
Critical Misconfiguration: M365 Direct Send Exposes Tenants to Untraceable Internal Phishing

Following recent security assessments, the Echelon STaaS team (Security Team as a Service) has identified an immediate and critical misconfiguration within many Microsoft 365 environments that allows threat actors to execute devastating internal phishing attacks. 

This vulnerability leverages a legitimate M365 feature called Direct Send (Scenario 1) and is currently being actively abused across various sectors. For organizations using Microsoft 365, it's necessary to take immediate action. 

The Threat: Bypassing Security with Direct Send Abuse 

Microsoft 365’s Direct Send feature is designed to allow applications, network devices (like multifunction printers), and services to relay emails directly to user mailboxes without needing full sender authentication or a licensed mailbox. While intended for convenience, a common misconfiguration of this feature creates a critical vulnerability: 

How Threat Actors Exploit This: 

Spoofing Internal Senders: 

An external attacker connects directly to a tenant's M365 SMTP endpoint (e.g., tenantname.mail.protection.outlook.com). 

Bypassing Perimeter Defense: 

Because the email is being routed through Microsoft’s infrastructure and targeting an internal mailbox, the message is often treated as internal traffic.

This causes the email to bypass perimeter defenses such as SPF, DKIM, and DMARC checks, as well as third-party security layers designed to vet external mail.

Untraceable Phishing: 

The attacker can successfully send emails that appear to originate from any internal user, from the CEO to an HR representative, without ever compromising an internal account. 

Impact: 

This technique delivers hyper-convincing phishing lures, including credential harvesting pages or malware payloads, directly to employees' inboxes, leading to credential theft, Business Email Compromise (BEC), and fraud.

This is a configuration error that gives attackers a trusted path straight into your organization's inboxes. 

Our PoC and Immediate Remediation Steps 

1. The first step in addressing this risk is validation. 

  • The Echelon STaaS team has developed a small, non-malicious Proof-of-Concept (PoC) script that replicates an unauthenticated external sender attempting to connect to your Direct Send endpoint and spoof an internal user. 

    We strongly recommend running this PoC against your domain to definitively confirm your exposure. Contact us to receive the necessary validation tools and guidance. 

2. Immediate Remediation: Disabling or Restricting Direct Send

  • If you have confirmed that your M365 tenant is exposed, the primary method of mitigation is to either disable the feature entirely or implement strict controls. 

    Option A: Disable Direct Send (Most Secure) 

    This is the recommended action if you do not have devices (like multifunction printers) or applications relying on the legacy Direct Send feature. This prevents any unauthenticated external mail from using your M365 smart host endpoint. 

    Use PowerShell to connect to Exchange Online and run the following command: 


    Option B: Restrict with Inbound Connector (If Required) 

    If business necessity demands the use of Direct Send, you must strictly restrict its use to known, authorized IP addresses. 

  1. Identify Authorized IPs: Gather all public IP addresses that legitimately send mail using Direct Send (e.g., your office's external IP address).
  2. Create a Dedicated Connector: In the Exchange Admin Center (EAC), create a new inbound connector specifically for your organization's environment.
  3. Restrict Scope: Configure this new connector to only accept mail from the authorized list of public IP addresses identified in Step 1.
  4. Enforce Authentication: Although this goes beyond Direct Send itself, we recommend transitioning as many devices as possible to authenticated SMTP relay instead of unauthenticated Direct Send.
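The following Exchange Online PowerShell script is an added example that is not part of the original post and is not Echelon's validation tooling. It walks through the remediation steps above in order: record the tenant's current Direct Send posture, apply Option A (reject unauthenticated Direct Send tenant-wide), and apply Option B (an inbound connector scoped to the authorized source IPs gathered in Step 1). The admin UPN and the IP addresses are constructed placeholders. The script assumes the ExchangeOnlineManagement module, the `RejectDirectSend` setting on `Set-OrganizationConfig`, and that mail arriving through a matching inbound connector is not classified as Direct Send; pairing the two options, so that the connector admits only the known devices while everything else is rejected, is this example's design choice rather than a statement from the post.

```powershell
# Added example: apply the Direct Send remediation steps in Exchange Online.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
# Placeholder values (UPN, IP addresses) are constructed for illustration.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Step 0: capture the current state before changing anything, so the
# before/after can be kept with the change record.
function Get-DirectSendPosture {
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        RejectDirectSend  = $org.RejectDirectSend   # True = Option A already in place
        InboundConnectors = Get-InboundConnector |
            Select-Object Name, Enabled, ConnectorType, SenderIPAddresses, SenderDomains
    }
}

# Option A: reject mail that arrives via unauthenticated Direct Send.
function Disable-DirectSend {
    Set-OrganizationConfig -RejectDirectSend $true
    # Return the setting so the caller can confirm it took effect.
    (Get-OrganizationConfig).RejectDirectSend
}

# Option B: a Partner inbound connector that only covers the authorized
# public IPs identified in Step 1. With Option A enabled, anything not
# matching this connector is rejected (assumed behaviour: mail matched by an
# inbound connector is not treated as Direct Send).
function New-AuthorizedDirectSendConnector {
    param(
        [Parameter(Mandatory)] [string[]] $AuthorizedIPs,   # office egress IPs, printers, etc.
        [string] $Name = 'Authorized Direct Send Devices',
        [bool]   $RequireTls = $true                        # set $false only for devices that cannot do TLS
    )
    New-InboundConnector -Name $Name `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -SenderIPAddresses $AuthorizedIPs `
        -RequireTls $RequireTls `
        -Enabled $true
}

# Usage with constructed placeholder IPs (RFC 5737 documentation range).
Write-Host '--- Before ---'
Get-DirectSendPosture | Format-List

$applied = Disable-DirectSend
Write-Host "RejectDirectSend is now: $applied"

New-AuthorizedDirectSendConnector -AuthorizedIPs @('203.0.113.10', '203.0.113.11') | Out-Null

Write-Host '--- After ---'
Get-DirectSendPosture | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Run `Get-DirectSendPosture` on its own first and keep the output; it is the evidence that the tenant was exposed (`RejectDirectSend` False, no IP-scoped connector) and the baseline to compare against after the change. Leave the connector list empty and run only `Disable-DirectSend` if no device or application still depends on Direct Send, and treat the connector as a stopgap until those devices are moved to authenticated SMTP relay as Step 4 recommends.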


For more detailed information on this configuration and other related M365 security hardening steps, please be sure to reach out with any questions you may have. 


Echelon STaaS: Beyond the Quick Fix 

Finding and patching a critical configuration error like the M365 Direct Send vulnerability is only the first step. The existence of this gap highlights the need for continuous, proactive security assurance. 

The Role of Echelon STaaS in Proactive Defense 

Our Security Team as a Service (STaaS) model is specifically designed to address these silent configuration risks before they are exploited. We provide your organization with the expertise, tooling, and continuous monitoring necessary to evolve your security posture, acting as an extension of your existing team. 

With Echelon STaaS, we help you: 

  • Continuous Configuration Audits: Proactively audit complex environments like M365, Azure, and AWS for misconfigurations, excessive permissions, and unused legacy features that become attack vectors.
  • External Attack Surface Management (EASM): Continuously monitor your public-facing infrastructure (like M365 endpoints) to immediately spot new exposures or unintended information disclosure.
  • Proactive Threat Hunting: Move beyond simple logging and actively hunt for indicators of compromise (IOCs) and emerging attack techniques that bypass standard security tools.
  • Formalize and Document: Create policies and procedures that will help enforce better security hygiene throughout the organization. 


This Direct Send misconfiguration is a perfect example of a high-impact risk that continuous security oversight can eliminate. 

If you are concerned about your M365 exposure or need expert guidance on hardening your cloud configurations, please contact us immediately to engage our STaaS team. 

Are you ready to get started?