Direct Send Abuse: How to Detect and Prevent Microsoft 365 Internal Phishing Attacks

Learn how direct send abuse bypasses M365 email security, how to detect it in your environment, and how to prevent internal phishing attacks.

Abnormal AI

February 12, 2026


Your Microsoft 365 security stack may be protecting against external threats while an architectural gap leaves internal email paths unmonitored. Direct send abuse allows attackers to bypass your email security controls using your own trusted infrastructure—routing messages directly to Exchange Online without passing through your third-party secure email gateway.

This attack vector exploits a legitimate Microsoft feature that many organizations don't even realize is enabled in their environment. Understanding how direct send abuse works—and how to detect and prevent it—has become essential for security teams protecting Exchange Online deployments.

This article draws from insights shared in Abnormal's ThreatStream webinar on Microsoft 365 Direct Send Abuse. Watch the full recording to see behavioral AI detection in action.

Key Takeaways

  • Direct send is enabled by default in Microsoft 365 and allows unauthenticated email delivery that bypasses third-party secure email gateways entirely

  • Attackers only need a target's email address to derive the predictable smart host format and send malicious campaigns

  • Common attack tactics include QR code attacks in PDF attachments, CAPTCHA-protected phishing pages, and AES-encrypted payloads

  • Detection requires monitoring for failed SPF and DMARC authentication checks, unusual geographic origins, and the local loopback IP address in email headers

What Is Direct Send Abuse?

Understanding the Legitimate Direct Send Feature

Direct send is a Microsoft feature that allows sending emails directly from a device or application to a recipient's mailbox via the company's specific smart host. The feature operates without requiring a username or password, making it convenient for automated processes and legacy systems.

This capability is enabled by default in Microsoft 365 tenants and doesn't require any third-party or on-premises SMTP servers. Organizations commonly use direct send for MFPs and scanners with scan-to-email functions—devices that need to send notifications without maintaining authenticated credentials.

How Direct Send Becomes an Attack Vector

The security challenge emerges because attackers have discovered that direct send email traffic bypasses third-party secure email gateway inspection entirely. As Jesus Garcia, Solutions Architect at Abnormal, explained during the webinar: "With your email address, they can then figure out the very predictable smart host format, and they can weaponize this information in PowerShell scripts, in Python scripts to send malicious campaigns to your users' inboxes."

What makes this particularly dangerous is that attackers don't need to compromise credentials or steal tokens. The smart host format is predictable—all they need is a target email address to begin their campaign.

Why Direct Send Abuse Matters for Security Teams

Over 90% of successful cyberattacks begin with a phishing email, making email security controls foundational to organizational defense. Direct send abuse undermines this foundation by creating an unmonitored path directly into user inboxes.

The Bypass Problem

Third-party SEG architecture is designed to inspect mail at the perimeter, filtering threats before they reach Exchange Online. However, direct send traffic never reaches the SEG because these messages route directly to the Exchange Online smart host, bypassing the MX records that point at the third-party secure email gateway.

Compounding this issue, many secure email gateway vendors recommend disabling or bypassing Exchange Online protections like IP reputation, spam filtering, and advanced threat protection. This guidance exists to prevent rejection of non-authenticated emails from legitimate devices—but it creates a significant security gap.

Business Impact and Risk Exposure

While SEGs effectively block the majority of email threats, the attacks that slip through pose the greatest risk. A single missed email can lead to credential phishing success, resulting in account takeover and significant financial damage. In 2024, BEC losses totaled $2.77 billion across 21,442 reported incidents, accounting for more than 17% of the $16.6 billion in total financial damages reported to the FBI IC3.

Attackers target both private sector organizations and SLED (state, local, education) entities. Direct send abuse enables sophisticated attack chains that leverage your organization's trusted infrastructure against your own users.

How Attackers Exploit Direct Send

Attack Methodology

The attack process begins with identifying target email addresses—information often readily available through company websites, LinkedIn, or data breaches. From there, attackers derive the predictable smart host format and weaponize this in automated scripts to conduct large-scale campaigns.

Common Attack Tactics

QR Code Attacks: Attackers send voicemail notification emails containing PDF attachments with embedded QR codes. Users instinctively trust QR codes and scan them without verifying the source or destination.

CAPTCHA-Protected Phishing: After scanning malicious QR codes, users encounter Cloudflare CAPTCHAs protecting the final payload. Traditional URL analysis tools cannot interact with CAPTCHAs like humans can—but users pass them easily, reaching spoofed Microsoft login pages designed for credential harvesting. This technique creates a multi-stage attack chain where each step appears legitimate, culminating in credential theft when users enter their Microsoft credentials on the convincing fake login page.

Encrypted Payloads: In SLED-targeted attacks, malicious actors send emails appearing to come from trusted internal government domains. These contain HTML attachments with AES-encrypted payloads that bypass sandboxing and static signature-based scanning entirely.

Calendar Invite Injection: Direct send isn't the only trusted-infrastructure abuse vector attackers exploit. Similar techniques allow malicious content injection directly into user calendars, bypassing traditional email inspection entirely. This demonstrates a broader pattern where attackers identify and weaponize legitimate Microsoft 365 features that route around perimeter security controls.

Evasion Techniques

Attackers strategically layer multiple evasion methods to maximize their success rate against traditional security tools. CAPTCHAs serve as the first defense against automated analysis—security scanners cannot complete the human verification challenge, so they never see the malicious content behind it. When a user scans the QR code and passes the CAPTCHA, they reach a spoofed Microsoft login page that mirrors the legitimate authentication flow, completing the credential phishing cycle before any security tool can intervene.

Encrypted payloads add another evasion layer by defeating signature-based detection entirely. When HTML attachments contain AES-encrypted content, sandboxing tools cannot analyze the payload without the decryption key—which attackers provide to victims through social engineering. The encrypted content appears as random data to automated scanners, passing static analysis checks that would otherwise flag malicious content.

Email spoofing trusted internal domains creates false legitimacy that dramatically increases user compliance. When an email appears to originate from a colleague's address or an internal department, recipients apply less scrutiny than they would to external messages. Combined with direct send's ability to bypass authentication checks, attackers can impersonate virtually any internal sender without triggering standard spoofing alerts—a tactic commonly seen in impersonation attacks.

Detecting Direct Send Abuse in Your Environment

Key Indicators to Monitor

Security teams should watch for several telltale signs of direct send abuse:

  • Failed SPF and DMARC authentication on emails that still reach inboxes

  • Unusual geographic origins for internal-appearing emails

  • Local loopback IP address (127.0.0.1) in email headers

  • Attachments containing URL links to external domains

  • QR codes within attachments directing to suspicious destinations

Behavioral Signals That Indicate Abuse

Beyond technical indicators, behavioral analysis reveals attack patterns. Unusual sender authentication statuses where mail delivers despite failing checks warrant investigation. Emails from unexpected locations—like messages ostensibly from internal contacts but originating from foreign countries—should trigger alerts.

During the webinar, Garcia demonstrated this detection capability with a concrete example: the platform flagged an email originating from Germany sent to a user who had never received email from that country before. This geographic anomaly, combined with other behavioral signals, provided high-confidence detection of a direct send abuse attempt that traditional tools would have missed.

The combination of multiple anomalous signals provides high-confidence detection. A single failed authentication check might be a configuration issue, but combined with unusual geography, suspicious attachments, and links to external domains, the pattern becomes clear.
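As an added illustration (not code from the webinar or from Abnormal), the following Python triage routine applies the header indicators listed above to a raw message: SPF and DMARC failures in Authentication-Results, the loopback address in a Received header, and an internal-looking From domain that did not authenticate. The sample messages and the INTERNAL_DOMAINS set are constructed assumptions; the score threshold reflects the point that a single failed check may be a configuration issue while several together are high confidence.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted (internal) domains.
INTERNAL_DOMAINS = {"contoso.com"}

# Constructed sample (not a real incident): internal-looking mail sent via direct send.
SAMPLE_DIRECT_SEND = """\
Received: from mail.contoso.com (127.0.0.1) by outlook.office365.com
Received: from 203.0.113.45 by contoso-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=none header.from=contoso.com
From: "IT Helpdesk" <helpdesk@contoso.com>
Subject: New voicemail
"""

# Constructed sample of a properly authenticated external message.
SAMPLE_CLEAN = """\
Received: from mx.partner.example (198.51.100.7) by contoso-com.mail.protection.outlook.com
Authentication-Results: spf=pass smtp.mailfrom=partner.example; dkim=pass; dmarc=pass header.from=partner.example
From: Alice <alice@partner.example>
Subject: Agenda
"""

def auth_verdicts(msg):
    """Collect spf=/dkim=/dmarc= results from every Authentication-Results header."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def direct_send_indicators(raw):
    """Return the direct-send abuse indicators present in one raw message."""
    msg = message_from_string(raw)
    auth = auth_verdicts(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    checks = [
        ("spf_fail", auth.get("spf") == "fail"),
        ("dmarc_fail", auth.get("dmarc") == "fail"),
        ("loopback_in_received", any("127.0.0.1" in r for r in received)),
        ("internal_sender_unauthenticated",
         sender_domain in INTERNAL_DOMAINS and auth.get("spf") != "pass"),
    ]
    return [name for name, hit in checks if hit]

def is_suspected_direct_send(raw):
    """Alert only when several signals line up; one failed check alone may be misconfiguration."""
    return len(direct_send_indicators(raw)) >= 3
```

Geographic anomalies need a sender-history and GeoIP lookup that this offline snippet does not include; the returned indicator list is meant to be joined with that context before alerting.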

Auditing Legitimate Direct Send Usage

Before implementing prevention controls, assess your organization's legitimate direct send usage:

  • Are MFPs configured with credentials, or sending unauthenticated?

  • Do legacy applications or services send emails without username/password authentication?

  • Which devices and applications currently rely on direct send functionality?

Document all approved direct send sources to establish a baseline. Evaluate whether each use case can migrate to authenticated SMTP—this may require coordination with IT teams managing network devices.

Preventing Direct Send Attacks

Quick Wins: Immediate Mitigation Steps

Enforce strict DMARC policies: Move from p=none (monitoring only) to p=quarantine or p=reject so that mail failing authentication is quarantined or rejected rather than merely reported.

Create transport rules: Route direct send emails through your SEG for inspection, ensuring these messages receive the same scrutiny as external mail.
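An added example, not from the original post, for the DMARC step above: a checker that parses a domain's DMARC TXT record and reports why it would not yet enforce (p=none, a partial pct= rollout, or a subdomain policy of none). The records shown are constructed; in practice the record is fetched from the _dmarc subdomain's TXT entry.

```python
# Constructed DMARC TXT records for illustration (not any real domain's records).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"
PARTIAL = "v=DMARC1; p=reject; pct=10; sp=none"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_findings(record):
    """List the reasons a record would still let spoofed mail through unhindered."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no_dmarc_record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("policy_none")  # reports only; failing mail still delivers
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparsable pct is treated as not enforcing
    if policy != "none" and pct < 100:
        findings.append(f"pct_{pct}")  # policy applies to only part of failing mail
    # sp= overrides p= for subdomains and defaults to p= when absent
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("subdomain_policy_none")
    return findings

def is_enforcing(record):
    """True only when p= is quarantine/reject for 100% of mail, subdomains included."""
    return dmarc_findings(record) == []
```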

Architectural Changes: Long-Term Solutions

PowerShell commands can block unauthenticated direct send traffic at the tenant level and force authentication. However, if your organization uses non-authenticated direct send for legitimate purposes, running these commands will cause those emails to get rejected.

Transport rules can reject and delete all direct send emails, but this approach requires careful planning. Disabling functionality without proper coordination creates operational disruptions.

Behavioral AI Protection at the Mailbox Layer

API-based architecture provides visibility into all emails delivered to inboxes, regardless of how they arrived. This mailbox-layer protection operates independently of upstream SEGs, detecting threats based on behavioral analysis rather than signatures or reputation.

As Ryan Schwartz, Senior Sales Engineer at Abnormal, demonstrated during the webinar, the platform analyzes over 43,000 behavioral signals per email and performs social graphing to understand whether two parties typically communicate at specific times about specific topics. This depth of analysis enables detection that signature-based tools cannot replicate.

The detection methodology incorporates multiple analysis vectors working simultaneously:

  • Identity Analysis: Validates sender identity against known communication patterns and authentication signals

  • Behavioral Modeling: Establishes baseline communication patterns to identify anomalous messages that deviate from normal behavior

  • Header Analysis: Examines email headers for indicators of compromise, including the telltale 127.0.0.1 loopback address

  • Communication Pattern Analysis: Leverages social graphing to determine whether the sender and recipient have an established relationship and whether the message content aligns with their typical interactions

  • Content Analysis: Evaluates message content for phishing indicators, urgency manipulation, and social engineering tactics

  • Payload Analysis: Inspects attachments and embedded content for malicious elements, even when encrypted or obfuscated

This multi-vector approach detects never-before-seen attack tactics that evade signature-based tools entirely.

Common Challenges with Traditional Approaches

Organizations attempting to address direct send abuse through manual methods face several obstacles:

Operational disruption risk: PowerShell commands and transport rules that block direct send can break legitimate business processes if not carefully implemented.

IT coordination overhead: Security teams must coordinate with IT departments managing printers, scanners, and legacy applications before making changes.

Incomplete visibility: Transport rules that route mail through SEGs still rely on those SEGs detecting the threat—a challenge when attacks use encrypted payloads or CAPTCHA evasion.

Reactive posture: Creating rules after discovering an attack means the first wave already reached inboxes.

Best Practices for Direct Send Security

Conduct a complete inventory of devices and applications using direct send before implementing any blocking controls.

Implement defense in depth rather than relying solely on perimeter protection—behavioral AI at the mailbox layer catches what SEGs miss.

Monitor authentication failures actively, treating failed SPF and DMARC checks as potential indicators of abuse rather than configuration noise.

Educate users about QR code risks, emphasizing verification before scanning codes received via email through security awareness training.

Establish baseline communication patterns so anomalies become detectable—behavioral analysis depends on understanding normal behavior first.

Securing Microsoft 365 Against Direct Send Exploitation

Direct send abuse represents a critical gap in traditional email security architecture that many organizations don't realize exists. The feature's legitimate purpose—enabling convenient email delivery from devices and applications—creates an attack vector that bypasses carefully constructed perimeter defenses.

Detection requires behavioral analysis beyond signature-based tools, examining patterns of communication, authentication anomalies, and payload characteristics simultaneously. Prevention ranges from quick configuration changes to architectural overhauls, with the right approach depending on your organization's legitimate direct send usage.

For security teams protecting Microsoft 365 environments, auditing direct send usage and implementing appropriate controls deserves immediate attention. Watch the full technical demonstration to see how behavioral AI detects and remediates these attacks in real-time.
