Email remains the most targeted business communication channel — and Microsoft 365 sits at the center of that reality for countless organizations. While enterprises invest heavily in secure email gateways and phishing awareness training, attackers are finding new ways to exploit Microsoft’s own infrastructure to bypass defenses.

Two techniques are rapidly gaining traction: Direct Send abuse and Direct Delivery bypass. Both methods allow threat actors to make phishing emails appear as if they originated from inside the organization — eroding trust, slipping past filters, and putting employees directly in the line of fire.

What makes these attacks especially dangerous is that they don’t require compromised credentials or advanced malware. Instead, they take advantage of mail flow design decisions, configuration gaps, and the implicit trust users place in “internal” messages.

In this blog, we’ll break down how each attack works, why it matters, and the practical steps you can take to mitigate the risk — from disabling vulnerable relay features to tightening authentication and connector policies.

1️⃣ Direct Send Vulnerability

What it is & how it works:

Direct Send is a Microsoft 365 / Exchange Online feature designed for legitimate internal uses such as printers, scanners, or legacy applications that need to send mail to internal recipients without full authentication. Attackers exploit this pathway by sending mail through Microsoft’s infrastructure, making their spoofed messages appear as if they are coming from inside the organization. All they need is:

• A recipient’s internal email address
• The accepted domain/tenant name
• The Microsoft Direct Send endpoint for that tenant

No credentials are required.

How attackers use it:

• Spoofing executives, HR, or finance users to make phishing appear internal.
• Delivering business-themed lures (invoices, payroll, service updates).
• Embedding malicious attachments or QR codes that lead to phishing pages.
• Bypassing Microsoft Defender and many third-party secure email gateways, since messages originate from Microsoft’s ecosystem.

Risks:

• Recipients trust messages that look internal, making them more likely to click or act.
• Authentication checks may fail silently or be ignored due to exceptions in mail flow.
• Detection is difficult: headers often show valid internal domains, with origin IPs tied to Microsoft.

Remediation:

• Disable Direct Send by enabling the RejectDirectSend setting.
• Audit historical message traces for anonymous or suspicious “internal” senders.
• Implement transport rules to block or quarantine spoofed internal addresses from external origins.
• Restrict inbound connectors to known IPs or certificates only.

2️⃣ Direct Delivery (Gateway Bypass)

What it is & how it works:

Direct Delivery occurs when attackers send messages straight to Microsoft 365 tenant endpoints, bypassing the perimeter email gateway. If MX records point directly to Microsoft, or if connectors are misconfigured, external messages may slip past filtering and land directly in inboxes.

How attackers use it:

• Sending spoofed messages that look internal but originate externally.
• Exploiting misconfigured connectors, open relays, or overly permissive transport rules.
• Leveraging weak or misaligned authentication (SPF “~all”, missing DKIM, or no DMARC policy).

Risks:

• Bypasses the enterprise’s external secure email gateway or third-party filtering.
• Exploits “implicit trust” in messages that appear internal.
• Creates blind spots where traditional logging or content scanning may not apply.

Remediation:

• Enforce SPF, DKIM, and DMARC with alignment and strong policies (p=reject where feasible).
• Tighten connectors and inbound MX configurations to allow only known/trusted traffic.
• Use mail flow rules to detect and block external traffic spoofing internal domains.
• Monitor for anomalies in authentication headers or unusual internal-looking traffic.

🔧 Unified Defense Recommendations

• Disable Direct Send if it’s not required.
• Lock down inbound connectors and MX endpoints with IP restrictions and certificates.
• Adopt strong authentication with SPF hard fails, aligned DKIM, and DMARC enforcement.
• Create transport rules to flag or quarantine emails that appear internal but originate externally.
• Enhance monitoring with hunts for suspicious auth headers or anomalous senders.
• Educate users on the risk of “internal-looking” phishing and include it in phishing simulations.
  

✅ Conclusion & Call to Action

Direct Send and Direct Delivery attacks are reminders that even trusted platforms like Microsoft 365 can be weaponized by threat actors. What makes these attacks so dangerous is not their complexity, but how they exploit mail flow design decisions, misconfigurations, and the trust employees place in internal communications.

For small and midsized businesses, the stakes are even higher. Without dedicated security teams or advanced defenses, SMBs often become prime targets for attackers who know these gaps exist. The good news is that practical, proven steps — disabling unnecessary relay paths, tightening MX and connector configurations, and enforcing strong authentication (SPF, DKIM, DMARC) — can drastically reduce exposure.

At Poole Technology Solutions, we specialize in helping SMBs secure their email ecosystems and build resilience against these exact threats. From assessing your Microsoft 365 configurations to implementing industry best practices in email authentication, we provide the expertise and hands-on support to protect your brand, your employees, and your customers.

👉 If you want to ensure your Microsoft 365 environment is not the weakest link, connect with us at Poole Technology Solutions. Let’s build a secure, trusted foundation for your communications.