Aug 9, 2025

Direct Send Abuse in Phishing Campaigns and How to Disable It

Attackers are increasingly abusing the Direct Send feature of Microsoft 365 in phishing campaigns. They submit mail that appears to originate inside the target organization without compromising a single user account.

Exploiting the Direct Send feature and how to disable it

What is the Direct Send Feature?

Direct Send in Exchange Online lets devices and applications deliver mail to mailboxes in your own tenant by connecting to the tenant's MX endpoint (a host of the form tenant-com.mail.protection.outlook.com) on TCP port 25 without authenticating. It only delivers to recipients inside the tenant, and it is typically used by printers, scanners and monitoring systems to send reports or alerts.

How Do Attackers Exploit This Feature in Phishing Campaigns?

The weakness of Direct Send is that it requires no authentication at all: any host on the internet can connect to the tenant's MX endpoint, claim a From address in the organization's own domain, and have the message delivered to internal recipients.

Attackers only need two publicly available pieces of information:

  • The target organization’s domain name

  • Valid recipient email addresses within the organization

This information is often easily accessible through:

  • Social media profiles

  • Official company websites

  • Previous data breaches

With these two pieces of information the attacker connects to the tenant's MX endpoint on port 25, presents a From address in the organization's domain and hands over a message addressed to its employees. Because Microsoft's own infrastructure delivers the message, it arrives looking like internal mail even though the submitting host was an arbitrary internet address. These emails often carry malicious PDF attachments or QR codes that lead to credential-harvesting pages. The submission is usually scripted, for example with PowerShell's Send-MailMessage pointed at the MX host with no -Credential, or with any other SMTP client.

How to Protect Your Organization?

1) Disable Direct Send

First, install the Exchange Online PowerShell module:

Open PowerShell as Administrator and run:

Set-ExecutionPolicy RemoteSigned -Force
Install-Module -Name PowerShellGet -Force
Install-Module -Name ExchangeOnlineManagement -Force

Import the module:

Import-Module ExchangeOnlineManagement

Connect to Exchange Online:

Connect-ExchangeOnline -UserPrincipalName admin@domain.com

(Replace admin@domain.com with your admin email. If MFA is enabled, you will be prompted to authenticate.)

Disable the feature:

Set-OrganizationConfig -RejectDirectSend $true

Before you change the setting, inventory the printers, scanners, monitoring tools and line-of-business applications that relay through the MX endpoint on port 25 (a message trace for mail from your own domain arriving from non-Microsoft IP addresses is a good starting point). After disabling, watch for non-delivery reports: a sender that still relies on Direct Send is refused with a 550 5.7.68 "Direct Send not allowed for this organization" response, which tells you exactly which device needs to move to an authenticated path.

Verify the setting:

Get-OrganizationConfig | Select-Object Identity, RejectDirectSend

(If RejectDirectSend : True, the feature is disabled.)
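The unauthenticated submission described under "How Do Attackers Exploit This Feature" and the verification step above, combined into a self-test you can run against your own tenant. This is an added example, not code from the original article: contoso.com, admin@contoso.com, the it-helpdesk@ sender and the soc-test@ mailbox are placeholders, and the probe must be run from a host outside Microsoft's address space and outside any inbound connector you have configured, otherwise it is not exercising the Direct Send path.

```powershell
# Added example (not code from the original article): turn RejectDirectSend on and
# then prove the change from the outside with an unauthenticated submission, the
# same path an attacker abuses. contoso.com and the mailboxes are placeholders;
# run this only against a tenant and domain you own.

function Get-TenantMxHost {
    param([Parameter(Mandatory)][string]$Domain)
    # Exchange Online publishes one MX, e.g. contoso-com.mail.protection.outlook.com.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object -Property Preference |
          Select-Object -First 1
    if (-not $mx) { throw "No MX record found for $Domain" }
    return $mx.NameExchange.TrimEnd('.')
}

function Test-DirectSend {
    # Connect to the MX endpoint on TCP 25 with no credentials and try to deliver a
    # message whose From address is in the tenant's own domain.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Recipient,        # internal mailbox you control
        [string]$SpoofedFrom = "it-helpdesk@$Domain"     # placeholder sender
    )
    $mxHost = Get-TenantMxHost -Domain $Domain
    $client = New-Object System.Net.Mail.SmtpClient($mxHost, 25)
    $client.EnableSsl = $true      # STARTTLS; deliberately no $client.Credentials
    $msg = New-Object System.Net.Mail.MailMessage(
        $SpoofedFrom, $Recipient, 'Direct Send self-test',
        "Unauthenticated submission to $mxHost at $(Get-Date -Format o)")
    try {
        $client.Send($msg)
        [pscustomobject]@{ MxHost = $mxHost; Accepted = $true;  Response = 'accepted' }
    }
    catch [System.Net.Mail.SmtpException] {
        # With RejectDirectSend on, the expected outcome is a 550 5.7.68
        # "Direct Send not allowed for this organization" rejection.
        [pscustomobject]@{ MxHost = $mxHost; Accepted = $false; Response = $_.Exception.Message }
    }
    finally {
        $msg.Dispose()
        $client.Dispose()
    }
}

function Set-DirectSendRejected {
    # Record the current value, turn rejection on if needed, and read it back.
    $before = (Get-OrganizationConfig).RejectDirectSend
    if (-not $before) { Set-OrganizationConfig -RejectDirectSend $true }
    $after = (Get-OrganizationConfig).RejectDirectSend
    [pscustomobject]@{ Before = $before; After = $after }
}

# --- usage ----------------------------------------------------------------------
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Set-DirectSendRejected | Format-List

# Run the probe from outside Microsoft's IP space and outside any inbound
# connector; Accepted should now be False and Response should carry the 550 text.
Test-DirectSend -Domain 'contoso.com' -Recipient 'soc-test@contoso.com' | Format-List
```

Running Test-DirectSend before the change is equally useful: an Accepted value of True is the concrete evidence that the tenant currently accepts spoofed internal mail from anywhere, which is the argument you need when a device owner objects to losing Direct Send.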

2) Use Authenticated Connectors

If devices or applications need to send emails:

  • Use SMTP AUTH client submission: the device connects to smtp.office365.com on port 587 with STARTTLS and logs in as a dedicated service mailbox. Keep SMTP AUTH disabled tenant-wide and enable it only on that mailbox, and prefer OAuth (modern authentication) where the device supports it, since Microsoft is retiring basic authentication for SMTP AUTH client submission.

  • Or create an inbound connector that identifies the device by its static public IP address or by the TLS certificate it presents. Mail matched to such a connector is still accepted after RejectDirectSend is enabled; the same message from any other internet address is not.
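The two replacements above as Exchange Online PowerShell, an added example rather than the article's own commands. The mailbox scanner@contoso.com, the address 203.0.113.10 and the certificate subject scanner.contoso.com are placeholders for the device that needs to keep sending.

```powershell
# Added example (not the article's own code): give a device a replacement for
# Direct Send before RejectDirectSend is switched on. Names, addresses, the IP
# and the certificate subject are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Option 1: SMTP AUTH client submission (smtp.office365.com, TCP 587, STARTTLS).
# Keep SMTP AUTH disabled tenant-wide and enable it only on the service mailbox
# the device will log in as; every other mailbox stays closed to SMTP AUTH.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -Identity 'scanner@contoso.com' |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Option 2: an inbound connector that pins the device by its public IP. Mail that
# arrives on TCP 25 from this IP is matched to the connector and is therefore
# still accepted once RejectDirectSend is on; the same message from any other
# internet address is rejected.
New-InboundConnector -Name 'Scanner relay (203.0.113.10)' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses '203.0.113.10' `
    -RequireTls $true `
    -Enabled $true

# Variant: identify the device by the TLS certificate it presents instead of an
# IP address (useful when the device has no static address).
New-InboundConnector -Name 'Scanner relay (certificate)' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName 'scanner.contoso.com' `
    -Enabled $true

# Confirm what is now allowed in without authentication and on what condition.
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderIPAddresses, TlsSenderCertificateName, RequireTls, Enabled
```

Treat each connector as an allow-list entry: it is only as strong as the IP or certificate it trusts, so remove it when the device is retired and review the list whenever you review RejectDirectSend.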

3) Key Detection Indicators

Security teams should monitor for:

  • Messages whose From and To addresses are the same mailbox

  • X-Mailer or User-Agent headers naming PowerShell or other scripting clients

  • Connecting IP addresses (the "sender IP is" value in Authentication-Results, or FromIP in message trace) that belong to VPN providers, hosting ranges or unexpected countries rather than to your known devices

  • spf=fail, dkim=none and dmarc=fail in Authentication-Results on messages that claim your own domain as sender

  • An X-MS-Exchange-CrossTenant-Id header that does not match your own tenant ID
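The indicators above applied to a message and to message trace, as an added example that is not part of the original article. The header block, the tenant ID 22222222-..., the allow-listed device IP 198.51.100.20 and the domain contoso.com are constructed placeholders; Get-MessageTrace needs an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the original article): score a message's headers against
# the Direct Send indicators, then hunt for the same pattern in message trace.
# Sample headers, tenant ID and IP allow-list are constructed placeholders.

function ConvertFrom-MailHeader {
    # Unfold RFC 5322 continuation lines and return name -> list of values.
    param([Parameter(Mandatory)][string]$Raw)
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            if (-not $headers.ContainsKey($name)) { $headers[$name] = @() }
            $headers[$name] += $Matches[2].Trim()
        }
    }
    return $headers
}

function Test-DirectSendIndicators {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$InternalDomain,
        [Parameter(Mandatory)][string]$TenantId,
        [string[]]$KnownSenderIps = @()
    )
    $h    = ConvertFrom-MailHeader -Raw $RawHeaders
    $hits = New-Object System.Collections.Generic.List[string]
    $addr = { param($v) if ($v -match '<([^>]+)>') { $Matches[1] } else { "$v".Trim() } }

    $from = & $addr ($h['from'] | Select-Object -First 1)
    $to   = & $addr ($h['to']   | Select-Object -First 1)
    if ($from -and $to -and $from -ieq $to) { $hits.Add("Sender equals recipient ($from)") }

    foreach ($agent in @($h['x-mailer']) + @($h['user-agent'])) {
        if ($agent -and $agent -match 'powershell|python|curl|swaks') { $hits.Add("Scripted client: $agent") }
    }

    $auth = ($h['authentication-results'] -join ' ')
    $dom  = [regex]::Escape($InternalDomain)
    if ($auth -match 'spf=(fail|softfail|none)' -and $auth -match "(smtp\.mailfrom|header\.from)=$dom") {
        $hits.Add('SPF did not pass for our own domain')
    }
    if ($auth -match 'dkim=(none|fail)') { $hits.Add('No valid DKIM signature') }
    if ($auth -match 'dmarc=fail')       { $hits.Add('DMARC failed') }
    if ($auth -match 'sender IP is (\d{1,3}(?:\.\d{1,3}){3})' -and $Matches[1] -notin $KnownSenderIps) {
        $hits.Add("Connecting IP $($Matches[1]) is not a known device")
    }

    $xt = $h['x-ms-exchange-crosstenant-id'] | Select-Object -First 1
    if ($xt -and $xt -ne $TenantId) { $hits.Add("CrossTenant-Id $xt is not our tenant") }

    [pscustomobject]@{ From = $from; To = $to; Score = $hits.Count; Indicators = $hits.ToArray() }
}

function Find-SelfSentFromUnknownIp {
    # Trace-level version of the first indicator: our domain to the same address,
    # from a source IP that is not a known device. Use Get-MessageTraceV2 where
    # Get-MessageTrace has been retired; the properties used here exist on both.
    param([Parameter(Mandatory)][string]$InternalDomain, [string[]]$KnownSenderIps = @(), [int]$Days = 7)
    Get-MessageTrace -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -PageSize 5000 |
        Where-Object { $_.SenderAddress -like "*@$InternalDomain" -and
                       $_.SenderAddress -ieq $_.RecipientAddress -and
                       $_.FromIP -and $_.FromIP -notin $KnownSenderIps } |
        Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject, Status
}

# --- constructed sample: what a Direct Send phish looks like on arrival ----------
$sample = @'
Received: from vps-203-0-113-45.example.net (203.0.113.45) by
 CONTOSO-COM.mail.protection.outlook.com (10.13.0.10) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.com;
X-MS-Exchange-CrossTenant-Id: 11111111-1111-1111-1111-111111111111
X-Mailer: Microsoft PowerShell
From: Alice Example <alice@contoso.com>
To: alice@contoso.com
Subject: Voicemail for alice
'@

Test-DirectSendIndicators -RawHeaders $sample -InternalDomain 'contoso.com' `
    -TenantId '22222222-2222-2222-2222-222222222222' -KnownSenderIps @('198.51.100.20') | Format-List
```

On the sample every indicator fires, which is the point: a legitimate printer report from a known IP would trip none of the SPF, IP or client checks, so a Score of two or more on mail claiming your own domain is a reasonable threshold for a transport rule or a SIEM alert, and Find-SelfSentFromUnknownIp gives you the same signal across the whole tenant without pulling individual headers.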

Conclusion

Direct Send should be disabled with RejectDirectSend unless a documented dependency remains, and any device that still needs to send mail should do so through SMTP AUTH client submission or an inbound connector bound to its IP or certificate. Combined with monitoring of mail that claims your own domain, these steps close the path that lets an attacker impersonate your organization without ever compromising an account.
