Phishing scams are getting smarter, and harder to spot. A new report from cybersecurity firm Proofpoint describes how attackers are abusing a seemingly harmless Microsoft 365 feature, known as Direct Send, to make malicious emails appear to come from inside your organization.
Because the spoofed messages carry an internal sender address, they slip past controls and habits that treat internal mail as trusted, and they exploit employees' natural confidence in communications from colleagues. If your inbox is flooded with task reminders, voicemail notifications, or wire transfer requests, take a second look before clicking.
How the Abuse Works
Direct Send is the option Microsoft 365 offers for devices and applications such as printers, scanners, and line-of-business apps to email documents to people in the same tenant: the device hands the message over plain SMTP (port 25) to the tenant's MX endpoint, with no mailbox, login, or password required, and the message is accepted as long as the recipient belongs to the tenant. That is exactly the property attackers have learned to weaponize. Here is a simplified breakdown of the attack chain as the report describes it:
- The attacker operates from a server running Windows Server 2022.
- The emails are routed through unsecured third-party SMTP relays listening on non-standard ports (8008, 8010, 8015), and the final hop is the target tenant's own Direct Send endpoint, which accepts them without any credentials.
- The messages are crafted to look like internal mail, complete with business-like subjects such as "task reminders" or "wire authorizations" and a From address in the victim's own domain.
- Even worse, the sending infrastructure uses valid TLS certificates issued by DigiCert, so it passes superficial reputation and certificate checks.
Because the sending IP is not one the organization's SPF record authorizes, Microsoft 365 will often mark these messages as failing authentication and route them to the junk folder. That is frequently not enough: many users still check their junk folders, and a convincingly spoofed "internal" message about payroll or a wire approval is easy to fall for once it is opened.
Why This Matters: Cloud Services as Attack Vectors
This isn’t just another phishing campaign—it’s part of a broader trend of cybercriminals leveraging trusted cloud platforms like Microsoft 365, Google Workspace, and others to carry out attacks.
As the Proofpoint report warns, “The abuse of Microsoft 365’s Direct Send feature is not just a technical flaw. It’s a strategic risk to an organization’s trust and reputation.”
What makes this threat particularly dangerous is that it does not rely on breaking into anything. No account is compromised and no vulnerability is exploited; a documented feature is simply used in a way its designers did not intend. That makes the activity harder to distinguish from legitimate device traffic and easy to scale.
How to Defend Your Organization
Fortunately, there are concrete steps companies can take to protect themselves:
- Audit your email infrastructure for unsecured or unused SMTP relays, including relays listening on non-standard ports.
- Disable Direct Send if it is not actively used in your environment. Exchange Online now exposes a tenant-wide "Reject Direct Send" setting (`Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell); devices that genuinely need to send mail can use authenticated SMTP client submission or a connector instead.
- Enforce email authentication: publish an SPF record that ends in `-all`, sign outbound mail with DKIM, and move DMARC to `p=reject` so that mail claiming your domain from an unauthorized source is rejected rather than merely junked.
- Educate employees to recognize phishing red flags, even in seemingly "internal" emails, and to treat wire or credential requests that arrive unexpectedly with the same suspicion as external mail.
If you rely on security appliances or relays that have not been updated in a while, now is a good time to recheck their listening ports and TLS configuration. Expired or self-signed certificates are a sign of neglected infrastructure, and neglected infrastructure is what attackers look for when they need a relay to hide behind; remember, too, that a valid certificate on a sending host says nothing about whether its mail is legitimate.
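The attack chain above and the defensive checklist both come down to one observable fact: a message whose From address is in your own domain, but which arrived from an IP your SPF record does not authorize and which neither SPF nor DKIM vouches for. The following triage script is an added example for this article, not code from Proofpoint or Microsoft. It parses the `Authentication-Results` header in the layout Exchange Online uses and flags messages with that signature. The tenant domain (`contoso.com`), the authorized sending range (`198.51.100.0/24`) and the three sample messages are constructed placeholders.

```python
"""Flag messages that claim an internal sender but arrived unauthenticated,
the shape that Direct Send abuse leaves behind in the headers."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholder tenant data for this example: domains the organization owns and the
# sender networks its SPF record authorizes (the MFP subnet, the on-prem MTA, etc.).
ORG_DOMAINS = {"contoso.com"}
AUTHORISED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)
HEADER_FROM_RE = re.compile(r"header\.from=([\w.-]+)", re.I)
SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-f.:]+)", re.I)


def parse_auth_results(value):
    """Extract per-mechanism results, the aligned From domain and the connecting IP
    from an Authentication-Results header in Exchange Online's layout."""
    results = {mech.lower(): res.lower() for mech, res in AUTH_RE.findall(value)}
    m = HEADER_FROM_RE.search(value)
    results["header_from"] = m.group(1).lower() if m else ""
    m = SENDER_IP_RE.search(value)
    results["sender_ip"] = m.group(1) if m else ""
    return results


def ip_is_authorised(ip_text):
    """True if the connecting IP is inside a range our SPF record authorizes."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORISED_NETS)


def classify(raw_message):
    """Return a verdict and the reasons behind it for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_internal = from_domain in ORG_DOMAINS or auth["header_from"] in ORG_DOMAINS
    if not claims_internal:
        return {"verdict": "external", "reasons": []}

    reasons = []
    if auth.get("spf") != "pass":
        reasons.append(f"spf={auth.get('spf', 'none')}")
    if auth.get("dkim") != "pass":
        reasons.append(f"dkim={auth.get('dkim', 'none')}")
    if auth["sender_ip"] and not ip_is_authorised(auth["sender_ip"]):
        reasons.append(f"sender IP {auth['sender_ip']} not in authorised ranges")

    # Internal From address, yet neither SPF nor DKIM vouches for it: the message
    # was handed to the tenant without credentials from a host we never authorized.
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        return {"verdict": "suspect-direct-send", "reasons": reasons}
    return {"verdict": "internal-authenticated", "reasons": reasons}


# Constructed sample messages (not real captures); header values follow the
# Exchange Online Authentication-Results layout but are illustrative only.
SPOOFED = "\n".join([
    "From: Payroll <payroll@contoso.com>",
    "To: alice@contoso.com",
    "Subject: Wire authorization required today",
    "Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com;"
    " dkim=none (message not signed); dmarc=fail action=oreject header.from=contoso.com;"
    " compauth=fail reason=001",
    "",
    "Please approve the attached wire before 5pm.",
])
INTERNAL_OK = "\n".join([
    "From: Scanner <scanner@contoso.com>",
    "To: alice@contoso.com",
    "Subject: Scanned document",
    "Authentication-Results: spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=contoso.com;"
    " dkim=pass header.d=contoso.com; dmarc=pass header.from=contoso.com; compauth=pass reason=100",
    "",
    "Your scan is attached.",
])
EXTERNAL = "\n".join([
    "From: Vendor <billing@example.net>",
    "To: alice@contoso.com",
    "Subject: Invoice 4471",
    "Authentication-Results: spf=pass (sender IP is 192.0.2.8) smtp.mailfrom=example.net;"
    " dkim=pass header.d=example.net; dmarc=pass header.from=example.net; compauth=pass reason=100",
    "",
    "Invoice attached.",
])

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal", INTERNAL_OK), ("external", EXTERNAL)]:
        result = classify(raw)
        print(f"{name:9} -> {result['verdict']}  {'; '.join(result['reasons'])}")
```

Run against real mail, the same logic works on exported message headers or on the `Authentication-Results` values returned by message trace; the point is that a junk-folder placement is a weak signal, whereas "internal domain plus no passing SPF or DKIM" is the precise condition a DMARC `p=reject` policy, or the Reject Direct Send setting, would have turned into a hard rejection.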
Zooming Out: The Bigger Picture
This campaign echoes a growing cybersecurity challenge: attackers increasingly exploit the gray areas of modern cloud tools. Just as we have seen with OAuth consent abuse or Google Forms-based phishing, the line between a helpful feature and a security flaw keeps getting thinner.
Organizations can no longer rely solely on firewalls and anti-virus software. They need a layered defense that includes enforced email authentication, behavioral analysis of mail flow, employee training, and regular audits of the configuration options their cloud platforms expose by default.