Hackers are using Microsoft 365 features to bombard enterprises with phishing emails - and they've already hit more than 70 organizations
Briefly

Security experts have identified a phishing campaign that abuses the Microsoft 365 Direct Send feature and has affected more than 70 organizations. Direct Send is designed for internal email communication and does not require authentication, so attackers can send spoofed emails using only publicly available data. Since May, attackers have been using PowerShell to send phishing messages through this feature, evading standard security controls. Victims have primarily been US-based organizations. Alerts for abnormal behavior were linked to unusual geolocations, which points to sophisticated attackers who can exploit the feature without needing access to compromised accounts.
In one case, the alert was triggered by a Ukrainian IP address, an unexpected and unusual location for the affected tenant.
The feature, intended for internal use only, does not require authentication, allowing attackers to spoof internal users without compromising accounts.
Attackers have been taking advantage of it since May to deliver phishing emails with no need for credentials, tokens, or access to the tenant.
Microsoft's filtering mechanisms may treat these messages as internal-to-internal traffic, bypassing traditional email security controls.
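A triage check for the pattern described above, as an added example that is not from the article or from Microsoft: it flags mail that claims an internal sender and recipient but arrived from an untrusted source with failing authentication results. The domain, IP ranges and sample messages are constructed, and the `sender IP is` text inside `Authentication-Results` is an assumption about how the receiving service stamps the header.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed tenant values (hypothetical): accepted domain and known relay/device range.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def _domain(address):
    return address.rpartition("@")[2].lower()

def review_message(raw):
    """Return reasons a message is a suspected internal spoof (empty list if none)."""
    msg = message_from_string(raw)
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    if sender not in INTERNAL_DOMAINS:
        return []
    if not any(_domain(r) in INTERNAL_DOMAINS for r in recipients):
        return []
    # Unfold and join every Authentication-Results header before matching.
    auth = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    source = re.search(r"sender IP is ([0-9A-Fa-f:.]+)", auth)
    if source is None:
        return []  # no external hop recorded, nothing to judge
    ip = ipaddress.ip_address(source.group(1))
    if any(ip in net for net in TRUSTED_NETWORKS):
        return []  # known scanner, printer or relay
    failures = []
    for mech in ("spf", "dkim", "dmarc"):
        result = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = result.group(1).lower() if result else "missing"
        if verdict != "pass":
            failures.append(f"{mech}={verdict}")
    if not failures:
        return []  # authenticated third-party sender
    return [f"internal From/To but source {ip} is not a trusted network"] + failures

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: IT Helpdesk <helpdesk@example.com>\n"
    "To: alice@example.com\n"
    "Subject: New voicemail\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.77)\n"
    " smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com\n"
    "\nbody\n"
)
DEVICE = SPOOFED.replace("203.0.113.77", "198.51.100.20")
```
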
Read at IT Pro