicious email.
  - QR Code Awareness: Educate employees about QR code phishing (“quishing”), as attackers are using these in PDF attachments to bypass URL scanning.
  - Report Suspicious Emails: Emphasize that employees should immediately report any suspicious email, regardless of how legitimate it appears.
- Multi-Factor Authentication (MFA) Everywhere: As always, MFA is a critical layer of defense. While Direct Send abuse doesn’t require compromising an account initially, it often leads to credential phishing, where MFA would block access.
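The first three controls above (reject Direct Send, check DMARC and SPF, add a spoof-flagging mail flow rule) in Exchange Online PowerShell, added as an example rather than taken from the original post. It assumes the ExchangeOnlineManagement module is installed, that contoso.com (placeholder) is your accepted domain, that 198.51.100.0/24 (placeholder) is the only range where legitimate unauthenticated senders remain, and it uses the Set-OrganizationConfig -RejectDirectSend parameter that accompanies the preview setting.

```powershell
# Added example, not from the original post. Placeholders: contoso.com and
# 198.51.100.0/24. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline
$Domain = "contoso.com"

# 1. Check DNS posture first: SPF should end in -all and DMARC should carry p=reject.
$spf   = (Resolve-DnsName -Name $Domain -Type TXT).Strings | Where-Object { $_ -like 'v=spf1*' }
$dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT).Strings -join ''
if ($spf -notmatch '\s-all$')    { Write-Warning "SPF is not a hard fail: $spf" }
if ($dmarc -notmatch 'p=reject') { Write-Warning "DMARC policy is not p=reject: $dmarc" }

# 2. Block anonymous Direct Send tenant-wide. Do this only after moving any
#    printers or apps that relay through contoso-com.mail.protection.outlook.com
#    to SMTP AUTH client submission or to an inbound connector locked to their IPs.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend

# 3. Defense in depth: flag mail that uses your domain as the sender but was not
#    received over an authenticated connection or connector (FromScope
#    NotInOrganization), exempting the range where known devices live.
#    Start in Audit mode, review what it matches, then switch -Mode to Enforce.
New-TransportRule -Name "Flag unauthenticated mail using internal domain" `
    -SenderDomainIs $Domain `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges "198.51.100.0/24" `
    -PrependSubject "[CAUTION: external source, internal address] " `
    -SetSCL 6 `
    -Mode Audit `
    -Priority 0
```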
The exploitation of Microsoft 365’s ‘Direct Send’ feature represents a sophisticated and concerning evolution in phishing tactics. For Houston SMBs, remaining vigilant and implementing the right security configurations are paramount to protecting your employees and your data from these insidious, internal-looking threats. Krypto IT specializes in optimizing Microsoft 365 security and providing the expert guidance needed to combat the latest cyber threats.
Don’t let the trust in your internal communications be weaponized against your business.
Contact us today to schedule a free consultation and ensure your Microsoft 365 environment is secured against this critical vulnerability.