Inside Job: Attackers Are Spoofing Emails With M365's Direct Send
Security Boulevard, Thursday, July 31st, 2025
Over the past three months, our threat analysts have noticed a significant spike in attackers abusing Microsoft 365's Direct Send feature-a tool intended for devices like printers or scanners to send internal emails without authentication.
Unfortunately, threat actors have found a way to exploit this convenience, slipping past critical email security checks like SPF, DKIM, and DMARC.
Since May 2025 alone, attackers have compromised over 70 organizations across the U.S., hitting hard in sectors like manufacturing, consulting, and healthcare. These emails appear completely internal, often evading Microsoft's built-in defenses and traditional Secure Email Gateways (SEGs).