Microsoft 365 Direct Send Feature Abused for Internal Phishing

Organizations relying on Microsoft 365 are facing a new wave of sophisticated phishing attacks that bypass traditional email security measures. Attackers have discovered a method to exploit the Direct Send feature, specifically known as Method 2, to send malicious emails that appear to originate from internal email addresses.

This technique allows attackers to send emails directly to internal recipients within an organization without needing a fully authenticated mailbox. By crafting emails that seem to come from colleagues or internal systems, they can easily circumvent perimeter defenses that scan incoming external mail. The emails look legitimate to the recipient because they appear to originate from a trusted internal source, significantly increasing the likelihood of success.

The primary goal of these campaigns is often credential harvesting. Users are tricked into clicking malicious links that lead to fake login pages, where they are prompted to enter their Microsoft 365 credentials. With compromised accounts, attackers can then move laterally within the network, access sensitive data, or launch further attacks. In some cases, the emails might contain malicious attachments designed to install malware or ransomware.

Because these emails originate internally (from the perspective of the M365 service itself, using the Direct Send mechanism), standard email gateways and filters often fail to flag them as suspicious. This makes the attack particularly insidious and effective.

Protecting your organization requires a multi-layered approach. First, it is crucial to review your Microsoft 365 Direct Send configurations. If you do not actively use Direct Send (Method 2) for applications or devices that need to send emails directly without authentication, disable this feature immediately. For those who require it, ensure rigorous controls are in place.

Furthermore, implementing and correctly configuring email authentication protocols like SPF, DKIM, and DMARC is essential, though their effectiveness against this specific internal spoofing method can be limited if Direct Send is misused. Strengthen your internal anti-spoofing rules within your email security platform to specifically detect anomalies in sender patterns, even for internal-looking emails.
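One way to express the "internal-looking but unauthenticated" anomaly as a mailbox-side check, added here as an example and not code from the article or from Microsoft: it parses the headers Exchange Online Protection stamps on inbound mail (`X-MS-Exchange-Organization-AuthAs`, `Authentication-Results`) and flags a message whose From domain is the tenant's own but which was accepted anonymously with neither SPF nor DKIM passing. Both messages and the `contoso.com` domain list are constructed for illustration; the exact header values are an assumption about EOP's output.

```python
import email
import email.utils
import re

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's accepted domains

# Constructed sample 1: claims to be the helpdesk, but EOP accepted it anonymously
# from an IP that fails SPF and with no DKIM signature.
SPOOF_RAW = """\
From: "IT Helpdesk" <helpdesk@contoso.com>
To: alice@contoso.com
Subject: Action required: password expiry
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous

Your password expires today. Sign in here to keep access.
"""

# Constructed sample 2: a scanner using Direct Send from an IP listed in the SPF record.
DEVICE_RAW = """\
From: scanner@contoso.com
To: alice@contoso.com
Subject: Scanned document
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous

See attached.
"""

def _auth_result(msg, key):
    """Read one result (spf, dkim, ...) from Authentication-Results; 'none' if absent."""
    m = re.search(rf"\b{key}=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def is_direct_send_spoof(raw):
    """Return (flagged, reasons): flagged when From is ours, the message was accepted
    anonymously (the Direct Send path) and neither SPF nor DKIM vouches for it."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
        return False, []  # external senders are covered by the normal inbound checks
    anonymous = msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "anonymous"
    authenticated = "pass" in (_auth_result(msg, "spf"), _auth_result(msg, "dkim"))
    reasons = []
    if anonymous:
        reasons.append("accepted as Anonymous (unauthenticated submission)")
    if not authenticated:
        reasons.append("no SPF or DKIM pass for the internal domain")
    return anonymous and not authenticated, reasons
```

Sample 2 shows why a blanket "internal sender via Direct Send" rule over-fires: a device whose IP is in the SPF record passes, so the check keys on the missing authentication rather than on Direct Send alone.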

Perhaps most importantly, user education remains a vital defense. Train your employees to be highly skeptical of emails asking for credentials or urging immediate action, even if they appear to come from trusted internal sources. Encourage them to verify requests through alternative communication channels. Staying ahead of these evolving threats requires constant vigilance and proactive security measures.

Source: https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
