Exploiting Microsoft 365 Direct Send: The Growing Risk of Internal Phishing

02 September, 2025

Internal email trust is one of the most valuable yet fragile assets in an organization. Employees rarely doubt a message that looks like it came from their own manager, finance desk, or IT team. Attackers are now exploiting Microsoft 365’s Direct Send feature to erode this trust at scale.

Direct Send was built for convenience. Printers, scanners, and legacy applications that cannot authenticate were given a way to send email directly into the tenant. That shortcut is now being weaponized. Spoofed “internal” messages are passing through Microsoft 365, often landing in Junk folders rather than being blocked outright. For attackers, that is more than enough.

The result is a highly effective phishing pathway that bypasses many organizations’ layered defenses. The risk is not just technical; it directly affects fraud exposure, workflow disruption, and reputational credibility.


What is Direct Send?

Direct Send lets printers, scanners, and other tools send email into Microsoft 365 without signing in, just as long as the message stays inside the same tenant. It was built for older systems that can’t use modern authentication.

The flaw: anyone who can route mail into Microsoft 365 via an accepted relay path can make their messages appear internal. No credentials are required. This turns Direct Send into a tool for spoofing and phishing.


How the Abuse Works

  • Message Injection

Attackers use cheap virtual servers or exposed SMTP relays to push fake emails into the system. The messages are made to look like an authentic part of internal communication.

  • Relay and Delivery

That traffic is injected into Microsoft 365 tenants using Direct Send. The “From” field is spoofed as an internal address, making the email look genuine to the recipient.

  • Why Junk Is Still Dangerous

Microsoft’s composite authentication often flags such mail as compauth=fail. Instead of being blocked, the message lands in the Junk folder. Employees still open Junk regularly, and phishing needs only one victim. The gap between “flagged” and “blocked” is exactly what attackers exploit.


Key Indicators You Must Look For

Header Cues

  • Authentication-Results showing compauth=fail
  • Received-SPF misalignment or unexpected sending IPs
  • Internal-looking messages showing up in Junk rather than being blocked

Observed Subject Lines

  • Your To-Do List – [MM/DD/YYYY]
  • Wire Authorization Approval [MM/DD/YYYY]
  • Payment ACH-Wire Authorization
  • Daily Reminder: Today’s Tasks – [MM/DD/YYYY]
  • WIRELESS CALLER (XXX) YYY-ZZZZ – [MM/DD/YYYY]

These subjects are designed to look operational or financial, increasing the likelihood of user action.
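The header cues and subject lures above can be checked mechanically. The following PowerShell function is an added example (not from the original post): it unfolds raw message headers, looks for compauth=fail, a non-passing Received-SPF result, a sending IP outside a known allow list, and an internal-looking From address paired with one of the observed subject patterns. The tenant domain contoso.example, the trusted IP list, and the sample headers are constructed for illustration.

```powershell
# Constructed values: replace with your accepted domain and the IPs your
# printers/apps legitimately send from.
$TenantDomain    = 'contoso.example'
$TrustedRelayIps = @('203.0.113.10')

# Subject patterns taken from the observed lures above
$SubjectLures = @(
    '^Your To-Do List',
    '^Wire Authorization Approval',
    '^Payment ACH-Wire Authorization',
    '^Daily Reminder: Today.s Tasks',
    '^WIRELESS CALLER'
)

function Test-DirectSendSpoof {
    param([string]$RawHeaders)
    # Unfold RFC 5322 continuation lines so each header is a single line
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$matches[1].ToLower()] = $matches[2] }
    }
    $findings = @()
    if ($headers['authentication-results'] -match 'compauth=fail') { $findings += 'compauth=fail' }
    if ($headers['received-spf'] -match '^(fail|softfail|none)') { $findings += "spf=$($matches[1])" }
    if ($headers['received-spf'] -match 'client-ip=([\d.]+)') {
        if ($TrustedRelayIps -notcontains $matches[1]) { $findings += "untrusted-ip=$($matches[1])" }
    }
    # Internal-looking From plus a known lure subject is the combination that fools users
    $fromInternal = $headers['from'] -match "@$([regex]::Escape($TenantDomain))>?\s*$"
    $subjectLure  = [bool]($SubjectLures | Where-Object { $headers['subject'] -match $_ })
    if ($fromInternal -and $subjectLure) { $findings += 'internal-from+lure-subject' }
    [pscustomobject]@{
        Subject    = $headers['subject']
        Suspicious = ($fromInternal -and $findings.Count -gt 0)
        Findings   = $findings -join '; '
    }
}

# Constructed sample: spoofed "internal" message injected from an unknown relay
$sample = @"
Received-SPF: Fail (protection.outlook.com: domain of contoso.example does not designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=contoso.example;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none
 header.from=contoso.example; compauth=fail reason=001
From: Finance Desk <finance@contoso.example>
To: alice@contoso.example
Subject: Wire Authorization Approval 09/02/2025
"@
Test-DirectSendSpoof -RawHeaders $sample
```

Run it over headers exported from message trace or from reported messages; anything returning Suspicious = True with compauth=fail or an untrusted IP is a Direct Send candidate worth quarantining.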


Why This Matters to the Business

The technical aspect is only half the story. The real danger lies in how people respond:

  • Trust in internal email is broken. Once employees hesitate to believe internal messages, productivity slows.
  • Fraud risk rises. Finance approvals, task reminders, and voicemail notifications are prime lures.
  • Reputation is at stake. A successful phishing incident spreads beyond lost money; it damages client trust and partner confidence.
  • Attackers are adapting. Rather than going after passwords, attackers now exploit built-in cloud functions to slip past defenses.

For business leadership, this extends beyond an IT configuration matter; it’s a question of governance and overall resilience.


Mitigation, in Order of Impact

Retire or Replace Direct Send

  • Audit all devices and apps relying on Direct Send.
  • Where possible, migrate them to authenticated SMTP with modern authentication or Microsoft Graph API.
  • Decommission legacy senders that cannot be secured.

Tighten Mail Flow and Authentication

  • Restrict Direct Send to only trusted IPs through mail flow rules.
  • Enforce SPF with hard fail (-all).
  • Deploy DKIM and DMARC with reject policies and monitor reports.
  • Block unauthenticated relay IPs.

Strengthen Filtering and Monitoring

  • Configure transport rules to quarantine or flag messages where compauth=fail appears in headers.
  • Use layered filtering with Microsoft Defender for Office 365 or another trusted email security gateway.
  • Monitor mail flow for unusual spikes in internal-looking messages flagged as spoofed.
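The mail flow restrictions under "Tighten Mail Flow and Authentication" and the compauth=fail quarantine rule under "Strengthen Filtering and Monitoring" can be expressed as Exchange Online mail flow rules. This is an added example (not the post's own configuration) using the ExchangeOnlineManagement module; the domain, rule names and trusted relay IPs are constructed placeholders, and the rules start in Audit mode so that legitimate senders can be found before enforcement.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Constructed values: your accepted domain and the IPs of devices that still need Direct Send
$TenantDomain    = 'contoso.example'
$TrustedRelayIps = @('203.0.113.10', '203.0.113.11')

# Rule 1: an internal-domain sender address that arrives unauthenticated (the Direct Send
# path) from any IP outside the allow list is quarantined. FromScope NotInOrganization
# matches accepted-domain senders whose message was received anonymously.
New-TransportRule -Name 'Quarantine unauthenticated internal-domain senders' `
    -Priority 0 -Mode Audit `
    -FromScope NotInOrganization `
    -SenderDomainIs $TenantDomain `
    -ExceptIfSenderIpRanges $TrustedRelayIps `
    -Quarantine $true `
    -SetAuditSeverity High `
    -Comments 'Direct Send control; switch -Mode to Enforce after reviewing audit hits'

# Rule 2: close the "flagged but delivered to Junk" gap by quarantining anything that
# already failed composite authentication.
New-TransportRule -Name 'Quarantine compauth=fail' `
    -Priority 1 -Mode Audit `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'compauth=fail' `
    -Quarantine $true `
    -SetAuditSeverity High

# Confirm both rules exist and are still in Audit mode before promoting them to Enforce
Get-TransportRule | Where-Object { $_.Name -like 'Quarantine*' } |
    Select-Object Name, Priority, Mode, State

# Once every legacy sender has moved to authenticated SMTP or Graph, turn Direct Send off
# tenant-wide. This organization setting was introduced by Microsoft in 2025; check that
# it is present in your tenant before relying on it.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend
```

Review the audit hits for a week or two, add any legitimate relay IPs they reveal to the exception list, then change -Mode to Enforce.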

Train for “Internal” Skepticism

  • Incorporate internal spoofing examples into phishing awareness programs.
  • Encourage employees to report suspicious internal emails, even from known colleagues.
  • Reinforce that Junk is not a safe zone; it is still a risk channel.


90-Day Roadmap to Eliminate Direct Send Risks and Restore Internal Mail Trust

There’s no quick toggle to disable Direct Send across a live environment. The change needs to be deliberate, with each step grounded in the real dependencies it touches: apps, printers, workflows, and so on. This 90-day roadmap lays out what to inspect, what to block, and when to migrate. It’s not about perfection on day one. It’s about moving fast enough to reduce exposure without disrupting what people rely on every day to get their work done.

First 7 Days

  • List out every device, app, or system that still sends mail using Direct Send.
  • Review mail headers for compauth=fail events.
  • Apply temporary blocks or restrictions on unrecognized relay IPs.
  • Set up monitoring alerts for internal spoof attempts.

30 Days

  • Begin migrating printers, scanners, and applications to authenticated SMTP or Graph API.
  • Implement strict SPF, DKIM, and DMARC configurations.
  • Adjust mail flow rules to quarantine internal-looking spoof attempts.
  • Review DMARC reports weekly for unauthorized senders.

60–90 Days

  • Complete migration of remaining legacy systems.
  • Deprecate Direct Send wherever possible.
  • Formalize new change management practices for onboarding devices or applications needing mail capability.
  • Review metrics and tune policies to balance usability and protection.


Operational Metrics That Signal Risk Reduction (KPIs)

  • Reduction in unauthenticated internal-looking mail reaching user inboxes
  • Decline in compauth=fail messages delivered to Junk
  • Successful migration rate of devices and apps to authenticated sending
  • User-reported phishing incidents trending downward
  • Consistent alignment in DMARC reports with minimal rejections from legitimate sources


Where Infrassist Helps

Direct Send isn’t a hypothetical concern; it’s already being used in real attacks.

Treating it as a minor configuration quirk exposes both employees and leadership to unnecessary danger.

Infrassist helps organizations identify dependencies, migrate away from insecure relay practices, and implement sustainable mail security policies. Our team works with IT leaders to design an operations plan that balances usability with strong defenses.

If your organization still uses Direct Send, contact Infrassist for a targeted risk review and a clear roadmap to secure alternatives.

FAQ

Not always, but it should be retired wherever possible. If legacy systems require it, restrict use by IP and monitor continuously.

Migrate them to authenticated SMTP relay or Graph API. If unavoidable, keep them on tightly controlled IP ranges.

If configured correctly with proper alignment and sender updates, strict DMARC improves security without breaking mail. Regular monitoring is key.

Supplement email with secondary verification steps. Financial processes should never rely on unverified mail alone.

Milan Ramani

Director of Professional Services

Milan loves everything Professional and Premium. He’s got standards – he strives for nothing less than excellence – and he goes above and beyond to live up to it. If it’s top-tier, it’s Milan style.