Microsoft 365 Direct Send Attacks

Summary
Threat actors are actively abusing Microsoft 365’s Direct Send feature to deliver phishing emails that appear to originate from internal users. This tactic bypasses standard email authentication mechanisms and can bypass third-party email gateway solutions. Microsoft 365’s Direct Send capability is enabled by default – this is not a limitation of Barracuda offerings.

This advisory provides a technical breakdown of the attack vector, detection strategies and configuration hardening recommendations.

Attack Vector: Direct Send Abuse
Direct Send allows devices and applications to send email directly to internal recipients via SMTP without authentication. It is typically used for:

  • Printers and scanners
  • Line-of-business applications
  • Notification systems

When Direct Send is enabled without IP restrictions or proper routing controls, attackers can:

  • Relay spoofed messages using internal domains
  • Evade SPF/DKIM/DMARC enforcement
  • Bypass third-party email gateways
  • Deliver phishing payloads directly to inboxes

Threat Activity Observed
Barracuda Managed XDR has observed multiple campaigns leveraging this tactic. Common characteristics include:

  • Sender Spoofing: Appears to originate from internal departments (e.g., IT, HR)
  • Payloads: Credential phishing links, malware-laced attachments
  • Infrastructure: Use of compromised third-party SMTP relays or open mail servers

Assessing Your Environment
Disabling Direct Send may cause complications, and identifying its legitimate usage can be challenging. However, there are practical steps you can take to assess potential impact:

Mail Flow Report
Use the Microsoft 365 Admin Center or PowerShell to identify services or devices sending mail via Direct Send.
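The following PowerShell report is an added example and is not part of the Barracuda advisory. It lists inbound messages whose sender claims one of your accepted domains but which entered the service from an IP address that is neither declared on an inbound connector nor on your own list of known relays, which is exactly the population Direct Send abuse hides in. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and uses placeholder relay addresses (TEST-NET-3) that you replace with your own.

```powershell
# Added example, not part of the Barracuda advisory: report inbound messages that claim a
# sender in one of your accepted domains but entered the service from an IP address that is
# not configured on any inbound connector and not on your own list of known relays.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

$lookbackDays = 10      # Get-MessageTrace exposes at most the last 10 days

# Every accepted domain is a domain an attacker could present as "internal"
$internalDomains = (Get-AcceptedDomain).DomainName

# Source addresses/ranges declared on enabled inbound connectors (e.g. a third-party gateway)
$connectorSources = @(Get-InboundConnector | Where-Object { $_.Enabled } |
    ForEach-Object { $_.SenderIPAddresses } | ForEach-Object { "$_" })

# Placeholder list of relays you already know are legitimate (TEST-NET-3 addresses, replace them)
$knownRelays = @('203.0.113.10', '203.0.113.0/28')

# IPv4 membership test for a single address or a CIDR range
function Test-IpInRange {
    param([string]$Ip, [string]$Range)
    if ($Range -notmatch '/') { return ($Ip -eq $Range) }
    $net, $bits = $Range -split '/'
    $ipAddr = $null; $netAddr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$ipAddr) -or
        -not [System.Net.IPAddress]::TryParse($net, [ref]$netAddr)) { return $false }
    $ipBytes = $ipAddr.GetAddressBytes(); $netBytes = $netAddr.GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only in this example
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # network order -> host order for ToUInt32
    $ipInt  = [long][BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [long][BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [long]((([long]1 -shl [int]$bits) - 1) -shl (32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Test-KnownSource {
    param([string]$Ip)
    foreach ($range in ($connectorSources + $knownRelays)) {
        if (Test-IpInRange -Ip $Ip -Range $range) { return $true }
    }
    return $false
}

$end = Get-Date; $start = $end.AddDays(-$lookbackDays)
$suspect = [System.Collections.Generic.List[object]]::new()
$page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    foreach ($m in $batch) {
        # FromIP is populated for messages that entered the service from outside;
        # assumption to verify in your own tenant: mail originating inside the service leaves it empty
        if ([string]::IsNullOrEmpty($m.FromIP)) { continue }
        $senderDomain    = ($m.SenderAddress -split '@')[-1]
        $recipientDomain = ($m.RecipientAddress -split '@')[-1]
        if ($internalDomains -notcontains $senderDomain)    { continue }   # external sender, out of scope here
        if ($internalDomains -notcontains $recipientDomain) { continue }   # outbound mail, out of scope here
        if (Test-KnownSource -Ip $m.FromIP) { continue }                   # arrived via a known connector/relay
        $suspect.Add($m)
    }
    $page++
} while ($batch.Count -eq 5000)

# One row per source IP: how many internal-looking messages it injected and which senders it claimed
$suspect | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, @{n='SourceIP'; e={ $_.Name }},
        @{n='ClaimedSenders'; e={ ($_.Group.SenderAddress | Sort-Object -Unique) -join ', ' }},
        @{n='SampleSubject';  e={ $_.Group[0].Subject }} |
    Format-Table -AutoSize
```

Rows whose source IP belongs to a printer, scanner or line-of-business application are the legitimate Direct Send users you need to account for before hardening; rows from unknown external addresses claiming IT or HR senders match the campaign characteristics described above. Get-MessageTrace is the classic cmdlet; if your module version has replaced it with Get-MessageTraceV2, the filtering logic is unchanged.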

Microsoft Defender for Office 365 Query
Use Microsoft Defender Advanced Hunting to query for spoofed internal sender activity or anomalous SMTP traffic.

KQL query (Advanced Hunting in the Defender portal; the same query can also be run from PowerShell through the Microsoft Graph API)

EmailEvents
| where EmailDirection == "Inbound"
// exclude mail that arrived from your trusted gateway's address range
// (the prefix shown is the advisory's own example; substitute the range of your gateway)
| where SenderIPv4 !contains "209.222.82."
// no inbound connector matched: the message reached the tenant's MX endpoint directly (the Direct Send path)
| where Connectors == ""
// narrow to senders that claim one of your own domains (placeholder domain, replace it)
| where SenderFromAddress endswith "@yourdomain.example"
| project Timestamp, SenderIPv4, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails
// uncomment to count messages per source address instead of listing them
//| summarize count() by SenderIPv4, SenderIPv6

Mitigation Recommendations

For Barracuda EGD Customers

If you are using Barracuda Email Gateway Defense (EGD), review your configuration between EGD and Microsoft Exchange to ensure it aligns with the updated best practices stated in this Barracuda Campus article: https://campus.barracuda.com/product/emailgatewaydefense/doc/631417416/how-to-protect-against-gateway-bypass-and-direct-send-risks

Configuration Hardening

  1. Disable Direct Send unless absolutely required
  2. If required, restrict SMTP relay access to known internal IPs only
  3. Use authenticated SMTP with TLS for all device and app mail flows
  4. Implement transport rules to block unauthenticated internal-looking messages
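Steps 1, 2 and 4 of this list can be implemented in Exchange Online PowerShell. The script below is an added example, not Barracuda's or Microsoft's own guidance: it creates a transport rule that rejects mail claiming one of your accepted domains as sender while arriving unauthenticated from outside the organization, with an exception list for the sources you verified during assessment (placeholder TEST-NET-2 addresses), and it shows the tenant-wide Direct Send switch. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and that the RejectDirectSend parameter of Set-OrganizationConfig is available in your module version.

```powershell
# Added example, not part of the Barracuda advisory: implement hardening steps 1, 2 and 4 with
# an Exchange Online transport rule plus the tenant-wide Direct Send switch.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Step 2: the only unauthenticated sources allowed to send internal-looking mail
# (placeholder TEST-NET-2 addresses; use the addresses confirmed during assessment)
$allowedDirectSendSources = @('198.51.100.10', '198.51.100.0/29')

# Step 4: reject mail that claims one of your accepted domains while arriving unauthenticated.
# FromScope NotInOrganization matches senders that were not authenticated as members of the
# tenant, which is how an anonymous Direct Send message is classified.
$internalDomains = (Get-AcceptedDomain).DomainName
$ruleName = 'Block unauthenticated internal-looking senders'
$ruleParams = @{
    FromScope                       = 'NotInOrganization'
    SenderDomainIs                  = $internalDomains      # ...yet the From address uses one of your domains
    ExceptIfSenderIpRanges          = $allowedDirectSendSources
    RejectMessageReasonText         = 'Unauthenticated mail claiming an internal sender is not accepted'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'               # observe first; change to 'Enforce' after reviewing hits
    Comments                        = 'Direct Send hardening - review audit hits before enforcing'
}
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @ruleParams
} else {
    New-TransportRule -Name $ruleName @ruleParams
}

# After the audit period: review what the rule would have rejected before switching to Enforce
Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -TransportRule $ruleName |
    Select-Object Date, SenderAddress, RecipientAddress, Subject | Format-Table -AutoSize

# Step 1: if the assessment found no legitimate Direct Send use, turn it off tenant-wide.
# Assumption: RejectDirectSend is available on Set-OrganizationConfig in the module version in use.
$noLegitimateDirectSendUse = $false   # set to $true only after confirming nothing depends on Direct Send
if ($noLegitimateDirectSendUse) {
    Set-OrganizationConfig -RejectDirectSend $true
}
Get-OrganizationConfig | Select-Object RejectDirectSend
```

The rule starts in Audit mode on purpose: third-party services that legitimately send on your behalf (marketing or ticketing platforms, for instance) also look like unauthenticated internal senders to this rule, and the audit report is where they surface so they can be added to the exception list or, better, moved to authenticated SMTP per step 3 before enforcement.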

Authentication Enforcement

  • SPF: Ensure your domain’s SPF record does not include smtp.office365.com unless necessary
  • DKIM: Enable DKIM signing for all outbound mail
  • DMARC: Set policy to reject or quarantine with reporting enabled
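To check where each of your domains stands against these three bullets, the following added example (not part of the advisory) reports the SPF terminal qualifier and includes, whether DKIM signing is enabled in Exchange Online, and the DMARC policy and reporting tag for every authoritative accepted domain. It assumes the ExchangeOnlineManagement module for Get-DkimSigningConfig and the Windows DnsClient module for Resolve-DnsName.

```powershell
# Added example, not part of the Barracuda advisory: report the SPF, DKIM and DMARC posture of
# every authoritative accepted domain. Assumes the ExchangeOnlineManagement module for
# Get-DkimSigningConfig and the Windows DnsClient module for Resolve-DnsName.
Connect-ExchangeOnline

function Get-TxtRecord {
    param([string]$Name, [string]$Prefix)
    # Join the string chunks of each TXT answer and return the first record starting with $Prefix
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like "$Prefix*" } |
        Select-Object -First 1
}

$domains = (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }).DomainName
foreach ($domain in $domains) {
    $spf   = Get-TxtRecord -Name $domain -Prefix 'v=spf1'
    $dmarc = Get-TxtRecord -Name "_dmarc.$domain" -Prefix 'v=DMARC1'
    $dkim  = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain       = $domain
        # "-all" is the strict qualifier; "~all" (softfail) and "?all" (neutral) are weaker
        SpfAll       = if ($spf -match '([-~?+]all)') { $Matches[1] } else { 'missing' }
        # every include: mechanism, so you can see which third parties may send as this domain
        SpfIncludes  = (($spf -split '\s+') | Where-Object { $_ -like 'include:*' }) -join ' '
        DkimEnabled  = [bool]($dkim -and $dkim.Enabled)
        # p= is the policy for the domain itself (anchored so that sp= is not picked up)
        DmarcPolicy  = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }
        DmarcReports = [bool]($dmarc -match 'rua=')
    }
}
```

A domain that meets the three bullets shows a strict or softfail SpfAll value, DkimEnabled True, DmarcPolicy reject or quarantine, and DmarcReports True; anything else is a gap to close before the transport-rule hardening above can be relied on, since DMARC evaluation is what turns a spoofed internal sender into an authentication failure.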

Collaboration & Acknowledgments
Special thanks to Paul Harragan, global cybersecurity lead at KKR, for collaborating on this advisory.