
Phishing Campaign Abuses Microsoft 365’s Direct Send Feature to Target U.S. Organizations
Hackers have begun exploiting Microsoft 365’s little-known Direct Send functionality, turning it into a powerful tool for email-based phishing attacks. As reported by BleepingComputer, the Direct Send feature—intended for use by legacy devices like on-prem printers and scanners—is now being used to send convincing fake emails that appear to originate from legitimate company accounts.
Cybersecurity firm Varonis identified this tactic in an ongoing phishing campaign that has impacted around 70 companies since May 2025, with most victims located in the United States. The attackers use Direct Send to bypass standard email filtering, crafting messages that contain links to fraudulent Microsoft login pages. When unsuspecting recipients enter their credentials, those details are captured and sent to the attackers.
Microsoft acknowledges that Direct Send can be a secure feature but stresses that it requires careful configuration, including the proper lockdown of smart hosts to prevent abuse. “We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins,” the company said in a statement.
To reduce the risk of such attacks, Microsoft rolled out a “Reject Direct Send” option in the Exchange Admin Center earlier this year. Enabling this setting effectively blocks unauthorized use of the feature and is strongly advised for organizations that are not actively using Direct Send with a secure configuration.
Experts warn that as phishing tactics grow more sophisticated, even rarely used enterprise features can become liabilities if not properly monitored and managed.

