
Microsoft 365 Direct Send Abuse

Last updated on Oct 2, 2025

The Rapid7 MDR team has observed a significant rise in the number of threat actors leveraging a lesser-known feature within Microsoft 365 called Direct Send. Rapid7 encourages organizations to immediately review their authenticated mail flow configurations, specifically related to Microsoft 365 Direct Send, to mitigate potential risk.

What is Direct Send abuse?

Direct Send is a legitimate Microsoft 365 feature that enables devices and applications, such as multifunction printers, to send emails to user mailboxes without requiring authentication or a licensed mailbox. However, Rapid7 is seeing an increase in this feature being actively exploited by threat actors to send spoofed phishing emails. These malicious emails appear to originate from within an organization, effectively bypassing standard security controls and increasing the chance of a successful phishing attack.

What you should do now

Rapid7 has assembled the following list of questions to help your organization reduce its risk:

  1. Does our organization have a legitimate business need for devices or applications to send unauthenticated email directly to Microsoft 365?

  2. If Direct Send is required, have we configured a dedicated inbound connector in Exchange Online that is restricted to only accept mail from a list of known, authorized public IP addresses?

  3. Are our Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records correctly configured to authenticate our email traffic and prevent spoofing?

  4. Are we educating users on the risks associated with unexpected calendar invites or QR code attachments (quishing attacks)?

Best practices for defending your organization

To strengthen your defenses against this type of threat, Rapid7 recommends implementing the following:

  • Disable Direct Send by running the Set-OrganizationConfig -RejectDirectSend $true command in Exchange Online PowerShell if the feature is not required.

  • Enable "Reject Direct Send" in the Exchange Admin Center.

  • If Direct Send is required, configure a dedicated inbound connector restricted to authorized public IP addresses.

  • List only the static public IP addresses of authorized senders in the SPF record, so that mail claiming your domain from any other source fails SPF.

  • Implement a strict DMARC policy (e.g., p=reject).

  • Enforce "SPF hardfail" within Exchange Online Protection (EOP).

  • Use Anti-Spoofing policies.

  • Flag unauthenticated internal emails for review or quarantine.

  • Enforce MFA on all users and have Conditional Access Policies in place in case a user's credentials are stolen.

  • Educate users on the risks associated with QR code attachments (quishing attacks) and to be vigilant about unexpected calendar invites before accepting them.
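The configuration steps above, worked through in Exchange Online PowerShell as an added example (not a Rapid7 script). It assumes the operator holds an Exchange administrator role, and the connector name, the domain contoso.example and the range 203.0.113.0/24 are placeholders for the tenant's own accepted domain and the real addresses of approved devices.

```powershell
# Added example (not Rapid7's own script): audit and harden Direct Send in
# Exchange Online with the ExchangeOnlineManagement module. Placeholders:
# "contoso.example" is the tenant's own accepted domain and 203.0.113.0/24
# stands for the public IPs of approved devices (printers, scanners, apps).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Audit: does the tenant still accept unauthenticated Direct Send?
$org = Get-OrganizationConfig
if (-not $org.RejectDirectSend) {
    Write-Warning "RejectDirectSend is off: unauthenticated Direct Send is accepted."
}

# 2. Decide based on question 1 above; set to $true only for a documented need.
$directSendRequired = $false

if (-not $directSendRequired) {
    # No business need: reject Direct Send for the whole tenant.
    Set-OrganizationConfig -RejectDirectSend $true
}
else {
    # Direct Send is needed: create a dedicated inbound connector so that mail
    # claiming the internal domain is accepted only from the listed IPs and
    # rejected from every other source.
    New-InboundConnector -Name "Approved Direct Send devices (placeholder)" `
        -ConnectorType OnPremises `
        -SenderDomains "contoso.example" `
        -SenderIPAddresses "203.0.113.0/24" `
        -RestrictDomainsToIPAddresses $true
}

# 3. Treat SPF hard failures as spam in the default EOP content filter policy.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

# 4. Record the resulting state for the change ticket.
Get-OrganizationConfig | Select-Object RejectDirectSend
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderIPAddresses, RestrictDomainsToIPAddresses
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object MarkAsSpamSpfRecordHardFail

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit section first on its own and review the output before applying the Set-* and New-InboundConnector changes, since a connector with the wrong domain or IP list can block legitimate mail.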

How Rapid7 is supporting customers

Because of how the Direct Send feature is designed, there is no telemetry that allows the abuse itself to be detected directly. However, detection opportunities exist in the subsequent login activity that follows a successful phish. Rapid7’s Threat Intelligence and MDR teams have launched targeted hunts and continue to refine detection rules to identify these attacks as early as possible.

