Security Alert: Direct Send Email Spoofing in Exchange Online
Vulnerability detected for Exchange Online Direct Send feature
Research conducted in May 2025 by Varonis Threat Labs found that Microsoft 365’s Direct Send feature, intended for internal use by devices like printers and scanners, has recently been weaponized by threat actors in a wave of stealthy phishing attacks.
What you need to know
- Impacted software: The vulnerability affects the Exchange Online Direct Send feature, which allows emails to be sent without tenant authentication and is intended for internal use.
- The threat: Because no authentication is required, attackers identify vulnerable organizations and take note of their public records so they can send spoofed emails that appear to originate from inside the organization.
- Who is affected: Organizations set up to use the Direct Send feature in Exchange Online.
- Coordination: Microsoft is working on an option to disable Direct Send by default to protect customers.
Recommended security measures
- Enable “Reject Direct Send” in the Exchange Admin Center.
- Implement a strict DMARC policy (e.g., p=reject).
- Flag unauthenticated internal emails for review or quarantine.
- Enforce “SPF hardfail” within Exchange Online Protection (EOP).
- Use Anti-Spoofing policies.
- Educate users on the risks associated with QR code attachments (Quishing attacks).
- It’s always recommended to enforce MFA on all users and have Conditional Access Policies in place, in case a user’s credentials are stolen.
- Enforce a static IP address in the SPF record to prevent unwanted send abuse. This is recommended by Microsoft but not required.
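To illustrate the "flag unauthenticated internal emails" measure, the following added example (not part of the original alert or any Microsoft tooling) triages raw messages by comparing the From domain with the DMARC verdict in the Authentication-Results header. It assumes the receiving mail service stamps that header as the topmost one, and `example.com` stands in for the tenant's accepted domain; both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def auth_verdicts(msg):
    """Parse spf/dkim/dmarc verdicts from the topmost Authentication-Results
    header (assumed to be the one stamped by the receiving mail service)."""
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return {}
    return {m.lower(): v.lower() for m, v in VERDICT_RE.findall(headers[0])}

def triage(raw_message):
    """Return (action, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return ("skip", "sender domain is not internal")
    verdicts = auth_verdicts(msg)
    # DMARC pass means SPF or DKIM passed and aligned with the From domain.
    if verdicts.get("dmarc") == "pass":
        return ("deliver", "internal sender passed DMARC")
    detail = ", ".join(f"{k}={v}" for k, v in sorted(verdicts.items())) or "no results"
    return ("flag", f"internal From domain without DMARC pass ({detail})")

# Constructed sample messages (not taken from a real incident).
SPOOFED = (
    "Authentication-Results: spf=softfail (sender IP is 203.0.113.7)\n"
    " smtp.mailfrom=example.com; dkim=none (message not signed)\n"
    " header.d=none; dmarc=fail action=none header.from=example.com\n"
    "From: Alice <alice@example.com>\n"
    "To: alice@example.com\n"
    "Subject: test\n\nbody\n"
)
LEGIT = (
    "Authentication-Results: spf=pass smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Bob <bob@example.com>\nTo: alice@example.com\nSubject: Notes\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, triage(raw))
```

A message with an internal From address and no authentication results at all is flagged too; whether that is the right default depends on how your mail flow stamps internal messages.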
We understand the urgency of this situation and recommend that all affected customers prioritize these security measures. If you have any questions or require assistance, please contact Team Venti support at support@teamventi.com.