Attackers Use M365 Exchange Direct Send to Bypass Content Filters and Harvest Sensitive Information

Cybersecurity researchers have sounded the alarm on a growing wave of attacks exploiting Microsoft 365 Exchange Online’s Direct Send feature, a mechanism originally intended to support business workflows for devices and legacy applications that cannot authenticate via modern standards.

Cisco Talos and other security vendors report that cybercriminals are abusing this trusted mail pathway to launch phishing and business email compromise (BEC) campaigns targeting enterprises worldwide.

Direct Send Exploitation and Attack Techniques

Direct Send enables appliances such as printers or scanners to send messages into an organization’s tenant without authentication.

This operational convenience, however, allows attackers to impersonate internal systems and users, bypassing crucial email authenticity checks such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC). As a result, spoofed emails appear legitimate and escape filtering.

According to Cisco Talos and corroborating research from Varonis, Abnormal Security, Ironscales, Proofpoint, and Barracuda, threat actors are emulating trusted internal traffic to deliver phishing payloads.

Spoofed American Express dispute (left), fake ACH payment notice (right).

Common social engineering tactics include fake invoice notices, payment authorization requests, and voicemail alerts. Many attacks rely on low-content messages containing QR codes or obfuscated attachments, which redirect recipients to credential-harvesting pages hosted on malicious domains.

Since these campaigns use legitimate Exchange mail flows, traditional security analytics often fail to detect anomalies. The inherent trust in Microsoft’s infrastructure lets attackers slip past security detection gates with little friction, turning a business-enabling feature into an exploitation vector.

Microsoft has acknowledged the risk and introduced a Public Preview of the “RejectDirectSend” control, allowing administrators to block unauthenticated submissions.

Future improvements will include usage visibility reports and a “default-off” configuration for new tenants to reduce exposure. Despite these moves, organizations that still depend on Direct Send for vital workflows must carefully plan transitions to avoid business disruption.

Experts recommend migrating legacy devices to authenticated SMTP (port 587) where possible, implementing SPF and DKIM enforcement, and monitoring DMARC reports for anomalous internal-sender activity.

Administrators should also restrict port 25 usage to approved hosts and actively alert on unauthenticated internal domain messages.
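One way to express that last recommendation as a header-level detection rule, shown here as an added example that is not from the article or from any of the vendors it names: a message whose From address is in the tenant's own domain but that passed neither SPF nor DKIM is exactly what a Direct Send spoof looks like in the Authentication-Results header. The organization domain, the sample headers and the function names are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the tenant's own accepted domain

# method=result pairs in Authentication-Results (RFC 8601), e.g. "spf=fail", "dkim=none".
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.IGNORECASE)

# Constructed sample headers (not real captures) for the cases the rule must separate.
SAMPLES = {
    "spoof_direct_send": (
        "Authentication-Results: spf.protection.outlook.com; spf=fail (sender IP is 203.0.113.10)"
        " smtp.mailfrom=example.com; dkim=none (message not signed); dmarc=fail header.from=example.com\n"
        "From: Accounts Payable <ap@example.com>\nTo: finance@example.com\n"
        "Subject: Payment authorization required\n\nSee attached invoice.\n"),
    "internal_authenticated": (
        "Authentication-Results: spf.protection.outlook.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "From: Helpdesk <helpdesk@example.com>\nTo: staff@example.com\nSubject: Maintenance window\n\nTonight.\n"),
    "external_vendor": (
        "Authentication-Results: spf.protection.outlook.com; spf=fail smtp.mailfrom=vendor.example;"
        " dkim=none; dmarc=fail header.from=vendor.example\n"
        "From: Billing <billing@vendor.example>\nTo: finance@example.com\nSubject: Invoice\n\nHi.\n"),
}


def auth_results(msg):
    """Collapse every Authentication-Results header into {method: result}."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    return {m.lower(): r.lower() for m, r in _AUTH_RE.findall(joined)}


def is_unauthenticated_internal(raw, org_domain=ORG_DOMAIN):
    """True when the From domain is ours but neither SPF nor DKIM passed:
    an internal-looking message that no sender authentication vouches for."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != org_domain.lower():
        return False  # external sender: ordinary anti-spoof policy applies instead
    res = auth_results(msg)
    return res.get("spf") != "pass" and res.get("dkim") != "pass"


def triage(samples):
    """Return the names of sample messages that should raise an alert."""
    return [name for name, raw in samples.items() if is_unauthenticated_internal(raw)]


if __name__ == "__main__":
    print(triage(SAMPLES))  # expected: ['spoof_direct_send']
```

The external vendor message fails SPF too but is deliberately not flagged by this rule; it belongs to the normal DMARC policy path, while this check isolates the internal-sender anomaly the article describes.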

Talos’ defensive measures combine machine learning-based email telemetry analysis and behavioral inspection to detect patterns consistent with Direct Send abuse.

This layered detection approach aims to shorten attacker dwell time while maintaining operational continuity. As Ironscales noted, “You can’t block what you don’t see,” underscoring visibility as the foundation of secure enforcement.

For organizations seeking guidance or remediation assistance, Cisco Talos Incident Response offers consulting and proactive defense services protecting critical communications.


The post Attackers Use M365 Exchange Direct Send to Bypass Content Filters and Harvest Sensitive Information appeared first on Cyber Security News.

