Direct Send Abuse
6 August 2025
- Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails
- The technique effectively circumvents perimeter security solutions by routing malicious emails through Microsoft 365's trusted infrastructure
- Requires no credentials or tokens, only knowledge of the target domain and valid recipient addresses
- This represents a critical gap in email security defenses by bypassing external security filters that scan inbound mail from external sources
Overview
The Mimecast threat research team continues to observe malicious email campaigns exploiting Microsoft 365's Direct Send functionality. This attack vector allows threat actors to send emails that appear to come from internal users without requiring authentication or account compromise. The technique has gained traction because it effectively bypasses perimeter security solutions and leverages the inherent trust users place in internal communications. This emerging threat represents a critical gap in email security defenses for organizations using Microsoft 365.
Attack Methodology
Direct Send is a legitimate Microsoft 365 feature designed to allow devices, applications, and third-party services to send emails directly to users' mailboxes without authentication. Attackers exploit this functionality by connecting to Microsoft 365's SMTP endpoint and sending emails that spoof internal senders. The attack process involves three key steps:
- Attackers identify valid organizational domains and recipient email addresses through reconnaissance.
- Emails are crafted to impersonate trusted internal users or departments, often mimicking common business communications like IT notifications or HR announcements.
- These spoofed emails are delivered directly through Microsoft 365's infrastructure, where they appear as internally routed messages.
Unlike traditional email spoofing, Direct Send abuse requires no authentication credentials: no username, password, or token. Attackers only need knowledge of the target organization's domain and valid recipient addresses. This technique is particularly effective because the emails traverse Microsoft 365's trusted infrastructure, making them appear legitimate to both security systems and end users. The lack of authentication requirements means attackers can impersonate any internal user without needing to compromise legitimate accounts.
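As an added example (not code from the advisory), a header triage check for the pattern just described: a message whose From address is the organization's own domain, but whose connecting host is not one of the organization's authorized senders. The tenant domain, the authorized-sender list and the header layout are constructed assumptions.

```javascript
// Added example, not from the advisory: a header triage check for the pattern
// described above (From is the organisation's own domain, but the host that
// connected to Exchange Online is not one of its authorised senders).
// Domain, sender list and header layout are constructed assumptions.
const ORG_DOMAIN = "contoso.example";                   // assumed tenant domain
const AUTHORISED_SENDERS = new Set(["198.51.100.20"]);  // assumed SPF-listed hosts
// Constructed sample headers in the layout Exchange Online Protection uses
// for Received and Authentication-Results; every value is invented.
const SAMPLE_HEADERS = `Received: from [203.0.113.7] (203.0.113.7) by
 MX0001.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=contoso.example; dkim=none; dmarc=fail action=none
 header.from=contoso.example
From: "IT Helpdesk" <it-helpdesk@contoso.example>
Subject: Mandatory Revalidation of Login Credentials
`;
// Unfold RFC 5322 continuation lines and split into [name, value] pairs.
function parseHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/).filter(Boolean).map((l) => {
    const i = l.indexOf(":");
    return [l.slice(0, i).toLowerCase(), l.slice(i + 1).trim()];
  });
}
const header = (h, name) => h.find(([n]) => n === name)?.[1] ?? "";

function fromDomain(h) {
  const m = header(h, "from").match(/@([A-Za-z0-9.-]+)/);
  return m ? m[1].toLowerCase() : "";
}
// The IP in the Received line stamped by the *.mail.protection.outlook.com
// host is the client that connected to the tenant's inbound endpoint.
function connectingIp(h) {
  const hop = h.find(([n, v]) => n === "received" && /by \S+\.mail\.protection\.outlook\.com/i.test(v));
  const m = hop?.[1].match(/\((\d{1,3}(?:\.\d{1,3}){3})\)/);
  return m ? m[1] : "";
}
function spfResult(h) {
  const m = header(h, "authentication-results").match(/\bspf=(\w+)/);
  return m ? m[1] : "none";
}
// Reasons a message matches the Direct Send abuse pattern; empty means clean.
function directSendIndicators(raw) {
  const h = parseHeaders(raw);
  if (fromDomain(h) !== ORG_DOMAIN) return [];           // not an own-domain sender
  const reasons = [];
  const ip = connectingIp(h);
  if (ip && !AUTHORISED_SENDERS.has(ip)) reasons.push(`own-domain From via unauthorised host ${ip}`);
  if (spfResult(h) !== "pass") reasons.push(`spf=${spfResult(h)} for own-domain sender`);
  return reasons;
}
```

The sending IPs listed under Indicators of Compromise below can be added as a further blocklist check alongside the authorized-sender test.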
Campaign Information
Organizations face significant exposure to credential theft, business email compromise, and malware delivery through this attack vector. The implicit trust associated with internal communications increases the likelihood of successful user interaction with malicious content.
Recent campaigns have demonstrated the effectiveness of this technique, with threat actors successfully harvesting credentials and establishing footholds for lateral movement within targeted environments. The abuse of Direct Send has been particularly successful with organizations that rely heavily on email communications for business operations.
Although Direct Send abuse emails do not traverse Mimecast, recently observed campaigns contain PDF or DOCX attachments with QR codes, or heavily obfuscated HTML attachments, all leading to credential-harvesting phishing pages.
Analysis of the attached PDF and DOC files reveals that the threat actors are leveraging automated tooling to generate convincing business-themed lures as part of a phishing campaign exploiting Microsoft’s Direct Send feature. The PDF attachments were predominantly created using wkhtmltopdf 0.12.6 (Qt 4.8.7), a tool commonly used to convert HTML templates into PDFs at scale, while the DOCX files were produced with Microsoft Office Word 2007, a legacy version that supports features often abused in phishing, such as file recovery prompts and macro compatibility. The consistent use of these tools, along with the rapid, same-day creation of multiple themed documents, indicates a coordinated and template-driven approach designed to maximize delivery and bypass traditional security controls.
HTML Analysis
One notable HTML attachment shows heavy homoglyph obfuscation. At first glance the code appears to reuse a single variable, but it actually defines and manipulates more than a hundred variables, each named with three visually similar UTF-8 (Unicode) characters. This technique, known as Unicode or homoglyph obfuscation, makes manual analysis extremely challenging and can defeat many automated detection tools. The script avoids any readable strings or direct assignments. Instead, it relies on JavaScript quirks and type-coercion tricks, such as !1+[] (which yields the string "false"), []+{} (which produces "[object Object]"), and "foo"&"bar" (which always evaluates to 0, because both operands coerce to NaN before the bitwise AND), to generate basic integers and strings. These integers are then used as array indices or summed into ASCII codes, which are dynamically assembled into the final payload using functions like String.fromCharCode. The code calls document.write() to render the malicious content, which leads the user to a phishing site. All of this happens without any useful strings present in the static code, making static analysis and signature-based detection extremely difficult.
Other HTML attachments identified predominantly rely on a similar mix of UTF-8 characters to heavily obfuscate the file.
Indicators of Compromise
Initial sending IPs
141.95.71.216
141.95.114.238
139.28.38.90
23.163.0.158
51.89.87.86
Email subjects
New Employee Handbook and Organizational Update
Recognition of Your Work Contributions – Compensation Update
Mandatory Revalidation of Login Credentials
Confirmation: 2025 Year-End Bonus Added to Your Payslip
Action Required: [Company Name] Employee Assessment
Domains
Jmvthr[.]owlrd[.]ru
Eiregirc[.]ru
Mettsoll[.]com
djvzk[.]uekmu[.]es
Mitigation Steps
- Enable “Reject Direct Send” Setting: If your organization does not need Direct Send, disable it. In the Exchange Admin Center, enable the “Reject Direct Send” setting. This will prevent unauthorized use of the Direct Send feature by rejecting emails that attempt to use this method without proper authentication.
- Enable strict DMARC or SPF records
Configure M365 with Mimecast
- Follow the Connect Process for Microsoft 365 Mail Lockdown to prevent illegitimate senders from being accepted.
- If the organization does use Direct Send, follow these filtering and configuration steps to ensure that only authorized mail is coming through.
Environmental Assessment
Before enabling this feature, organizations should review their environment for devices or applications that rely on unauthenticated SMTP for legitimate business functions. Legacy systems, printers, scanners, and line-of-business applications may require configuration updates to use authenticated sending methods.