Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations
Essential information
- Published
- 18/08/2025 14:16
- Modified
- 18/08/2025 14:43
- Tags
- 2025-08-18 business email compromise credential-theft direct send email security microsoft 365 phishing spoofing
- Related entities
- 27 observables, 7 techniques (mitre)
Description
Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient addresses. The attack process involves identifying organizational domains, crafting emails impersonating internal users, and delivering them through Microsoft 365's infrastructure. Recent campaigns have successfully harvested credentials and established footholds within targeted environments. Attackers use automated tools to generate convincing business-themed lures, often utilizing PDF and DOCX attachments with QR codes or obfuscated HTML leading to phishing pages. The abuse of Direct Send represents a critical gap in email security defenses, particularly for organizations relying heavily on email communications.