What is Direct Send?
Direct Send is a legitimate Microsoft 365 feature that lets devices and applications deliver email straight into mailboxes in your tenant through Microsoft's infrastructure, without a username, password, or connector. It exists for things like printers, scanners, and monitoring systems that cannot authenticate and only need to reach internal recipients.
Normally, when an email is sent to a user at your company, the sending server looks up your domain's mail exchange (MX) record and delivers to whatever that record names. That path can be managed and monitored, and SPF, DKIM, and DMARC are evaluated along it to confirm that a message really comes from the domain it claims to.
However, Microsoft also accepts mail at a second door: the Direct Send endpoint, which is formed from your domain with the dots replaced by hyphens, <your-domain>.mail.protection.outlook.com. For company.com that is company-com.mail.protection.outlook.com.
This endpoint accepts mail addressed to your domain whether or not your MX record points at it. If your MX points to a third-party gateway, mail sent straight to the endpoint never passes through that gateway. Direct Send is commonly used by third-party applications and systems that need to send messages without authenticating. That is convenient, but the same open door is available to attackers.
How attackers exploit Direct Send
Attackers found that they can use Microsoft’s Direct Send endpoint to spoof internal email addresses, making phishing messages look like they’re coming from someone inside the organization, even though they’re not.
How the phishing attack works:
1. Email spoofing: The attacker crafts an email whose "From" header carries an address inside the victim's organization, for example ‘ceo@company.com’.
2. External server usage: Rather than using the organization's mail server, the attacker sends the spoofed message from an external mail server they control.
3. Targeting the Direct Send endpoint: Instead of routing the email through the organization's published MX record, the attacker connects on port 25 to Microsoft's Direct Send endpoint for the victim's domain, e.g., company-com.mail.protection.outlook.com
4. Bypassing authentication: Microsoft accepts the message without authenticating the sender, because the recipient belongs to that tenant and that is all Direct Send requires.
5. SPF and DMARC limitations: Microsoft does evaluate SPF against the connecting server. If the attacker uses the spoofed internal address as the envelope sender (MAIL FROM), SPF fails, but a failure by itself does not stop delivery unless the domain publishes a DMARC quarantine or reject policy and the tenant enforces it. If the attacker instead uses an envelope sender from a domain whose SPF record lists their server, SPF passes outright, and only DMARC alignment against the forged "From" header reveals the mismatch.
6. Convincing appearance: The message arrives through Microsoft's own infrastructure and lands in the recipient's inbox showing the internal address and, if the attacker sets it, the correct display name and internal formatting. No account was touched, so there is no login anomaly to alert on.
7. User falls for the phish: Believing the email is legitimate, the recipient may click on a link, download a malicious file, or reply with sensitive information.
Ultimately, no account was hacked, and no credentials were stolen. Yet, a convincing spoofed message was delivered directly to an employee’s inbox.
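The delivery path above, reproduced as an authorized test against a tenant you administer so you can see for yourself whether unauthenticated, internal-looking mail reaches an inbox. This is an added example and not code from the original post; company.com, the mailbox names, and the test wording are assumptions, and Resolve-DnsName assumes a Windows host with the DnsClient module.

```powershell
# Added example (not from the original post): send one test message down the Direct Send path
# of a tenant YOU administer. Domain, mailboxes and wording below are assumptions.

function Get-DirectSendEndpoint {
    <#
      Microsoft derives the endpoint from the accepted domain by replacing dots with hyphens:
      company.com -> company-com.mail.protection.outlook.com
    #>
    param([Parameter(Mandatory)][string]$Domain)
    return ($Domain.Replace('.', '-') + '.mail.protection.outlook.com')
}

$Domain   = 'company.com'                                             # assumed: a domain in your tenant
$Endpoint = Get-DirectSendEndpoint -Domain $Domain
$Subject  = "Direct Send test $(Get-Date -Format 'yyyyMMdd-HHmmss')"  # unique, easy to find in message trace

# Confirm the endpoint exists before trying it (Windows DnsClient module).
Resolve-DnsName -Name $Endpoint -Type A | Select-Object Name, IPAddress

# Steps 2-4 of the list above: an external host, no credentials, port 25 straight to Microsoft's edge,
# and a From address inside the target organization. Nothing here proves control of ceo@company.com.
Send-MailMessage -SmtpServer $Endpoint -Port 25 `
    -From    "ceo@$Domain" `
    -To      "analyst@$Domain" `
    -Subject $Subject `
    -Body    'Authorized Direct Send spoofing test by the security team. Please report this message.'

# Step 5: on the copy that arrives, open the message headers and read Authentication-Results.
# MAIL FROM was ceo@company.com and this host is not in company.com's SPF record, so expect
# spf=fail and, if company.com publishes DMARC, dmarc=fail. If the message is nevertheless
# sitting in the inbox, the tenant delivered it despite those results; that is the gap the
# mail flow rule later in this article closes.
```

Run it from an IP that is not in your SPF record and not in your gateway's range, then check the Authentication-Results header on the delivered copy: a failing verdict followed by inbox delivery is exactly the condition described above.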
Why this attack works
This tactic succeeds because it abuses trust in internal communication. “Phishing attacks are often cited as a primary threat to organizations’ data security. End users in an email system are generally considered to be the weakest link in data security systems, as their email management behaviors allow malicious actors to gain access to private and potentially valuable information,” explains the study “Social distance, trust and getting ‘hooked’: A phishing expedition,” published in Organizational Behavior and Human Decision Processes.
Most organizations rely on SPF and DMARC to validate senders, but those checks only produce a verdict; something still has to act on it. Direct Send mail enters through Microsoft's own infrastructure with an internal address in the "From" header, and many tenants allow-list their own domain or Microsoft's relays, skip filtering for mail that looks internal, or never set DMARC to quarantine or reject. In those tenants the failed or unaligned check is recorded in the headers and the message is delivered anyway.
Victims are tricked into clicking phishing links that lead to credential harvesting pages and malware downloads. Unless the domain's DMARC policy is quarantine or reject and the tenant's anti-phishing policy honors it, the failed check is logged but not acted on, so Microsoft 365 does not flag the message as malicious.
The attack leaves no trace of a compromised account. There’s nothing to lock down, no password to reset, and no signs of unusual login activity. The attacker simply impersonates an internal user and disappears once the phishing campaign has run its course.
Can Paubox ExecProtect+ stop this?
Yes. Paubox can stop Direct Send exploits. Paubox encrypts and secures email via its own MX records, so you can add an inbound security rule to Microsoft 365 that only accepts email routed through Paubox’s infrastructure. Any email that attempts to bypass your MX record, like those delivered via Direct Send, is automatically rejected.
Using the Paubox M365 Rule to block Direct Send
- Enforcing mail flow via Paubox: The rule blocks any incoming email that doesn't arrive through Paubox’s designated MX record.
- Rejecting Direct Send messages: Direct Send messages enter through Microsoft's ‘mail.protection.outlook.com’ endpoint from the sender's own IP, not from Paubox's, so the exception does not match and the rule quarantines or rejects them before they reach your users.
- Preventing spoofed internal addresses: Since attackers can no longer reach your inboxes through Microsoft’s endpoint, this prevents impersonation attempts using internal email addresses.
Steps to set it up
1. Log in to the Microsoft 365 Admin Center
Navigate to the Exchange Admin Center.
2. Create a new mail flow rule
Go to: Mail Flow > Rules > + Add a Rule
Select: “Create a new rule”
On the new rule page, enter the rule name:
Paubox Non-MX Inbound Blocking
3. Define the Rule Conditions
From the Apply this rule if dropdown menu:
Select: The Sender > Is External/Internal > Outside the organization
From the Do the following dropdown menu:
Select: Redirect the message to > Hosted quarantine
(Alternative: You can choose “Reject the message with an NDR” if you prefer.)
4. Add the exception for Paubox
From the Except if section:
Choose: The sender > Sender’s IP address is in any of these ranges or exactly matches
Enter the Paubox IP range: 165.140.171.0/24
Click the + symbol to add it, then click OK.
Note: if you have configured trusted mail sources to deliver directly to your M365 inboxes, for example phishing simulation software or on-prem based system alerts, add those IPs here as well.
5. Configure rule properties
Scroll to the Properties of this rule section.
In the Priority field, type: 0
(This ensures the rule is evaluated first.)
Under Match sender address in message, choose: Envelope
Select: Stop processing more rules
Click Save to activate the rule.
6. Verify and Monitor
- Make sure the rule appears at the top of the mail flow rule list.
- If it isn’t, click the rule and use the “Up” arrow to move it to the top.
- Send a test message to your Direct Send endpoint from a server outside the Paubox range and confirm it lands in quarantine (or bounces with an NDR, if you chose that action).
- Monitor your Microsoft 365 quarantine or NDR reports to confirm the rule keeps functioning as intended and that no legitimate sender is being caught.
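The same rule built from Exchange Online PowerShell, covering steps 2 through 6, as an added example rather than Paubox's own instructions. It assumes the ExchangeOnlineManagement module, admin@company.com as the admin account, analyst@company.com as the test recipient, and 203.0.113.10 as a hypothetical on-prem alert relay you want to keep allowing; the Paubox range is the one given above.

```powershell
# Added example (not Paubox's own instructions): the PowerShell equivalent of the EAC steps above.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@company.com'   # assumed admin account

# Step 4: sources allowed to reach mailboxes directly. Paubox's range from the article plus any
# trusted direct senders you identified (the second entry is an assumed on-prem alert relay).
$AllowedSenderRanges = @(
    '165.140.171.0/24',   # Paubox
    '203.0.113.10'        # hypothetical on-prem monitoring relay
)

# Steps 2, 3 and 5, mapped parameter by parameter to the EAC fields.
$Rule = @{
    Name                   = 'Paubox Non-MX Inbound Blocking'
    Comments               = 'Quarantine external mail that bypassed the Paubox MX (Direct Send abuse)'
    FromScope              = 'NotInOrganization'   # Apply this rule if: sender is outside the organization
    ExceptIfSenderIpRanges = $AllowedSenderRanges  # Except if: sender IP is in these ranges
    Quarantine             = $true                 # Do the following: redirect to hosted quarantine
    SenderAddressLocation  = 'Envelope'            # Match sender address in message: Envelope
    Priority               = 0                     # evaluated before every other rule
    StopRuleProcessing     = $true                 # Stop processing more rules
    Mode                   = 'Enforce'             # use 'Audit' first if you want to observe before blocking
}
# Prefer the NDR alternative? Drop Quarantine and add:
#   RejectMessageReasonText         = 'Inbound mail must arrive through the Paubox MX'
#   RejectMessageEnhancedStatusCode = '5.7.1'
New-TransportRule @Rule

# Step 6a: confirm the rule sits at the top with the intended settings.
Get-TransportRule -Identity 'Paubox Non-MX Inbound Blocking' |
    Format-List Name, Priority, State, Mode, FromScope, ExceptIfSenderIpRanges, Quarantine, SenderAddressLocation

# Step 6b: after sending a test message to the Direct Send endpoint from a non-Paubox IP,
# confirm it was quarantined rather than delivered (Status should read 'Quarantined').
# Get-MessageTraceV2 takes the same parameters if Get-MessageTrace has been retired in your tenant.
Get-MessageTrace -RecipientAddress 'analyst@company.com' `
                 -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Where-Object { $_.Subject -like 'Direct Send test*' } |
    Select-Object Received, SenderAddress, FromIP, Status
```

Start with Mode set to Audit for a few days if you are unsure which direct senders exist; the message trace query will show every message the rule would have quarantined, and their FromIP values are the addresses that belong in the exception list.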
Go deeper: Inbound Security: Optional M365 Rule to Block Direct Send Phishing
Why Paubox’s approach works
Paubox blocks threats at the mail delivery layer: if a message from outside your organization doesn’t come through the correct, encrypted MX record, it’s not allowed in. The approach eliminates:
- Spoofed internal emails arriving from outside the MX path
- Direct Send bypasses
- Confusing SPF/DKIM failures on mail that should never have been accepted
Note that the rule applies to senders outside the organization. Mail sent from a compromised internal account arrives as genuinely internal and needs other controls.
Additional tips to improve your email security
1. Enable DMARC with quarantine or reject
Ensure your domain is protected by SPF, DKIM, and DMARC, and configure DMARC to quarantine or reject unauthenticated messages.
2. Use display name impersonation protections
Some attackers spoof the display name without using the actual email address. Paubox’s ExecProtect+ helps stop display name impersonation, too.
3. Monitor mail flow logs
Regularly review your mail flow logs and message trace reports in Microsoft 365 and Paubox to detect unusual patterns or blocked attempts.
4. Train staff to spot spoofs
Even with technical protections, phishing attacks can still succeed if employees aren’t trained to scrutinize unexpected messages. Therefore, healthcare organizations must implement regular security awareness training.
5. Disable unused email routes
If your organization doesn’t use Direct Send, or can move the devices that do onto authenticated SMTP submission or an inbound connector, turn it off. Exchange Online has a tenant-level setting, RejectDirectSend, that refuses unauthenticated Direct Send outright; inventory legitimate senders first, because they will start bouncing once it is on. Restrict any other alternate delivery paths the same way.
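The tenant-wide switch described above, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module, a tenant in which Microsoft has made the RejectDirectSend setting available, Paubox's 165.140.171.0/24 as your only MX path, and company.com / admin@company.com as your domain and admin account; the inventory query is a starting list to confirm by hand, not a complete audit.

```powershell
# Added example (not from the original post): inventory Direct Send users, then reject Direct Send.
Connect-ExchangeOnline -UserPrincipalName 'admin@company.com'   # assumed admin account

# 1. Inventory first. Legitimate Direct Send traffic (printers, scanners, on-prem alerting) shows
#    up in message trace as mail whose sender is your own domain but whose connecting IP (FromIP)
#    is outside the Paubox range. Everything listed here will bounce once the reject is enabled,
#    so move it to SMTP AUTH client submission or an inbound connector beforehand.
#    The /24 check is a deliberate string match; use a real CIDR test for other prefix lengths.
$Since = (Get-Date).AddDays(-7)
Get-MessageTrace -StartDate $Since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object {
        $_.SenderAddress -like '*@company.com' -and
        $_.FromIP -and                              # skip entries with no connecting IP
        $_.FromIP -notlike '165.140.171.*'          # not Paubox
    } |
    Group-Object FromIP |
    Select-Object @{ n = 'FromIP';  e = { $_.Name } },
                  Count,
                  @{ n = 'Senders'; e = { ($_.Group.SenderAddress | Sort-Object -Unique) -join ', ' } } |
    Sort-Object Count -Descending

# 2. Check the current value, then enable the reject.
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# 3. Re-send a test message to your Direct Send endpoint from outside Paubox's range:
#    the submission should now be refused at SMTP time instead of reaching quarantine.
```

This setting and the mail flow rule are complementary: the rule protects mailboxes in tenants where the switch is not yet available or where some device must keep using Direct Send, while the switch removes the path entirely once nothing legitimate depends on it.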
FAQs
Why is Direct Send a security risk?
Attackers can use Direct Send to deliver spoofed emails that look like they come from inside your organization, bypassing standard authentication.
What is email spoofing?
Email spoofing is when a sender forges the "From" address to make the email appear as though it came from a trusted source.
Can attackers spoof internal users without hacking an account?
Yes. With Direct Send, attackers don’t need to compromise an account to send a message that appears internal.
