Attackers are abusing Microsoft 365's Direct Send feature to deliver phishing messages that look like internal communications.
Direct Send is a legitimate Microsoft 365 option that lets multifunction printers and legacy applications deliver mail to a tenant's own users by connecting to the tenant's MX endpoint without authenticating. That same design lets an outside party submit messages that appear to originate inside the organization and that sidestep controls tuned for external senders.
The campaign is notable because the attacker needs no valid credentials or other authentication: a forged internal sender address is accepted simply because the message is addressed to the tenant's own recipients.
Because the messages inherit the trust users place in internal mail, they are more convincing than ordinary external phishing and harder for security teams to pick out.
Proofpoint researchers identified the active campaign targeting Microsoft 365 tenants; it runs through a chain of unsecured third-party email security appliances and rented virtual private servers.
The operation is another instance of attackers routing abuse through legitimate cloud services so that it blends in with expected traffic and raises the success rate of their social engineering.
Technical Attack Infrastructure and Message Injection Flow
The attack follows a four-step path through several layers of email infrastructure.
Attackers first connect over Remote Desktop Protocol (TCP port 3389) to virtual hosts running Windows Server 2022, giving them disposable Windows systems to operate from.
Attack flow (Source – Proofpoint)
From those hosts they open SMTP connections to unsecured third-party email security appliances hosted at regional Infrastructure-as-a-Service providers.
The compromised appliances act as SMTP relays: their SMTP interface presents a valid DigiCert TLS certificate and offers AUTH PLAIN and AUTH LOGIN over STARTTLS.
The same appliances also expose services on ports 8008, 8010, and 8015 behind expired or self-signed certificates, a sign of neglected maintenance and the kind of gap the attackers exploit.
The appliances relay the messages straight to the target tenants' Microsoft 365 MX endpoints, where Direct Send accepts them with a spoofed internal sender address and delivers them as if a printer or line-of-business application had sent them.
Organizations can close this path immediately with the Exchange Online PowerShell cmdlet Set-OrganizationConfig -RejectDirectSend $true, which makes the tenant refuse unauthenticated submissions claiming one of its accepted domains unless they arrive through a configured inbound connector. Before enabling it, inventory the printers, scanners and legacy applications that rely on Direct Send and move them to authenticated SMTP client submission or to an inbound connector, because they will be rejected too.
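The following Exchange Online PowerShell session is an added example, not code from the article or from Proofpoint. It inventories inbound connectors, enables Reject Direct Send, re-reads the setting to confirm it applied, and then offers an optional end-to-end check that sends one unauthenticated message to the tenant's own MX endpoint from an external host. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Exchange Administrator role, and that contoso.com, admin@contoso.com and alice@contoso.com are placeholder values; the MX hostname is passed in rather than resolved so the check also runs on non-Windows PowerShell.

```powershell
# Added example (not from the article or Proofpoint): reject Direct Send on an
# Exchange Online tenant, verify the change, and optionally test it end to end.
# Assumptions: ExchangeOnlineManagement module installed; account has the Exchange
# Administrator role; contoso.com / admin@contoso.com / alice@contoso.com are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# 1. Inventory what legitimately depends on unauthenticated inbound mail BEFORE changing
#    anything. Sources covered by an inbound connector keep working; devices that send
#    straight to the MX endpoint with no connector will start being rejected.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, RequireTls,
                  @{ n = 'SenderIPs'; e = { $_.SenderIPAddresses -join ',' } } |
    Format-Table -AutoSize

# 2. Record the current state, flip the switch, then re-read it rather than trusting the
#    cmdlet returned without error.
$before = (Get-OrganizationConfig).RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true
$after  = (Get-OrganizationConfig).RejectDirectSend
"RejectDirectSend: $before -> $after"
if (-not $after) { throw 'RejectDirectSend did not apply; check the role assignment and retry.' }

Disconnect-ExchangeOnline -Confirm:$false

# 3. Optional end-to-end check. Run it from a host OUTSIDE the tenant's connector IP ranges
#    (and on a network that allows outbound TCP 25): an unauthenticated submission to the
#    tenant's MX endpoint that claims an internal sender is exactly what Direct Send used
#    to accept, and should now fail with a 5.x.x SMTP response. Send only to your own mailbox.
function Test-DirectSendRejected {
    param(
        [Parameter(Mandatory)][string]$MxHost,    # e.g. from Resolve-DnsName <domain> -Type MX
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Mailbox
    )
    try {
        # No -Credential on purpose: this is the unauthenticated path the article describes.
        Send-MailMessage -SmtpServer $MxHost -Port 25 -UseSsl `
            -From "it-helpdesk@$Domain" -To $Mailbox `
            -Subject 'Direct Send control test' `
            -Body 'If you can read this, Direct Send is still accepted from this source IP.' `
            -ErrorAction Stop -WarningAction SilentlyContinue
        Write-Warning 'Accepted: Reject Direct Send is NOT in effect for this source IP.'
        return $false
    } catch {
        "Rejected as expected: $($_.Exception.Message)"
        return $true
    }
}

# Test-DirectSendRejected -MxHost 'contoso-com.mail.protection.outlook.com' -Domain 'contoso.com' -Mailbox 'alice@contoso.com'
```

The inventory step matters more than the one-line setting: every device that appears in the rejected-mail queue after the change is a candidate for SMTP AUTH client submission (port 587 with a dedicated mailbox) or for an inbound connector scoped to its source IP, and neither of those is affected by RejectDirectSend.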
Additionally, Exchange Online Protection stamps every inbound message with an Authentication-Results header whose composite authentication result (compauth=fail, followed by a reason code) identifies mail that failed SPF, DKIM and DMARC evaluation. Alerting on compauth=fail combined with a From: address in one of the tenant's own domains surfaces these spoofing attempts before users act on them; expect legitimate Direct Send devices to trip the same check until their source IPs are added to the domain's SPF record.
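The script below is an added example, not code from the article or from Proofpoint. It parses the Authentication-Results header on a few raw messages, extracts the composite authentication verdict and reason code, and flags messages that fail while claiming a sender in one of the tenant's own domains. The three messages are constructed for this example (RFC 5737 documentation IPs, placeholder domains contoso.com and fabrikam.com), and $acceptedDomains stands in for the tenant's real Get-AcceptedDomain output; the reason-code meanings are the two failure codes Microsoft documents for compauth.

```powershell
# Added example (not from the article or Proofpoint): flag compauth=fail messages whose
# From: domain belongs to the tenant. Sample headers are constructed; contoso.com and
# fabrikam.com are placeholder accepted domains.

$acceptedDomains = @('contoso.com', 'fabrikam.com')   # assumption: stands in for Get-AcceptedDomain

# Microsoft's documented meaning of the two compauth failure reason codes.
$reasonText = @{
    '000' = 'explicit authentication failed (DMARC fail with a reject/quarantine policy)'
    '001' = 'implicit authentication failed (no or weak SPF/DMARC policy for the domain)'
}

function Get-CompAuthVerdict {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string[]]$AcceptedDomains = $acceptedDomains
    )
    # Unfold RFC 5322 continuation lines (a line starting with space or tab continues the
    # previous header); Authentication-Results is usually folded in real messages.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $authResults = [regex]::Match($unfolded, '(?im)^Authentication-Results:\s*(.+?)\s*$').Groups[1].Value
    $field = {
        param([string]$Pattern)
        $m = [regex]::Match($authResults, $Pattern)
        if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    $compauth = & $field 'compauth=(\w+)'
    $reason   = & $field 'reason=(\d{3})'
    $senderIp = & $field 'sender IP is ([0-9A-Fa-f.:]+)'
    $spf      = & $field 'spf=(\w+)'
    $dmarc    = & $field 'dmarc=(\w+)'

    $fromMatch = [regex]::Match($unfolded, '(?im)^From:.*?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)')
    $fromAddr  = if ($fromMatch.Success) { $fromMatch.Groups[1].Value } else { $null }
    $fromDom   = if ($fromAddr) { $fromAddr.Split('@')[1] } else { $null }
    $claimsInternal = [bool]($fromDom -and ($AcceptedDomains -contains $fromDom))

    # Direct Send spoofs land in INTERNAL-SPOOF: an internal From: domain, no DKIM, and an
    # SPF/DMARC failure because the relay's IP is not in the tenant's SPF record.
    if ($null -eq $compauth)                                { $verdict = 'NO-COMPAUTH' }
    elseif ($compauth -eq 'fail' -and $claimsInternal)      { $verdict = 'INTERNAL-SPOOF' }
    elseif ($compauth -eq 'fail')                           { $verdict = 'EXTERNAL-AUTHFAIL' }
    else                                                    { $verdict = 'PASS' }

    [pscustomobject]@{
        From     = $fromAddr
        SenderIP = $senderIp
        SPF      = $spf
        DMARC    = $dmarc
        CompAuth = $compauth
        Reason   = $reason
        Meaning  = if ($reason -and $reasonText.ContainsKey($reason)) { $reasonText[$reason] } else { '' }
        Verdict  = $verdict
    }
}

# Constructed sample messages (headers only). The first one has a folded
# Authentication-Results header to exercise the unfolding step.
$samples = @(
@'
From: "Finance" <cfo@contoso.com>
To: alice@contoso.com
Subject: Updated wire instructions
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com;compauth=fail reason=000
'@,
@'
From: "Weekly Digest" <news@example.net>
To: alice@contoso.com
Subject: This week at example.net
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=example.net; dkim=pass (signature was verified) header.d=example.net;dmarc=pass action=none header.from=example.net;compauth=pass reason=100
'@,
@'
From: "Lobby Printer" <scanner@fabrikam.com>
To: alice@contoso.com
Subject: Scanned document
Authentication-Results: spf=fail (sender IP is 192.0.2.200) smtp.mailfrom=fabrikam.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=fabrikam.com;compauth=fail reason=001
'@
)

$results = $samples | ForEach-Object { Get-CompAuthVerdict -RawHeaders $_ }
$results | Format-Table From, SenderIP, SPF, DMARC, CompAuth, Reason, Verdict -AutoSize

# Only the flagged ones, in the shape a SIEM rule or transport rule would act on.
$results | Where-Object Verdict -eq 'INTERNAL-SPOOF' | ForEach-Object {
    "ALERT: $($_.From) from $($_.SenderIP) compauth=$($_.CompAuth) reason=$($_.Reason) ($($_.Meaning))"
}
```

The third sample is the false-positive case the text warns about: a real printer sending through Direct Send from an IP that is not in the domain's SPF record produces the same compauth=fail as the spoofed CFO message, so the alert should be triaged against a list of known device IPs (or the device fixed) rather than treated as proof of attack. The same match, Authentication-Results header contains "compauth=fail" and sender domain is an accepted domain, can be expressed as an Exchange Online mail flow rule that prepends a warning or routes the message to quarantine.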
The post Hackers Abuse Microsoft 365’s Direct Send Feature to Deliver Internal Phishing Attacks appeared first on Cyber Security News.