August 8, 2025
Author: Kat Calejo
If you got an email from your CEO, your finance lead, or a teammate you’ve known for years, you’d probably trust it. That’s exactly what attackers are counting on.
A new phishing tactic is using Microsoft 365’s Direct Send feature to make emails look like they’re coming from inside your organization, even though they’re not.
And because this isn’t a “bug” but a built-in function of Microsoft 365, it’s slipping past traditional defenses and landing in your primary inboxes (and junk folders) with alarming ease.
This isn’t just a technical problem. It’s a trust problem. When employees can’t tell whether an email from “inside” is real, every request becomes a potential risk, and attackers know it.
In this blog, we’re going to break this down in a way that actually makes sense, and help you understand how to protect yourself before it’s too late.
But first…
What is Direct Send?
Direct Send is a Microsoft 365 feature that was designed for convenience. It lets certain devices and applications (like multifunction printers or older software) send emails to people inside your organization without needing a username or password.
In theory, it’s handy. That office scanner can email you a PDF without logging into an account. That legacy application can fire off alerts without extra configuration.
The problem? Attackers have figured out they can use the same pathway to make an email look like it came from inside your company without ever breaking into an actual account. All they need is access to the right mail relay, and they can send messages that appear internal, bypassing many of your security checks.
Now that we’ve covered that, let’s help you understand what’s going on right now, and why it’s so important to stay ahead of it.
What’s going on right now
Cybercriminals are taking advantage of a loophole in Microsoft 365’s Direct Send feature to send emails that look like they’re coming from inside your company. No stolen passwords. No hacked accounts. Just emails that appear internal and, to the average employee, trustworthy.
Here’s how it works: Direct Send is meant for things like office printers or legacy apps that need to send emails without logging in.
But attackers have figured out they can abuse it by routing their phishing messages through unsecured mail relays (the middleman for your email: a server that passes messages along from one system to another so they land where they’re supposed to), then into Microsoft 365 using your company’s domain.
Why does this matter? Hackers have figured out how to send messages that look like they came from your own team, but are actually from an external source.
These emails can slip past built-in filters, sometimes landing in junk folders, where they are still accessible to employees.
The lures are business-themed and believable, like a task reminder, a wire transfer request to a vendor, or a voicemail notification, which makes them more likely to be opened. And once that happens, credentials, sensitive data, and even your company’s reputation are on the line.
Why you should (really) care
When an email looks like it’s from your own organization, most people’s guard drops.
After all, it’s not some random outside address; it’s “from” a colleague, a manager, or even the CEO. That’s exactly why this tactic works so well.
These fake internal emails can easily trick employees into clicking a malicious link, handing over their credentials, or sharing sensitive information. And because the message appears internal, your team may not think twice about following the instructions.
“The danger with this type of phishing is it’s not taking advantage of a bug; it’s taking advantage of trust,” says Jose Sandoval, System Administrator at NTS. “Direct Send is a normal Microsoft 365 feature, but attackers can exploit it to make emails look like they’re from inside your organization. That means people let their guard down because it doesn’t look like it’s coming from the outside.”
This isn’t just an IT issue. A single successful phish can lead to a full-blown data breach, financial loss, compliance violations, and a hit to your company’s reputation.
At the end of the day, clients and partners won’t care whether it was an “internal” exploit or an external hack; they see your brand name attached to a compromise, and trust takes the hit.
This is a business risk with bottom-line consequences. If leadership isn’t paying attention, the cost won’t just be in IT hours. It’ll be in lost revenue, damaged relationships, and regulatory headaches.
What makes this so dangerous
The real danger here is that nothing is “broken” in the traditional sense. Direct Send is doing exactly what it was designed to do: letting certain devices and applications send email internally without logging in.
There’s no “vulnerability” to patch, no CVE number to track, and no emergency update coming from Microsoft.
That means the usual playbook for fixing security issues doesn’t apply. Attackers are abusing a legitimate feature, which makes their activity blend in with normal traffic. Security tools can flag these messages as suspicious, but they still get delivered (sometimes straight to junk folders, sometimes to inboxes), where a curious click is all it takes to set the trap.
The absence of a clear “bug” also means this risk can sit unnoticed for months. By the time someone realizes what’s happening, the attacker may have already harvested credentials, accessed sensitive systems, or launched more attacks using your organization’s identity as cover.
What you can do about it right now
You can’t wait for Microsoft to “fix” this because it’s not exactly broken.
The only real defense is tightening your own configuration.
Start by figuring out if your organization even uses Direct Send. If you do, lock it down so only approved devices and apps can use it.
If Direct Send feels a little too open-door for comfort, there are safer ways to send automated emails. We recommend tools like SMTP2GO when you need more control, better logging, and real authentication without giving attackers an easy in. We’ve helped clients make the switch when Direct Send just isn’t worth the risk.
From there, monitor your traffic. Look out for unauthenticated messages that look internal, and don’t assume SPF, DKIM, or DMARC will catch them because they probably won’t. These emails slip through the cracks those tools don’t cover.
The goal is to cut off the attacker’s ability to blend in with legitimate internal messages. That means closing the open doors, watching the ones that have to stay open, and making sure the people relying on email every day know what a suspicious “internal” message might look like.
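Detection logic for the monitoring step above, as an added example that is not part of the original post: it reads a message’s Authentication-Results and Received headers and flags any message whose From address uses your own domain but that arrived without passing SPF or DKIM from a host that is not on your list of approved Direct Send devices. ORG_DOMAIN, APPROVED_DEVICE_IPS and the two sample messages are constructed assumptions, not data from any real tenant.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

ORG_DOMAIN = "example.com"               # assumption: the tenant's accepted domain
APPROVED_DEVICE_IPS = {"203.0.113.10"}   # assumption: the one scanner allowed to use Direct Send

def parse_auth_results(header: str) -> dict:
    """Map 'spf=fail (...); dkim=none ...; dmarc=fail ...' to {'spf': 'fail', ...}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header)}

def connecting_ip(msg) -> Optional[str]:
    """IP of the host that handed the message to Microsoft 365 (topmost Received header)."""
    for received in msg.get_all("Received", []):
        found = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
        if found:
            return found.group(1)
    return None

def classify(raw: str) -> dict:
    """Flag a message that claims an internal From but arrived unauthenticated from an unknown host."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    ip = connecting_ip(msg)
    looks_internal = from_domain == ORG_DOMAIN
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    return {"from_domain": from_domain, "ip": ip, "auth": auth,
            "suspicious": looks_internal and not authenticated and ip not in APPROVED_DEVICE_IPS}

# Constructed sample: a spoofed "CEO" message relayed in from an external host (198.51.100.77).
SPOOFED = """\
Received: from relay.example.net ([198.51.100.77]) by mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none
 header.from=example.com; compauth=fail reason=000
From: "CEO" <ceo@example.com>
Subject: Wire transfer to vendor

Please process today.
"""

# Constructed sample: the approved office scanner, also unauthenticated but from a known IP.
SCANNER = """\
Received: from scanner.example.com ([203.0.113.10]) by mail.protection.outlook.com
Authentication-Results: spf=none smtp.mailfrom=example.com; dkim=none; dmarc=none
From: scanner@example.com
Subject: Scanned document

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("scanner", SCANNER)):
        print(name, classify(raw))
```

Point the same check at message-trace exports or a mailbox journal to review everything that arrived from the Direct Send path, and treat any hit that is not an approved device as a candidate for quarantine.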
This is one of those risks where a little proactive effort now can save you a lot of damage control later.
Don’t let a feature become a backdoor
Direct Send isn’t a vulnerability you can patch.
It’s a built-in feature that attackers are more than happy to abuse. And when those spoofed emails look like they came from your own people, the stakes go way beyond a single phishing click. Internal trust erodes. Operations slow down. And one “safe-looking” email can turn into a costly breach.
The good news? You don’t have to wait for Microsoft to change the rules.
With the right configurations, proactive monitoring, and a strategic security partner, you can close this gap before it’s exploited. At NTS, we help businesses like yours spot these blind spots, lock them down, and keep email (internal and external) a channel your team can actually trust.
If you want to make sure Direct Send isn’t quietly working against you, all it takes is 15 minutes.
We’ll review your setup, identify the risks, and put a plan in place to shut them down for good. Contact us to schedule your complimentary session.
