
Protect Your Domain: A Guide to Preventing Exchange Online Direct Send Spoofing
If you’ve ever seen spam or phishing emails that appear to originate from your own company domain, you may be a victim of a common but often overlooked vulnerability in Microsoft 365: Direct Send abuse. This security gap can tarnish your domain’s reputation, confuse your employees, and expose your organization to significant risk. Fortunately, you can lock it down.
This guide will walk you through what Direct Send is, why it’s a risk, and the concrete steps you can take to secure your Exchange Online environment.
What is Direct Send and Why Is It a Security Risk?
Direct Send is a feature in Microsoft 365 designed to allow devices and applications, such as multifunction printers, scanners, or internal line-of-business (LOB) applications, to send emails without needing a licensed mailbox. It works by relaying email directly to your organization’s unique MX endpoint (e.g., yourdomain-com.mail.protection.outlook.com).
The problem is that, by default, this endpoint is open to the internet. Anyone who knows your MX record can potentially connect to it and send emails that appear to come from your domain. Because this method is often unauthenticated, it creates a perfect loophole for spammers and phishing attackers to exploit your trusted domain name for their malicious campaigns.
The consequences of leaving this vulnerability unaddressed are severe:
- Damaged Domain Reputation: If spammers use your domain to send junk mail, your official domain can be added to blocklists, causing legitimate emails to be rejected by customers and partners.
- Targeted Phishing Attacks: Attackers can send highly convincing phishing emails to your employees from what looks like a trusted internal address, increasing the likelihood of a successful breach.
- Loss of Trust: Customers receiving spam or malicious emails from your domain will lose trust in your brand.
How to Secure Your Microsoft 365 Environment from Direct Send Abuse
The solution involves creating a specific, secure pathway for your legitimate devices and applications while blocking all other unauthorized attempts. This is achieved with a combination of an inbound connector and a mail flow rule.
Step 1: Identify Your Authorized Senders
Before creating any rules, you must identify all the devices and applications within your network that rely on Direct Send. For each one, you will need its public IP address.
It is crucial to compile a complete list of the public IP addresses of all legitimate on-premises devices and applications that need to send email through your Microsoft 365 tenant. This includes scanners, internal servers, and any other system using unauthenticated SMTP relay.
Step 2: Create a Dedicated Inbound Connector
An inbound connector tells Exchange Online to trust emails coming from specific IP addresses. This creates a secure channel for your authorized devices.
- Navigate to the Exchange Admin Center.
- Go to Mail flow > Connectors.
- Click Add a connector.
- For the connection, select Your organization’s email server.
- Give the connector a clear name, such as “On-Premises Direct Send” or “Secure Device Relay.”
- On the next screen, choose the option By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization.
- Add all the public IP addresses you identified in Step 1.
- Save the connector.
You have now designated a trusted pathway. Any email received by Microsoft 365 from these IP addresses will be associated with this secure connector.
Step 3: Build a Mail Flow Rule to Block Unauthorized Senders
Now that you have an allowlist for your trusted senders, you can create a rule to block everyone else attempting to use the Direct Send method.
- In the Exchange Admin Center, navigate to Mail flow > Rules.
- Click Add a rule and then Create a new rule.
- Give the rule a descriptive name, like “Block External Direct Send Abuse.”
- Under Apply this rule if…, set the following conditions:
- Select The sender is located… and choose Outside the organization.
- Add a second condition: The sender’s domain is… and enter your organization’s domain(s).
- Under Do the following…, select Block the message… and then choose an action, such as Reject the message with the explanation. You can enter a custom rejection message like, “Unauthorized message submission. This sender is not permitted to relay mail.”
- This next step is the most important. Click on Except if… and add an exception.
- Select The message was received via… and choose a specific inbound connector. Select the connector you created in Step 2 (“On-Premises Direct Send”). Exempting by connector is simpler and easier to maintain than re-entering the device IP ranges in the rule itself, because the allowlist then lives in one place.
Your final rule logic should be: If a message originates from outside the organization and claims to be from our domain, block it, UNLESS it arrived through our secure inbound connector.
Step 4: Test and Enforce the Rule
Before fully enabling the rule, it’s critical to test it to avoid blocking legitimate email.
- In the rule settings, choose the Test with Policy Tips or Test without Policy Tips mode first.
- This allows you to monitor mail traces and see what the rule would have done without actually blocking anything.
- Once you have confirmed that legitimate mail from your devices is being delivered successfully and that unauthorized attempts would be blocked, you can edit the rule and set it to Enforce.
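The same Step 2 to Step 4 configuration done with Exchange Online PowerShell instead of the Exchange Admin Center, as an added example that is not part of the original post. The IP addresses, domain and connector name are constructed placeholders; the rule's exception is expressed here as the connector's own IP list via -ExceptIfSenderIpRanges, and -SenderAddressLocation HeaderOrEnvelope is added so a spoofed envelope sender is caught as well as a spoofed From header.

```powershell
# Added example, not the original post's code. Replace the placeholder values.
Connect-ExchangeOnline

$deviceIps = @("203.0.113.10", "203.0.113.11")   # constructed sample IPs from Step 1
$ourDomain = "contoso.com"                         # placeholder for your own domain
$connName  = "On-Premises Direct Send"
$ruleName  = "Block External Direct Send Abuse"

# Step 2: dedicated inbound connector that trusts only the authorized device IPs.
New-InboundConnector -Name $connName `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses $deviceIps `
    -RequireTls $true

# Step 3: reject mail from outside the organization that claims our own domain,
# unless it comes from the allowlisted IPs. Created in audit mode first (Step 4).
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SenderDomainIs $ourDomain `
    -SenderAddressLocation HeaderOrEnvelope `
    -ExceptIfSenderIpRanges $deviceIps `
    -RejectMessageReasonText "Unauthorized message submission. This sender is not permitted to relay mail." `
    -Mode Audit

# Step 4: review the last week of mail that claims our domain before enforcing.
# FromIP should be one of $deviceIps for legitimate device mail; anything else is a
# candidate for blocking once the rule is switched to Enforce.
Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.SenderAddress -like "*@$ourDomain" } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status |
    Format-Table -AutoSize

# Once the audit results look right, enforce the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Newer tenants also expose a tenant-wide switch, Set-OrganizationConfig -RejectDirectSend $true, which rejects Direct Send submissions outright while leaving mail received through an on-premises inbound connector like the one above unaffected.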
Final Recommendations for Long-Term Security
Securing Direct Send is not a one-time task. To maintain a strong security posture, follow these best practices:
- Regularly Audit Your Connector: As your organization changes, review and update the list of IP addresses in your inbound connector to ensure it remains accurate.
- Prioritize Authenticated Sending: Whenever possible, configure applications and devices to use more secure methods like SMTP AUTH client submission, which requires authentication with a username and password.
- Monitor Mail Flow: Periodically check message traces in Exchange Online to ensure your rule is working as intended and to identify any new, unauthorized sending attempts.
By taking these proactive steps, you can close a dangerous security loophole, protect your domain’s reputation, and significantly enhance the overall security of your Microsoft 365 environment.
Source: https://blog.talosintelligence.com/reducing-abuse-of-microsoft-365-exchange-onlines-direct-send/