Exploiting Direct Send: Attackers Abuse Microsoft 365 To Deliver Internal Phishing Attacks
Proofpoint, Wednesday, July 30th, 2025
Proofpoint identified an active phishing campaign exploiting Microsoft 365 Direct Send, which delivered spoofed messages that appeared as internal emails.
Threat actors are exploiting Microsoft 365's Direct Send feature to deliver phishing emails that appear to originate from within the organization, undermining internal trust, and increasing the risk of successful social engineering attacks.
Phishing messages often evade built-in defenses, landing in users' junk folders despite being flagged by Microsoft's composite authentication checks.
Lures are highly effective and business-themed, frequently using pretexts like task reminders, wire authorizations, and voicemails to entice user interaction.
This campaign reflects a broader trend of adversaries abusing legitimate cloud services to bypass security controls, making it essential for organizations to reassess their email authentication and relay configurations.