Cybercriminals have found a new trick and this one’s flying under the radar of even the most advanced email security systems. In recent weeks, a phishing campaign has emerged that’s abusing Microsoft 365’s Direct Send feature. What makes it especially dangerous? These emails appear to come from inside your organization, even from your own address. No breach, no credential theft—just crafty exploitation of Microsoft infrastructure. And unfortunately, businesses across industries are seeing it happen in real time.
What's Happening with Microsoft 365 Direct Send?
Threat actors are leveraging the Direct Send feature (designed for internal delivery) to push spoofed emails without authenticating. This essentially means they’re exploiting Direct Send to impersonate internal users even without access to your Microsoft 365 tenant.
These messages often:
- Bypass standard filters (yes, even advanced third party email filtering services)
- Look like voicemail notifications or internal updates
- Contain malicious QR codes or PDF attachments
- These messages often pass SPF and DMARC checks with soft-fail or none at all—because the domain’s policies aren’t configured to enforce rejection (‘p=reject’)
They're using Microsoft infrastructure (*.mail.protection.outlook.com — Learn more here) to give these emails that oh-so-trustworthy look. Here’s the kicker—no credentials or tenant access needed.
What We're Noticing:
- Spoofed emails that don’t show in mail traces
- SPF and DMARC checks are failing softly, not blocking the emails
- Because they route through Microsoft’s trusted infrastructure (mail.protection.outlook.com), the emails appear more legitimate to both systems and users
Read the more from Microsoft Exchange Team Blog.
Learn more on Arctic Wolf blog.
How It Impacts Your Business
We’re now seeing this tactic used across healthcare, energy, SMBs, and more. This isn’t a system breach—it’s a trust exploit. And it’s exactly the type of evolving cybersecurity threat that underscores the need for Secure Managed Services. If your SPF/DMARC policies are outdated or your users aren't prepared to spot spoofed internal emails, you're at risk.
Your Next Steps
If you're unsure whether your environment is hardened against this latest exploit, now’s the time to act:
- Request a free email security assessment
- Review your SPF/DMARC/DKIM policies
- Schedule a training refresh
- For Centre customers, ask your vCIO about enabling “Reject Direct Send”
What Centre Is Doing to Help
Our Security Operations team actively monitors for emerging phishing tactics and collaborates with Microsoft, our security partners and internal teams to create awareness and stay ahead of threats like this one. We stay ahead of email-based threats with a multi-layered security strategy. Here's how we're helping customers defend against these sophisticated spoofing tactics:
SPF, DKIM, and DMARC Hardening
We review and configure your domain’s records with aggressive protections—pushing DMARC policies to p=reject where appropriate.
Exchange Online Controls
We help enable Microsoft's new “Reject Direct Send” feature, blocking these spoofing attempts before they hit user inboxes.
User Education and Awareness
Through KnowBe4 security awareness training, we ensure your employees can spot suspicious emails—especially internal-looking ones or QR-code attacks.
Security Operations Escalation (SecOps)
If issues persist, escalation to our in-house Security Operations Center ensures rapid analysis and targeted remediation if spoofing persists for further investigation, analysis, and resolution.
Emily Kirk
