Spoofed from Within: Hackers Abuse Microsoft’s ‘Direct Send’ to Launch Insider-Looking Phishing Attacks
- Cyber Jill
- Jun 26
- 3 min read
A little-known email feature buried inside Microsoft 365 is now at the center of a stealthy, fast-spreading phishing campaign targeting dozens of U.S. organizations.
Security researchers at Varonis have uncovered an emerging threat abusing Microsoft’s “Direct Send” functionality—a legitimate feature designed to allow devices like printers and copiers to email users without authentication. But in the wrong hands, it becomes a powerful tool for attackers to impersonate insiders, bypass email defenses, and deliver convincing phishing lures.
More than 70 organizations have already been hit in a campaign that began in May and continues with alarming consistency. “The simplicity of this attack is what makes it so dangerous,” said Michael Solomon, who led forensic analysis at Varonis. “You don’t need credentials, malware, or even access to the target environment. All you need is a public IP and a basic PowerShell script.”
The Exploit: How Direct Send Became a Weapon
In Microsoft 365, Direct Send enables internal devices to email users without login credentials. While that sounds convenient for sending out printer alerts or automated notifications, the system doesn’t authenticate the sender. If an attacker knows a company’s domain and can guess a valid email address (a low bar in most cases), they can send spoofed emails directly into the inboxes of employees—emails that look like they were sent from inside the network.
The Varonis team observed attackers using PowerShell to send internal-looking phishing messages from foreign IP addresses—often with subject lines like “New Missed Fax-msg” or “Caller Left VM Message.” In one case, emails came from a Ukrainian IP address with no associated login activity, raising red flags.
Through the Backdoor: Why Defenses Fail
The phishing emails, which often included QR codes leading to credential-harvesting pages, passed through Microsoft’s infrastructure and were treated as internal-to-internal traffic. That means:
- Microsoft’s spam filters didn’t flag them
- Third-party email gateways missed them
- Authentication checks like SPF, DKIM, and DMARC failed silently
“These emails look like they’re coming from a trusted colleague or internal system,” said Solomon. “It’s the perfect camouflage.”
In forensic samples reviewed by Varonis, messages lacked proper authentication, had spoofed headers, and showed signs of scripting automation—yet they were still delivered. One key indicator: users appeared to be emailing themselves, a telltale sign of automation abuse.
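The traits listed above can be turned into a header-level triage check. The following Python is an added illustration, not code from the article or from Varonis: it parses a raw message and flags an internal From domain arriving from an IP outside the known device ranges, an SPF result other than pass, a self-addressed message, and a fax/voicemail subject. The tenant domain, the trusted device range and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

ORG_DOMAIN = "example.com"  # assumption: the tenant's own accepted domain
# Assumption: address space of the organisation's legitimate Direct Send devices (printers, scanners)
TRUSTED_DEVICE_NETS = [ip_network("10.20.0.0/16")]
LURE_SUBJECT = re.compile(r"fax-msg|vm message|fax received|voicemail", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def _connecting_ip(msg):
    # The first Received header is the hop stamped at the tenant edge; take its bracketed IP.
    for hop in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return ip_address(m.group(1))
    return None

def _auth_results(msg):
    res = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for mech, verdict in AUTH_RESULT.findall(hdr):
            res[mech.lower()] = verdict.lower()
    return res

def direct_send_findings(raw):
    """Suspicious traits of an internal-looking message; an empty list means nothing unusual."""
    msg = message_from_string(raw)
    sender, recipient = msg.get("From", ""), msg.get("To", "")
    if sender.rsplit("@", 1)[-1].strip("<> \t").lower() != ORG_DOMAIN:
        return []  # does not claim to be internal; outside this check's scope
    findings, ip, auth = [], _connecting_ip(msg), _auth_results(msg)
    if ip is None or not any(ip in net for net in TRUSTED_DEVICE_NETS):
        findings.append(f"internal From but untrusted source IP {ip}")
    if auth.get("spf") != "pass":
        findings.append(f"SPF did not pass (spf={auth.get('spf', 'none')}, dmarc={auth.get('dmarc', 'none')})")
    if sender.strip().lower() == recipient.strip().lower():
        findings.append("self-addressed (user apparently emailing themselves)")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("fax/voicemail lure subject")
    return findings

# Constructed samples, not real campaign traffic; 203.0.113.0/24 is a documentation range.
PHISH_SAMPLE = ("Received: from 203.0.113.45 (unknown [203.0.113.45]) by mx.example.com with SMTP\n"
                "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail\n"
                "From: jane.doe@example.com\nTo: jane.doe@example.com\nSubject: New Missed Fax-msg (2 pages)\n")
PRINTER_SAMPLE = ("Received: from mfp-3f (mfp-3f.example.com [10.20.5.7]) by mx.example.com with SMTP\n"
                  "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=none; dmarc=pass\n"
                  "From: printer@example.com\nTo: jane.doe@example.com\nSubject: Scanned document from MFP-3F\n")
```

Run over a mailbox export, a non-empty result is a triage signal rather than a verdict; the device ranges and lure patterns should be tuned to the environment.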
The Lure: QR Codes, Voicemails, and Stolen Credentials
The phishing payload was often a PDF attachment with a QR code. Scanning it redirected users to malicious sites mimicking Microsoft 365 login pages. This tactic, known as “quishing,” is gaining traction as users grow wary of traditional links but remain trusting of QR codes.
Varonis identified phishing domains hosted on Firebase and other dynamic services, making them harder to block with static domain lists.
Why It Matters: Internal Trust, Externally Exploited
Direct Send abuse upends the long-standing assumption that emails coming from inside a network—or appearing to—are safe. This campaign proves otherwise.
“If you’re not inspecting email headers or correlating user agent behavior, these attacks will slip through unnoticed,” said Solomon. “It’s time to retire the idea that ‘internal equals trusted.’”
Defense: How to Shut Down the Direct Send Loophole
Security teams are urged to take immediate action:
- Disable Direct Send if not actively used, via the Exchange Admin Center.
- Implement DMARC with a reject policy to prevent spoofing of internal domains.
- Configure Exchange Online Protection to hard-fail SPF checks.
- Use anti-spoofing policies and quarantine suspicious messages with internal senders that fail authentication.
- Train employees to recognize quishing attacks, especially those using PDF or voicemail-themed lures.
- Enforce MFA and Conditional Access to reduce impact if credentials are compromised.
Indicators of Compromise (IOCs)
IP Range: 139.28.X.X
Malicious Domains:
- voice-e091b.firebaseapp[.]com
- mv4lh.bsfff[.]es
Subject Lines Used:
- “New Missed Fax-msg (2 pages)”
- “Caller Left VM Message”
- “Fax Received: Attached document for review REF”
Attachments:
- Filenames with “Fax-msg” or “Listen”
Looking Ahead
As more organizations adopt cloud-first models, attackers are shifting tactics to exploit cloud-native features like Direct Send—tools never intended for hostile use. This campaign signals a broader challenge: threat actors no longer need to breach your perimeter to act like insiders.
“The line between internal and external threats is blurring,” said Solomon. “If your detection strategy still draws that line, you’re playing a dangerous game.”