I came across an interesting article from Dark Reading titled “Phishers Abuse Microsoft 365 to Spoof Internal Users” that I wanted to talk about. You can read about it here where the “Direct Send feature simplifies internal message delivery for trusted systems, and the campaign successfully duped both Microsoft Defender and third-party secure email gateways”.
As attackers keep finding new ways to go after Microsoft 365, picture this: you open your inbox on a busy Monday morning and see an urgent email from your CFO. The sender address is perfect, the tone matches their usual style, and the message asks for a quick, time-sensitive transaction. It's not unusual; executives often reach out directly for approvals. Without thinking twice, you hit reply to confirm. But the truth is far more alarming: that message didn't come from your CFO, or from anyone inside your organization. It originated from an external attacker who found a way to imitate their email address. By the time you realize the deception, the damage may already be done.
What’s Happening Behind the Scenes
This type of attack leverages a feature in Microsoft 365 called Direct Send, which is designed to make life easier for internal systems. Direct Send allows printers, scanners, and certain line-of-business applications to send email without the full burden of authentication protocols like SPF, DKIM, or DMARC. In theory, this is a convenience: internal devices can communicate without complex configuration. However, recent research shows that attackers have learned to exploit predictable smart host addresses and insufficiently restricted connection rules to send messages that appear to be internal. Because these emails don’t pass through the same external mail filters, they can arrive looking trustworthy—and slip right past both Microsoft Defender and secure email gateways.
Traditional Defenses Fail
Email authentication protocols are the industry's frontline defenses against phishing. SPF checks whether the sending server's IP address is allowed to send mail for a given domain. DKIM uses cryptographic signatures to ensure the email content hasn't been altered. DMARC builds on these, specifying what to do if SPF or DKIM checks fail. But Direct Send operates in a way that sidesteps these checks entirely: there is nothing for SPF to verify, no DKIM signature to validate, and DMARC sees the message as internally sourced. The end result? An attacker can craft an email that looks exactly like it came from your CEO or IT team, and none of your perimeter defenses will flag it.
Organizations that rely on Direct Send should immediately review whether it's truly necessary. In many cases, it can be disabled outright, with multifunction devices and apps reconfigured to use authenticated SMTP relay instead. For organizations that must keep Direct Send, it's crucial to restrict accepted connections to known, trusted IP addresses, for example those belonging to your corporate network or VPN. Implementing a strict DMARC policy set to "reject" can also prevent spoofed messages from being delivered to inboxes. Another effective tactic is header stamping, in which your email system inserts a unique identifier into every legitimate internal message. Any incoming email that claims to be internal but lacks the proper header can be quarantined or rejected.
You can't literally "turn off" Direct Send with a single on/off toggle in Microsoft 365, because it isn't a separate feature you enable; it's simply Microsoft's term for sending mail from devices or apps directly to Exchange Online over port 25 without authentication.
That said, you can effectively block or control it so attackers can't exploit it: restrict SMTP relay to trusted sources only, disable SMTP client submission where possible, require authenticated submission instead, and block external-to-internal spoofing with mail flow rules.
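The header-stamping and mail flow rule controls described above, as an added example written for this post rather than taken from the Dark Reading article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module; the domain 'contoso.example', the two subnets and the header name 'X-Contoso-Internal' are placeholders to replace with your own.

```powershell
# Added example, not from the article: Exchange Online mail flow rules that
# (1) stamp a private header on mail from authenticated internal senders and
# (2) reject mail that claims our domain but arrives unauthenticated from
#     anywhere outside the subnets approved for Direct Send devices.
# Placeholders (assumed): domain 'contoso.example', the two subnets, and the
# header name 'X-Contoso-Internal'. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$InternalDomain          = 'contoso.example'
$TrustedDirectSendRanges = @('203.0.113.0/24', '198.51.100.0/24')  # constructed
$StampHeader             = 'X-Contoso-Internal'

# Rule 0: strip the marker from anything arriving from outside the tenant, so an
# external sender cannot pre-set it and pass a downstream "has stamp" check.
New-TransportRule -Name 'Strip internal stamp from external mail' -Priority 0 `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader $StampHeader -HeaderContainsWords 'authenticated' `
    -RemoveHeader $StampHeader

# Rule 1: header stamping. Only mail from an authenticated sender inside the
# tenant gets the marker. Mail from the approved Direct Send devices is
# anonymous and therefore not stamped; the IP exception in rule 2 covers it.
New-TransportRule -Name 'Stamp authenticated internal mail' -Priority 1 `
    -FromScope InOrganization `
    -SetHeaderName $StampHeader -SetHeaderValue 'authenticated'

# Rule 2: Direct Send connections are anonymous, so Exchange classifies the
# sender as outside the organization even when the From domain is ours.
# Allow that only from the approved device subnets; reject everything else
# with a 5.7.1 so the sending host (and your logs) record the refusal.
New-TransportRule -Name 'Reject unauthenticated mail spoofing our domain' -Priority 2 `
    -FromScope NotInOrganization `
    -SenderDomainIs $InternalDomain `
    -ExceptIfSenderIpRanges $TrustedDirectSendRanges `
    -RejectMessageReasonText 'Unauthenticated mail claiming an internal sender is not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# While inventorying which devices still need Direct Send, swap the reject
# action in rule 2 for -Quarantine so you can review hits before blocking.

# Confirm the rules landed in the intended order.
Get-TransportRule | Where-Object { $_.Name -match 'internal|spoofing' } |
    Select-Object Priority, Name, State, Mode
```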
Staying Ahead
Once the basics are covered, security teams should implement more sophisticated layers of defense. Anomaly detection systems can analyze email headers and flag inconsistencies such as internal-looking emails that originated from unfamiliar IP ranges or countries. Microsoft 365’s mail flow rules can be configured to require TLS encryption and authenticated senders for all messages claiming to be from your own domain. Behavioral monitoring can detect unusual patterns, such as a sudden spike in “internal” messages from a device that normally sends only a handful of emails per week. Restricting Direct Send ingestion to explicitly whitelisted subnets ensures that no external system can masquerade as an internal sender without passing through your controlled entry points.
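The header and volume anomaly checks described above, as an added hunting script written for this post (not from the article): it pulls the last week of Exchange Online message trace, keeps rows whose sender claims the internal domain but whose connecting IP is outside the approved Direct Send subnets, and summarises them per source IP so a host that suddenly sends in volume stands out. 'contoso.example' and the two subnets are assumed placeholders.

```powershell
# Added example, not from the article: hunt the last 7 days of Exchange Online
# message trace for mail whose sender claims our domain but which entered from
# IP space outside the ranges approved for Direct Send, then summarise per
# source IP so a device (or attacker host) that suddenly sends in volume stands out.
# Placeholders (assumed): 'contoso.example' and the two subnets. Get-MessageTrace
# keeps roughly 10 days of history and returns at most 5000 rows per page.
Connect-ExchangeOnline

$InternalDomain = 'contoso.example'
$TrustedRanges  = @('203.0.113.0/24', '198.51.100.0/24')  # constructed placeholders

function ConvertTo-IPv4Int {
    param([string]$Address)
    [long]$n = 0
    foreach ($b in ([System.Net.IPAddress]$Address).GetAddressBytes()) {
        $n = ($n -shl 8) -bor $b
    }
    return $n
}

function Test-IPv4InRanges {
    param([string]$Address, [string[]]$Cidrs)
    # IPv6 connecting hosts are outside our IPv4 allow-list by definition.
    if (([System.Net.IPAddress]$Address).AddressFamily -ne 'InterNetwork') { return $false }
    $ip = ConvertTo-IPv4Int $Address
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr.Split('/')
        $mask = ([long]1 -shl 32) - ([long]1 -shl (32 - [int]$bits))
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) { return $true }
    }
    return $false
}

$end = Get-Date; $start = $end.AddDays(-7)
$suspects = @(); $page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    foreach ($m in $batch) {
        # Rows with no connecting IP give us nothing to evaluate; a sender in our
        # domain arriving from an unapproved IP is the anonymous/Direct Send case.
        if ($m.SenderAddress -like "*@$InternalDomain" -and $m.FromIP -and
            -not (Test-IPv4InRanges -Address $m.FromIP -Cidrs $TrustedRanges)) {
            $suspects += $m
        }
    }
    $page++
} while ($batch.Count -eq 5000)

# Volume per source IP: a printer that normally sends a handful of messages a
# week does not produce hundreds of "internal" messages in a day.
$suspects | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, @{n='FromIP';e={$_.Name}},
        @{n='Senders';e={($_.Group.SenderAddress | Sort-Object -Unique) -join ', '}},
        @{n='FirstSeen';e={$_.Group.Received | Sort-Object | Select-Object -First 1}}
```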
Even the most advanced technical controls can't stop every attempt, which makes human awareness critical. Employees should be trained to question internal-looking emails that contain unusual requests, especially those involving money transfers, credential resets, or sensitive data. Awareness programs should emphasize that internal spoofing is possible and should include examples of how to spot it, such as checking for subtle header discrepancies or unexpected file attachments. Running internal phishing simulations that mimic this tactic can help employees build recognition skills in a safe environment. Finally, a well-documented incident response plan should outline exactly what to do if an employee suspects they've received or acted on a spoofed email. Speed matters in these cases, and having predefined steps can limit the damage.
Internal email spoofing attacks represent a dangerous evolution in phishing tactics because they target the very foundation of workplace trust. By blending into legitimate internal communications, these attacks bypass many of the defenses organizations rely on. Protecting against them requires a combination of tight technical controls, smart detection systems, and a vigilant, well-trained workforce. The lesson is clear: in today’s threat landscape, even an email from “yourself” can’t be trusted without verification.
In the war against phishing, trust is no longer automatic—it must be verified, every time.