The Varonis Managed Data Detection and Response (MDDR) forensic team has uncovered a sophisticated phishing campaign that uses Microsoft’s “Direct Send” feature to spoof internal users and deliver phishing emails without ever needing to compromise an account.

According to researchers at Varonis, this campaign, which has been active since May 2025, has targeted over 70 organizations—primarily in the United States—by abusing a function meant to help devices like printers send emails without authentication. This function is now being manipulated by threat actors to send deceptive emails that appear to come from within an organization, all without breaching a single account.

“The simplicity of this attack is what makes it so dangerous,” said Michael Solomon, who led forensic analysis at Varonis. “You don’t need credentials, malware, or even access to the target environment. All you need is a public IP and a basic PowerShell script.”

How The Attack Works

Direct Send is a feature in Microsoft Exchange Online that allows devices and applications to send emails within a Microsoft 365 tenant without authentication using a smart host (e.g., tenantname.mail.protection.outlook.com). It was designed for internal use and requires no login credentials.

This creates an opportunity for attackers: if they can identify the tenant domain and guess a valid email address (a common format like first.last@company.com), they can send spoofed emails that appear to originate from inside the organization, without ever logging in or touching the tenant.

Since these spoofed messages are routed through Microsoft infrastructure, they often bypass email filters that rely on sender authentication, reputation, or external routing cues. As a result, the emails appear to be legitimate internal messages.

PowerShell Makes It Easy

To launch the attacks, the threat actors used simple PowerShell scripts to send spoofed emails via Direct Send. The messages mimicked legitimate internal alerts, often with subjects like “New Missed Fax-msg” or “Caller Left VM Message,” and typically carried PDF attachments disguised as voicemails. The PDFs contained QR codes that redirected users to credential-harvesting sites.

Varonis’ MDDR Forensics team linked multiple instances based on similarities in sender IP addresses, message content, and behavior. One real-world example involved email activity originating from a Ukrainian IP address without any login attempts—an unusual pattern that pointed to Direct Send abuse.

Why These Emails Evade Detection

Several factors allow these messages to evade traditional security tools:

  • No authentication is required to send via Direct Send.
  • Emails appear to originate from inside the organization.
  • They fail SPF, DKIM, and DMARC checks but may still be delivered.
  • Microsoft’s filtering may treat these as internal-to-internal messages.

Detecting these attacks involves closely inspecting email headers for unusual signs, such as an external IP address connecting to the tenant's smart host and failed authentication checks (SPF, DKIM, and DMARC) on a message whose From address is internal. Other behavioral red flags include self-addressed messages (a user apparently sending mail to their own address), messages sent using PowerShell, and email activity originating from unexpected or foreign locations.
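The header checks described above, as an added example that is not part of the Varonis write-up: it scores a raw message against the Direct Send spoofing pattern (internal-looking From, self-addressed, SPF/DMARC not passing, untrusted IP at the smart host). The tenant domain, the trusted printer range and the two sample messages are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample headers (not real traffic). SPOOFED mimics the campaign:
# internal-looking From, self-addressed, external IP at the smart host,
# SPF/DMARC failing. LEGIT is a scanner sending from an allow-listed IP.
SPOOFED = """\
Received: from 203.0.113.45 (203.0.113.45) by contoso.mail.protection.outlook.com with Microsoft SMTP Server
From: jane.doe@contoso.com
To: jane.doe@contoso.com
Subject: New Missed Fax-msg
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=none header.from=contoso.com
"""
LEGIT = """\
Received: from 198.51.100.20 (198.51.100.20) by contoso.mail.protection.outlook.com with Microsoft SMTP Server
From: scanner@contoso.com
To: jane.doe@contoso.com
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=contoso.com; dkim=none; dmarc=pass action=none header.from=contoso.com
"""
TENANT = "contoso.com"                                   # hypothetical tenant
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]     # hypothetical printer range
SMART_HOST = ".mail.protection.outlook.com"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def smart_host_sender_ip(msg):
    """IP that connected to the tenant's smart host, read from that Received hop."""
    for hop in msg.get_all("Received") or []:
        if SMART_HOST in hop and (m := IP_RE.search(hop)):
            return ipaddress.ip_address(m.group(1))
    return None


def direct_send_flags(raw, tenant=TENANT, trusted=TRUSTED):
    """Red flags a message shows for the Direct Send spoofing pattern (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    recipient = str(msg.get("To", "")).lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    if not sender.endswith("@" + tenant):
        return []  # genuinely external sender: out of scope for this pattern
    flags = [c + "_not_pass" for c in ("spf", "dmarc") if c + "=pass" not in auth]
    if sender == recipient:
        flags.append("self_addressed")
    ip = smart_host_sender_ip(msg)
    if ip is not None and not any(ip in net for net in trusted):
        flags.append("untrusted_ip_at_smart_host")
    return flags
```

Run over exported headers from quarantine or message trace, a non-empty flag list on an internal-looking sender is the signal to investigate; a legitimate device on an allow-listed static IP with SPF aligned produces none.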

Protective Measures

To defend and protect against this threat, Varonis recommends that organizations take the following steps:

  • Enable “Reject Direct Send” in the Exchange Admin Center.
  • Implement a strict DMARC policy (e.g., p=reject).
  • Flag or quarantine unauthenticated internal messages.
  • Enforce “SPF hardfail” settings within Exchange Online Protection (EOP).
  • Use anti-spoofing policies.
  • Educate employees about phishing and QR code-based attacks (also known as “quishing”).
  • Monitor unusual email-sending behaviors like self-addressed messages and unexpected IP usage.
  • Enforce a static IP address in the SPF record to prevent unwanted send abuse, a recommended, though optional, best practice from Microsoft.

“Direct Send is a powerful feature, but in the wrong hands, it becomes a dangerous attack vector. If you’re not actively monitoring spoofed internal emails or haven’t enabled these protections, now is the time. Don’t assume internal means safe,” concluded Varonis.