Scammers Use Microsoft 365 Direct Send to Spoof Emails Targeting US Firms

Scammers are exploiting Microsoft 365 Direct Send to spoof internal emails targeting US firms bypassing security filters with phishing attacks using fake voicemails and QR codes.

Cyber security researchers at Varonis Threat Labs have exposed a sophisticated new phishing campaign that exploits a little-known feature within Microsoft 365 to deliver malicious emails.

This attack, which started in May 2025 and has remained consistently active, has already targeted over 70 organizations, 95% of them US-based.

The unique aspect of this campaign is its ability to “spoof internal users without ever needing to compromise an account,” making it particularly difficult for traditional email security systems to detect, researchers noted in the blog post shared with Hackread.com.

The campaign leverages Microsoft 365’s Direct Send feature, designed for internal devices like printers to send emails without requiring user authentication. According to Varonis, attackers are abusing this feature.

Tom Barnea, from Varonis Threat Labs, highlighted in the report that this method works because “no login or credentials are required.” Threat actors simply need a few publicly available details, such as a company’s domain and internal email address formats, which are often easy to guess.

By using Direct Send, criminals can craft emails that appear to originate from within an organization, even though they are sent from an external source. This allows the malicious messages to bypass common email security checks, as they are often treated by Microsoft’s own filters and third-party solutions as legitimate internal communications.

Furthermore, Varonis observed that these spoofed emails often mimic voicemail notifications, containing a PDF attachment with a QR code. Scanning this QR code directs victims to a fake Microsoft 365 login page designed to steal credentials.

(Image: Varonis)

Organizations need to be vigilant to detect this new form of attack. Varonis advises checking email message headers for signs like external IP addresses sending to a Microsoft 365 “smart host” (e.g., tenantname.mail.protection.outlook.com), or failures in authentication checks like SPF, DKIM, or DMARC for internal domains. Behavioural clues, such as emails sent from a user to themselves or messages originating from unusual geographical locations without any corresponding login activity, are also strong indicators.
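The header checks Varonis describes can be scripted against exported message headers. The following is an added example written for this article, not Varonis' own tooling: it parses raw headers with Python's standard library and reports three of the signs listed above (an external IP handing the message to a tenantname.mail.protection.outlook.com smart host, SPF/DKIM/DMARC not passing on a message whose From domain is one of the organization's own, and a self-addressed message). The two sample messages, the contoso.com domain, the contoso-com smart-host name and the 203.0.113.45 relay address are all constructed for the example.

```python
"""Flag Microsoft 365 Direct Send spoofing indicators in raw message headers.

Added example (not Varonis' code). Domains, hosts and samples are constructed.
"""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address, ip_network

# "by <tenant>.mail.protection.outlook.com" is the Exchange Online smart host hop.
SMART_HOST_RE = re.compile(r"\bby\s+([\w.-]+\.mail\.protection\.outlook\.com)\b", re.I)
BRACKET_IP_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]")
# Ranges that never count as "external" for the Received-hop check.
NON_EXTERNAL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def is_external(addr: str) -> bool:
    """True for any routable address outside private/loopback/link-local space."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NON_EXTERNAL)


def analyze_headers(raw: str, internal_domains) -> dict:
    """Return {indicator: detail} for each Direct Send sign found in the headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    internal = {d.lower() for d in internal_domains}
    findings = {}

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    to_addrs = {a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])}

    # 1. External IP connecting straight to the tenant smart host: the Direct Send path.
    for hop in msg.get_all("Received", []):
        host = SMART_HOST_RE.search(str(hop))
        ip = BRACKET_IP_RE.search(str(hop))
        if host and ip and is_external(ip.group(1)):
            findings["external_to_smart_host"] = f"{ip.group(1)} -> {host.group(1)}"
            break

    # 2. SPF/DKIM/DMARC not passing although the From domain is one of ours.
    if from_domain in internal:
        auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
        failed = []
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=([a-z]+)", auth, re.I)
            if m and m.group(1).lower() != "pass":
                failed.append(f"{mech}={m.group(1).lower()}")
        if failed:
            findings["auth_failure_internal_domain"] = ", ".join(failed)

    # 3. A user mailing themselves, a behavioural clue the report highlights.
    if from_addr and from_addr in to_addrs:
        findings["self_addressed"] = from_addr
    return findings


def is_suspected_direct_send_spoof(raw: str, internal_domains) -> bool:
    """The smart-host hop alone is decisive; auth failure plus self-addressing also triggers."""
    f = analyze_headers(raw, internal_domains)
    return "external_to_smart_host" in f or (
        "auth_failure_internal_domain" in f and "self_addressed" in f)


# Constructed sample: spoofed "voicemail" delivered via Direct Send.
SAMPLE_DIRECT_SEND = """\
Received: from mail-relay.example.net ([203.0.113.45]) by
 contoso-com.mail.protection.outlook.com (10.1.2.3) with Microsoft SMTP Server;
 Mon, 12 May 2025 09:14:02 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com
From: Jane Doe <jane.doe@contoso.com>
To: jane.doe@contoso.com
Subject: New Voicemail Message
Content-Type: text/plain

You have a new voicemail. Open the attached PDF.
"""

# Constructed sample: ordinary internal mail between two mailboxes.
SAMPLE_LEGIT = """\
Received: from mailbox-a.internal.example (mailbox-a.internal.example) by
 mailbox-b.internal.example with HTTPS; Mon, 12 May 2025 09:20:11 +0000
Authentication-Results: spf=pass smtp.mailfrom=contoso.com; dkim=pass
 header.d=contoso.com; dmarc=pass action=none header.from=contoso.com
From: Jane Doe <jane.doe@contoso.com>
To: Bob Smith <bob.smith@contoso.com>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("direct-send", SAMPLE_DIRECT_SEND), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspected_direct_send_spoof(raw, ["contoso.com"]),
              analyze_headers(raw, ["contoso.com"]))
```

Feed it the raw header block of a suspect message (exported from Exchange Online message trace or a mail client) together with your own accepted domains; a true result warrants the follow-up the report suggests, checking sign-in logs for activity that matches the sending location.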

To prevent falling victim, Varonis recommends enabling the Reject Direct Send setting in the Exchange Admin Center and implementing a strict DMARC policy. User education is key, particularly warning staff about the dangers of QR code attachments in Quishing (QR Phishing) attacks.

Finally, enforcing Multi-Factor Authentication (MFA) for all users and having Conditional Access Policies in place can protect accounts even if credentials are stolen through these sophisticated phishing attempts.
