Attackers Exploit Microsoft 365 Email Feature to Send Convincing Spoofed Messages

By Medha Cloud Security Desk
Security researchers have discovered that threat actors are exploiting a built-in Microsoft 365 email feature known as Direct Send, enabling them to send spoofed messages that appear to come from trusted internal addresses — without authentication.
The finding, detailed by analysts at Mimecast Threat Intelligence, underscores how legitimate features can be repurposed to bypass conventional security controls.
The Direct Send feature allows devices and applications within a network to send mail through Microsoft 365 without user credentials; it is typically used for scanners, line-of-business apps, or notifications. Attackers have found that misconfigured environments using this feature can be abused to send phishing messages directly into corporate inboxes, bypassing many perimeter and spam filters.
According to researchers at TechRadar Pro, the spoofed messages are often nearly indistinguishable from legitimate internal communications. The emails can carry malicious links or payloads designed to steal credentials, deliver ransomware, or trigger business email compromise (BEC) workflows.
Security experts warn that the abuse of Microsoft 365’s Direct Send feature represents a shift from exploiting vulnerabilities to manipulating trust boundaries. “Attackers no longer need to break in when they can borrow the keys left under the mat,” one analyst said.
Microsoft recommends organizations restrict Direct Send use to specific, approved IP addresses and enforce SMTP AUTH with TLS encryption wherever possible. Additionally, administrators are advised to deploy DKIM, SPF, and DMARC policies to authenticate all outbound and inbound traffic, reducing the success rate of email spoofing attacks.
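The controls above can also be checked after delivery. The following Python example is added here and is not code from Microsoft, Mimecast or this article. It triages messages that claim an internal sender, treating one as legitimate only if it came from an approved relay IP or passed DMARC. The domain, IP range and sample headers are constructed placeholders, and the code assumes the receiving service stamps an Authentication-Results header containing a "sender IP is" note.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed values (not from the article): placeholder internal domain and
# approved relay range for devices allowed to use Direct Send.
INTERNAL_DOMAINS = {"example.com"}
APPROVED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]

def auth_results(msg):
    """Parse verdicts and connecting IP from the topmost Authentication-Results
    header, i.e. the one stamped last, by the receiving service."""
    header = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    ip = re.search(r"sender IP is ([0-9A-Fa-f.:]+)", header)
    return verdicts, ip.group(1) if ip else None

def from_approved_relay(ip):
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return False  # missing or malformed IP is never treated as approved
    return any(addr in net for net in APPROVED_RELAYS)

def triage(raw):
    """Return 'external', 'ok' or 'suspect-spoof' for one raw message."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return "external"
    verdicts, ip = auth_results(msg)
    if from_approved_relay(ip) or verdicts.get("dmarc") == "pass":
        return "ok"
    return "suspect-spoof"

# Constructed sample messages (headers only), not captured traffic.
SCANNER = ("Authentication-Results: spf=pass (sender IP is 192.0.2.5) "
           "smtp.mailfrom=example.com; dkim=none; dmarc=pass\n"
           "From: Scanner <scanner@example.com>\nSubject: Scan\n\n")
SPOOFED = ("Authentication-Results: spf=fail (sender IP is 203.0.113.7) "
           "smtp.mailfrom=example.com; dkim=none; dmarc=fail\n"
           "From: IT Helpdesk <helpdesk@example.com>\nSubject: Voicemail\n\n")
EXTERNAL = ("Authentication-Results: spf=pass (sender IP is 198.51.100.9) "
            "smtp.mailfrom=example.org; dkim=pass; dmarc=pass\n"
            "From: Bob <bob@example.org>\nSubject: Hi\n\n")

if __name__ == "__main__":
    for name, raw in [("scanner", SCANNER), ("spoofed", SPOOFED), ("external", EXTERNAL)]:
        print(name, triage(raw))
```

Only the header added by your own receiving service should be trusted; a sender can include Authentication-Results lines of its own further down the message.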
The incident also illustrates the broader challenge of “feature misuse” in enterprise environments — where functions intended for convenience become potential attack surfaces. Experts say this pattern will continue as attackers turn attention from software exploits to configuration flaws within cloud services.