Microsoft Direct Send Vulnerability: How Attackers Exploit M365 for Internal Phishing

Learn how attackers exploit the Microsoft Direct Send vulnerability to bypass email gateways and deliver phishing campaigns directly to employees' inboxes.

Abnormal AI

February 12, 2026


Email remains a primary entry point for credential theft and financial fraud, which is why security teams invest heavily in perimeter defenses, carefully routing email through secure email gateway solutions to inspect every message before it reaches employee inboxes. But what if attackers discovered a Microsoft-sanctioned feature that lets them bypass these protections entirely? That's exactly what's happening with the Microsoft Direct Send vulnerability.

Attackers have identified that this legitimate Microsoft 365 feature, designed for printers and internal applications, creates a direct pathway to user inboxes that circumvents third-party security inspection completely.

This article draws from insights shared in Abnormal's ThreatStream webinar series on Microsoft 365 Direct Send abuse. Watch the full webinar to see live demonstrations of these attacks and detection strategies.

Key Takeaways

  • Direct Send is a default-enabled Microsoft feature allowing unauthenticated email delivery via predictable smart host formats

  • Attackers weaponize Direct Send to bypass secure email gateway inspection entirely

  • Common attack vectors include QR code phishing and AES encrypted payloads that evade traditional scanning

  • Behavioral AI detection operates independently of upstream email security, catching threats at the mailbox layer

What is Microsoft Direct Send? (And Why It's Being Exploited)

Direct Send is a Microsoft feature that allows the sending of emails directly from a device or application to a recipient's mailbox via the company's specific smart host without requiring username or password authentication. This feature comes enabled by default in Exchange Online environments and doesn't require third-party or on-premise SMTP servers.

The feature exists for legitimate operational reasons. Organizations commonly use it for MFP devices and scanners that need scan-to-email functionality. These devices often lack the capability to authenticate with credentials, making Direct Send a practical solution for basic email workflows.

It's important to clarify what this "vulnerability" actually represents. This isn't a CVE-level security flaw or a bug Microsoft needs to patch. Instead, it's a misconfiguration and feature abuse issue where attackers exploit legitimate functionality for malicious purposes. The predictable smart host format means anyone with a target email address can determine exactly how to send unauthenticated messages into an organization's environment.

Third-party secure email gateway vendors often recommend disabling or bypassing Exchange Online protections like IP reputation, spam filtering, and advanced threat protection to accommodate these unauthenticated internal messages. This creates the gap attackers now exploit.

Why Microsoft Direct Send Vulnerability Matters for Security Teams

Organizations that route email through perimeter gateways have no visibility into Direct Send traffic reaching inboxes, creating a fundamental blind spot in their security architecture. When organizations deploy a secure email gateway at the perimeter, they expect all inbound mail to flow through inspection before reaching Exchange Online. Direct Send traffic never touches the SEG.

Jesus Garcia, Solutions Architect at Abnormal, explained during the webinar: "They have figured out that direct send email traffic isn't getting inspected by the third party secure email gateway. And with most of these Exchange Online protections disabled or bypassed, the emails unfortunately just flow directly to the user's inbox."

What makes Direct Send abuse particularly dangerous is that attackers achieve this without having to compromise a username and password, without having to steal a token. This distinction matters because traditional detection models are keyed to compromised credentials and account takeover indicators. When attackers exploit legitimate Microsoft infrastructure without any credential theft, these detection approaches miss the threat entirely.

The attack surface spans multiple threat categories. Credential phishing campaigns use Direct Send to deliver convincing internal messages that prompt users to enter passwords. Payment fraud schemes impersonate executives or vendors to redirect payments. Account takeover attempts use the trusted delivery mechanism to establish initial access before lateral movement.

Both private sector organizations and SLED (state, local, education) entities face these threats. Attackers recognize that government domains carry particular trust weight, making Direct Send domain spoofing especially effective when targeting these organizations.

How Attackers Exploit the Direct Send Vulnerability

Attackers weaponize Direct Send by combining minimal reconnaissance with sophisticated payload delivery techniques that evade traditional security controls.

Discovering the Smart Host Format

Attackers need minimal information to launch Direct Send attacks. Garcia noted in the webinar: "All they really need is your email address. With your email address, they can then figure out the very predictable smart host format, and they can weaponize this information in PowerShell scripts, in Python scripts to send malicious campaigns to your users inboxes."

The smart host format follows Microsoft's documented conventions, making reconnaissance trivial. The barrier to entry for these attacks is functionally zero—any attacker with basic scripting knowledge can determine the exact smart host address from a single email address and begin sending malicious campaigns within minutes. Attackers exploit the same trusted Microsoft infrastructure that is supposed to be used by scanners and MFP devices—all without needing to compromise accounts or steal authentication tokens.

Attack Delivery Mechanisms

Current campaigns leverage several sophisticated techniques to maximize success rates:

QR code attacks arrive as PDF attachments disguised as voicemail notifications. Users instinctively reach for their phones to scan codes without verifying the source. Traditional email security tools struggle because the malicious URL isn't present as text in the message body.

AES encrypted payloads embedded in HTML attachments defeat sandboxing and static signature scanning entirely. The encrypted content decrypts only when a user opens the file, revealing the true malicious intent. Consider this question about your own environment: if an attacker sends an AES encrypted payload, how effective are your sandboxing and static signature tools going to be? The answer exposes a fundamental limitation of content-inspection approaches.

CAPTCHA-protected phishing pages block automated URL analysis tools while allowing human victims to proceed. Attackers use services like Cloudflare CAPTCHA to selectively hide payloads from security scanners.

Calendar invite attacks represent an adjacent threat vector that Garcia noted "comes up a lot" in Direct Send abuse. Attackers disguise malicious HTML files as calendar invites, exploiting users' familiarity with meeting-related notifications to increase click rates.

Real-World Examples: Direct Send Phishing Campaigns

One documented campaign delivered voicemail notification emails with QR codes leading to Cloudflare CAPTCHA-protected pages. Users who passed the CAPTCHA test encountered spoofed Microsoft login pages designed to harvest credentials. The familiar login interface exploited users' muscle memory, making the social engineering highly effective.

A SLED-targeted attack demonstrated the internal trust exploitation potential. Attackers used Direct Send to make emails appear as if originating from trusted internal government domains. These messages contained HTML attachments with encrypted payloads that traditional scanning couldn't analyze. SLED organizations already face elevated email-based threats due to the sensitive data they manage and the public trust they hold. Because government agencies rely heavily on email for constituent communication, Direct Send spoofing of government domains compounds this risk by exploiting the inherent credibility these domains carry in citizen interactions.

The encryption approach deserves specific attention. Sandboxing tools that detonate suspicious attachments in isolated environments cannot decrypt AES-protected content without the correct keys. Static signature scanning fails because the encrypted payload matches no known threat patterns. Attackers understand these detection limitations and architect campaigns specifically to exploit them.

These examples reinforce a consistent pattern: whether the objective is credential harvesting, payment redirection, or initial access for account takeover, email remains the delivery mechanism attackers trust most to reach their targets.

Common Challenges: Why Traditional Defenses Fail

Traditional defenses fail because Direct Send exploits an architectural blind spot that perimeter-based security was never designed to cover.

Organizations relying solely on perimeter-based email security face these architectural limitations:

  • Traffic Routing Bypass: Direct Send messages never touch the SEG, making perimeter inspection irrelevant.

  • Disabled Native Protections: Vendor best practices often recommend disabling Exchange Online security features.

  • Encrypted Payload Evasion: AES encryption defeats content inspection technologies.

  • CAPTCHA Interference: Automated URL analysis cannot interact with human verification challenges.

  • Legitimate Use Conflicts: Blocking Direct Send breaks operational MFP and scanner workflows.

Detecting Direct Send Abuse in Your Environment

Identifying Direct Send abuse requires analyzing specific indicators that distinguish malicious traffic from legitimate internal messages.

Authentication failures on delivered mail are a primary signal. Monitor for SPF and DMARC failures on messages that nonetheless reach inboxes. Legitimate Direct Send from properly configured devices should pass basic authentication, while attacker-originated messages typically fail these checks.

Local loopback IP filtering helps isolate Direct Send traffic specifically. Filtering by 127.0.0.1 can help identify messages delivered through this mechanism, allowing teams to analyze patterns for anomalies.
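The following PowerShell is an added example and is not code from the Abnormal article or webinar. It applies the indicators just described (SPF and DMARC failures on delivered mail, the 127.0.0.1 loopback address, and the absence of sender authentication) to raw message headers so a triage script can flag candidates for review. The two header blocks are constructed samples; which header carries the loopback address in a given tenant, and the two-indicator review threshold, are assumptions to verify against a real Direct Send message.

```powershell
# Added example (not from the Abnormal article or webinar): score message headers for
# the Direct Send abuse indicators described above. Sample headers are constructed.

function Get-AuthResult {
    param([string]$Headers, [string]$Mechanism)
    # Extract e.g. "spf=fail" or "dmarc=pass" from the Authentication-Results header.
    $m = [regex]::Match($Headers, "(?im)^Authentication-Results:.*?\b${Mechanism}=(\w+)")
    if ($m.Success) { return $m.Groups[1].Value.ToLower() }
    return 'none'
}

function Test-DirectSendIndicators {
    param([Parameter(Mandatory)][string]$Headers)
    $reasons = @()

    $spf = Get-AuthResult -Headers $Headers -Mechanism 'spf'
    if ($spf -in @('fail', 'softfail')) { $reasons += "spf=$spf" }

    $dmarc = Get-AuthResult -Headers $Headers -Mechanism 'dmarc'
    if ($dmarc -eq 'fail') { $reasons += "dmarc=$dmarc" }

    # The article suggests filtering on 127.0.0.1. Which header shows it is an
    # assumption here: we look in the Received chain and X-Originating-IP.
    if ($Headers -match '(?im)^(Received|X-Originating-IP):.*127\.0\.0\.1') {
        $reasons += 'loopback connecting IP'
    }

    # Unauthenticated submissions are stamped Anonymous by Exchange; verify the
    # header is present on delivered mail in your tenant before relying on it.
    if ($Headers -match '(?im)^X-MS-Exchange-Organization-AuthAs:\s*Anonymous') {
        $reasons += 'AuthAs=Anonymous'
    }

    [pscustomobject]@{
        # Two or more independent indicators is the review threshold assumed here.
        Suspicious = ($reasons.Count -ge 2)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample: a scanner with a static IP that is listed in the domain's SPF.
$scannerHeaders = @'
Received: from printer01.corp.contoso.com (203.0.113.10) by CONTOSO.mail.protection.outlook.com
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; dkim=none; dmarc=pass action=none header.from=contoso.com
From: scanner@contoso.com
Subject: Scanned document
'@

# Constructed sample: spoofed internal sender, unauthenticated, failing SPF and DMARC.
$spoofedHeaders = @'
Received: from [127.0.0.1] by CONTOSO.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=none header.from=contoso.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: it-support@contoso.com
Subject: Voicemail notification
'@

Test-DirectSendIndicators -Headers $scannerHeaders   # Suspicious: False, no reasons
Test-DirectSendIndicators -Headers $spoofedHeaders   # Suspicious: True, four reasons
```

Running this against headers exported from a message trace or a reported message gives an object per message; sort on `Suspicious` and read `Reasons` to see which indicators fired. The scanner sample passes because its IP is covered by SPF, which is the distinction the article draws between properly configured devices and attacker traffic.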

Behavioral signal analysis reveals contextual abnormalities that static rules miss. Behavioral AI platforms analyze communication patterns to determine whether two parties typically communicate at specific times about certain topics, and track previously used domains to identify anomalies even when attackers have aged a domain for months before deploying it. To illustrate the depth of this analysis, Abnormal evaluates approximately 43,000 behavioral signals for a single email, examining sender-recipient relationships, timing patterns, content anomalies, and contextual signals that static rules cannot capture. Unusual sender geography, attachment-URL combinations where link destinations mismatch sender domains, and communication pattern deviations can all indicate potential abuse.

These detection approaches work regardless of whether organizations use Microsoft Defender, third-party SIEM solutions, or behavioral AI platforms. The key is implementing monitoring that covers the mailbox layer rather than solely relying on perimeter visibility.

Best Practices: Prevention and Mitigation Strategies

PowerShell-Based Controls

Organizations can execute PowerShell commands to block unauthenticated Direct Send traffic at the tenant level and force authentication requirements. This approach eliminates the attack vector entirely but carries operational consequences.

Critical Consideration: Enabling these controls will break legitimate MFP and scanner scan-to-email functionality. Inventory all devices that send unauthenticated email before implementing, then either configure credentials for those devices or accept the loss of functionality.

Transport Rule Options

Creating transport rules to reject, delete, or reroute Direct Send messages offers granular control. Some administrators route Direct Send traffic through their SEG for inspection. Others implement blanket rejection policies.

DMARC Enforcement

Moving DMARC policy from "none" to "quarantine" or "reject" can help prevent messages failing authentication from reaching inboxes. This represents email security best practice regardless of Direct Send concerns, though it requires completing the DMARC implementation journey first.
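The following PowerShell is an added example that is not code from the Abnormal article or webinar. It walks the three controls above in the order the article recommends: inventory the devices sending unauthenticated mail, then either reject Direct Send tenant-wide or use a transport rule that exempts the inventoried device IPs, and finally confirm the published DMARC policy. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; `$Domain` and the device IP are placeholders. The `RejectDirectSend` organization setting and the transport rule parameters are Microsoft's documented Exchange Online cmdlet parameters and are not named in the article, so confirm them against current Microsoft documentation before use.

```powershell
# Added example (not from the Abnormal article or webinar): inventory, block, and
# verify, following the article's mitigation sequence. Placeholders are marked.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                # interactive sign-in as an Exchange admin

$Domain    = 'contoso.com'            # placeholder: one of your accepted domains
$DeviceIPs = @('203.0.113.10')        # placeholder: filled in from the inventory in step 1

# 1. Inventory: which source IPs have sent mail as your domain in the last 10 days
#    (the message trace retention window)? Scanners and MFPs appear as a stable IP
#    paired with a scanner-like sender address; anything else deserves a look.
$since = (Get-Date).AddDays(-10)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object { $_.SenderAddress -like "*@$Domain" -and $_.FromIP } |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Senders'; e = { ($_.Group.SenderAddress | Sort-Object -Unique) -join ', ' } }

# 2. Tenant-wide control: reject unauthenticated Direct Send outright. This is the
#    option the article warns about: every device not yet moved to authenticated
#    SMTP submission stops sending the moment it is enabled.
Get-OrganizationConfig | Format-List RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# 3. Finer-grained alternative: reject mail that claims to be from your domain and
#    arrives from outside the organization, unless it comes from an inventoried
#    device IP. Start in Audit mode and review the rule reports before switching
#    -Mode to Enforce.
New-TransportRule -Name 'Reject unauthenticated mail spoofing our domain' `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -ExceptIfSenderIpRanges $DeviceIPs `
    -RejectMessageReasonText 'Unauthenticated mail from our own domain is not accepted' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# 4. DMARC: Exchange Online honors the published policy, so with p=none a DMARC
#    failure is only reported, never quarantined or rejected. Confirm the record.
(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT).Strings
```

Step 2 and step 3 are alternatives, not a sequence: run step 2 only after the inventory in step 1 is empty or every listed device has been moved to authenticated submission, and otherwise use step 3 with the device IPs in the exception list. The Audit mode on the transport rule is what lets you compare its hits against the inventory before any mail is rejected.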

Risk-Based Decision Framework

Before implementing blanket blocks, evaluating legitimate Direct Send use cases in your environment can help inform the right approach. The core tension organizations face is clear: blocking Direct Send eliminates the attack vector but breaks operational workflows, while allowing it maintains functionality but leaves a security gap. Behavioral AI solutions can help resolve this tradeoff by detecting abuse without requiring configuration changes that disrupt legitimate device functionality.

These approaches analyze email at the mailbox layer regardless of delivery path, allowing organizations to maintain MFP and scanner workflows while still identifying and remediating malicious Direct Send traffic before it reaches end users.

Defending Against Direct Send with Mailbox-Layer Protection

Direct Send abuse represents a significant misconfiguration-driven threat requiring defense-in-depth strategies. Organizations cannot rely solely on perimeter email security when attackers exploit legitimate Microsoft infrastructure to bypass inspection entirely.

Ryan Schwartz, Senior Manager of Product Marketing at Abnormal, emphasized during the webinar why behavioral detection matters for emerging threats like Direct Send: "The way to be prepared for that is behavioral AI. We are looking at the behaviors surrounding them rather than just the typical indicators of compromise because oftentimes these are never before seen attack types or attack tactics."

This distinction explains why pattern-matching defenses fail against Direct Send abuse. Traditional security tools rely on known signatures, recognized malicious domains, and previously cataloged threat patterns. When attackers deploy novel delivery mechanisms through trusted Microsoft infrastructure, these historical patterns simply don't exist yet. Behavioral AI addresses this gap by analyzing whether the communication itself makes sense—examining sender-recipient relationships, timing anomalies, and contextual signals—rather than waiting for a threat to be classified and added to a blocklist.

Behavioral AI solutions operating at the mailbox layer provide detection capabilities that function independently of delivery path and upstream security configurations. This approach catches Direct Send abuse without requiring the global configuration changes that disrupt legitimate business operations.

Ready to see live demonstrations of Direct Send attacks and detection strategies? Watch the full webinar to learn how behavioral AI detects these threats at the mailbox layer.
