Microsoft 365 Direct Send Abuse: Why Internal-Looking Phishing Reaches Small Businesses

Microsoft 365 Direct Send Abuse: Why Internal-Looking Phishing Reaches Small Businesses
Many small businesses train employees to watch for strange sender addresses, misspelled domains, and messages that come from outside the company.
That advice still matters. But some Microsoft 365 phishing threats are harder to spot because the message can appear to come from an internal address.
One example is abuse of Microsoft 365 Direct Send and related mail-routing misconfigurations. Direct Send is a legitimate Exchange Online mail-flow method that can allow devices, applications, or services to send email directly to internal Microsoft 365 recipients without normal user authentication. It is often used for printers, scanners, alerts, line-of-business applications, and internal notifications.
In the wrong configuration, that convenience can become a security problem. Attackers may send messages that look like they came from HR, accounting, IT, a manager, or a shared mailbox. The email may ask the employee to open a document, approve a payment change, scan a QR code, enter Microsoft 365 credentials, or download a file.
For a small business, the risk is not just one suspicious email. It is misplaced trust. If employees believe a message is internal, they are more likely to act quickly.
Why This Topic Is Timely
Microsoft introduced more control over Direct Send in Exchange Online in 2025 through a tenant-level setting called RejectDirectSend. Security vendors and Microsoft-focused administrators continued warning about Direct Send abuse and gateway-bypass risk into 2026, especially where Microsoft 365 mail flow, third-party filtering, connectors, SPF, DKIM, DMARC, and spoof protections are not reviewed together.
Microsoft also reported in January 2026 that phishing actors were exploiting complex routing and misconfigured spoof protections to spoof domains. Microsoft noted that some campaigns used phishing-as-a-service platforms such as Tycoon2FA and included fake invoices, voicemail themes, password reset lures, HR communications, and adversary-in-the-middle techniques designed to bypass MFA.
The keyword cluster behind this post is practical and buyer-relevant: Microsoft 365 Direct Send abuse, Reject Direct Send Exchange Online, internal email spoofing, Microsoft 365 gateway bypass, SPF DKIM DMARC Microsoft 365, business email compromise, and email security for small business.
This is not a vanity topic. It connects to the business outcomes small and midsize businesses care about: fewer phishing emails in user inboxes, better protection against invoice fraud, cleaner Microsoft 365 configuration, stronger email authentication, and more confidence that internal-looking messages are actually trustworthy.
What Direct Send Is Supposed to Do
Direct Send exists because businesses still have systems that need to send email.
Common examples include:
- Multifunction printers that scan documents to email
- Building, camera, backup, or monitoring alerts
- Line-of-business applications that send internal notices
- Reporting tools that email status updates
- Legacy systems that cannot easily use modern authentication
- Third-party hosted applications that send messages as the company domain
Microsoft documents Direct Send as one of several ways devices and applications can send mail through Microsoft 365. Other methods include authenticated SMTP submission, SMTP relay through a connector, and High Volume Email for Microsoft 365.
The important difference is authentication. Direct Send is intended for sending unauthenticated email directly to internal recipients in the organization's Microsoft 365 tenant. That can be useful, but it also means businesses should not treat it as a set-and-forget convenience.
If nobody knows which devices or services use Direct Send, the business may not know what will break if it is blocked. If Direct Send remains open without review, the business may leave an unnecessary path for spoofed internal-looking messages.
Why Internal-Looking Phishing Works
People make decisions based on context.
An employee may hesitate when an email comes from a strange external address. The same employee may react faster when the message appears to come from:
hr@yourcompany.comit@yourcompany.comaccounting@yourcompany.com- a department manager
- a shared mailbox
- an executive display name
- a scanner or automated notification address
Attackers understand that trust pattern. A spoofed internal email can make a request feel routine: reset your password, review a payroll change, open a scanned file, approve an invoice, confirm a vendor update, or sign into Microsoft 365.
This is especially dangerous for small businesses because employees often know each other and move quickly. A finance user may not question an urgent message that appears to come from leadership. A receptionist may open a scanned document because scanning to email is normal. A manager may approve a file-sharing request because the sender looks familiar.
The attacker is not only exploiting technology. They are exploiting the way the business works.
Where the Risk Usually Comes From
Direct Send abuse and internal spoofing risk usually come from several overlapping problems, not one isolated setting.
1. Direct Send Is Allowed Even Though It Is Not Needed
Some Microsoft 365 tenants allow Direct Send by default or never revisit whether it is still required.
That may be reasonable if the business depends on specific devices or systems that send internal mail this way. It is not reasonable if nobody can name those systems, identify their source IPs, or explain why a safer method is not being used.
If the business does not need Direct Send, blocking it can remove a path attackers may try to abuse.
2. Legacy Printers and Applications Are Poorly Inventoried
Many SMBs have years of accumulated email senders:
- old scanners
- phone systems
- security tools
- billing software
- ERP or CRM alerts
- website forms
- backup reports
- cloud applications
- vendor platforms
Some were configured by a former employee or vendor. Some use outdated authentication. Some send from the company domain without clean ownership. Some are still in DNS or SPF records even though the business no longer uses them.
Email security improves when those senders are inventoried and assigned an owner.
3. Connectors and Third-Party Gateways Are Misconfigured
Many businesses use a third-party email gateway, security filter, or archiving service in front of Microsoft 365.
That can be a strong design when configured correctly. It can also create a gap if Exchange Online accepts mail directly from the internet or if connectors trust too much traffic. Microsoft has specifically called out complex routing and misconfigured spoof protections as conditions attackers can exploit.
The business should know whether inbound mail is forced through the intended filtering path, whether Enhanced Filtering for Connectors is configured when appropriate, and whether Exchange Online is accidentally accepting messages that bypass the security gateway.
4. SPF, DKIM, and DMARC Are Missing or Weak
Email authentication is not perfect, but it is foundational.
SPF identifies which systems are allowed to send mail for a domain. DKIM signs messages so recipients can validate that the message was authorized and not altered. DMARC helps align the visible From domain with SPF or DKIM results and gives the domain owner a way to monitor and enforce policy.
Microsoft describes SPF, DKIM, and DMARC as interdependent building blocks. Anything less than all of them provides weaker protection against spoofing and phishing.
Small businesses often have partial email authentication. For example, SPF may include Microsoft 365 but omit a marketing platform. DKIM may never have been enabled for the custom domain. DMARC may be missing, stuck at monitoring-only, or ignored because no one reviews reports.
That leaves room for spoofing, delivery failures, and inconsistent trust signals.
5. Anti-Phishing Policies Are Present but Not Tuned
Microsoft 365 includes baseline anti-phishing and anti-spoofing protections for cloud mailboxes, and Microsoft Defender for Office 365 adds more advanced impersonation, domain, and sender protection.
The licensing matters, but configuration matters too.
Common gaps include:
- no custom impersonation protection for executives or finance users
- weak domain impersonation settings
- overused allow lists
- no review of spoof intelligence
- Safe Links or Safe Attachments not enabled where licensed
- user reporting not configured or not monitored
- no process for reviewing false positives and missed phish
Buying security tools is not the same as operating them.
Warning Signs Employees Should Recognize
Employees do not need to understand mail flow to catch suspicious behavior.
They need simple, practical rules.
Treat an internal-looking email as suspicious when it:
- asks for a password, MFA approval, device code, or QR-code login
- claims to be a scanned document, voicemail, payroll notice, invoice, or HR alert you were not expecting
- asks for urgent payment, banking, vendor, or gift-card action
- includes a link to review a Microsoft 365 file but the workflow feels unusual
- uses an internal display name but the tone, timing, or request feels wrong
- pressures the user to bypass normal approval steps
- comes from a scanner, shared mailbox, or automated address but asks for sensitive action
A useful rule is this: internal-looking email still has to make business sense. If a request involves money, credentials, customer data, HR records, or access changes, verify it through a known trusted channel.
What Small Businesses Should Review
A practical Microsoft 365 email security review does not start with panic. It starts with visibility.
1. Inventory Devices and Applications That Send Email
List every system that sends mail as the business domain.
Include printers, scanners, websites, CRM tools, billing systems, monitoring tools, backup tools, ticketing platforms, marketing platforms, and vendor systems.
For each sender, record:
- owner
- business purpose
- sender address
- source IP or service
- authentication method
- destination recipients
- whether it sends internal only or external too
- whether it is still needed
This inventory is the foundation for SPF cleanup, connector review, Direct Send decisions, and incident response.
2. Check Whether Direct Send Is Needed
Microsoft added a tenant-level RejectDirectSend setting so organizations can reject unauthenticated Direct Send messages from their own accepted domains to their own mailboxes.
Before enabling it broadly, review legitimate usage. Printers, applications, and notification tools may need changes. In some environments, SMTP relay, High Volume Email for Microsoft 365, Azure Communication Services Email, or another authenticated approach may be a better fit.
The goal is not to break useful business systems. The goal is to remove unauthenticated sending paths that the business does not actually need.
3. Review Mail Flow and Gateway Bypass
If the business uses a third-party email security gateway, confirm that inbound mail cannot casually bypass it by sending directly to Microsoft 365.
Review:
- MX records
- Exchange Online connectors
- Enhanced Filtering for Connectors
- accepted domains
- transport rules
- allow lists
- third-party gateway configuration
- message headers from suspicious internal-looking mail
Gateway bypass risk is easy to underestimate because the normal mail path may look fine during everyday use. The question is whether an attacker can reach the tenant through a different path.
4. Fix SPF, DKIM, and DMARC as a System
Do not treat SPF, DKIM, and DMARC as one-time DNS chores.
Review every sender. Remove old SPF includes. Enable DKIM for Microsoft 365 custom domains. Make sure third-party senders are aligned. Publish DMARC in monitoring mode if needed, review reports, fix legitimate senders, then move toward stronger enforcement when the domain is ready.
For many SMBs, this is where hidden sprawl appears. Old vendors, abandoned tools, and undocumented sending services often show up during email authentication cleanup.
5. Tune Microsoft Defender for Office 365 Policies
Review anti-phishing, anti-spoofing, Safe Links, Safe Attachments, quarantine, user reporting, and Zero-hour auto purge settings where the tenant's licensing supports them.
High-risk people and mailboxes deserve special attention:
- owners
- executives
- finance
- HR
- IT administrators
- shared accounting mailboxes
- public-facing mailboxes
- employees who approve vendor or banking changes
The business should also review exceptions. Broad allow lists can turn a good email security stack into a suggestion.
6. Monitor for Mailbox Rules and Account Compromise
Internal spoofing and Direct Send abuse can be part of a larger business email compromise chain.
Watch for:
- new inbox rules that hide or forward mail
- suspicious external forwarding
- unusual sent mail
- failed and successful sign-ins from unfamiliar locations
- new MFA methods
- OAuth app consent grants
- finance, HR, or executive mailbox activity outside normal patterns
- messages sent from shared mailboxes without a clear owner
If an account is compromised, attackers may use that mailbox to send more believable internal messages. Direct Send is one risk. Real account compromise is another. The review should cover both.
Business Process Controls Reduce the Damage
Technical controls make phishing harder. Business controls make fraud harder.
Every small business should have a written rule for payment and vendor changes: never approve new banking details, wire instructions, ACH changes, gift-card purchases, payroll updates, or urgent invoice changes based only on email.
Use a second channel that is already trusted, such as a known phone number on file. Do not use the phone number or link provided in the suspicious email thread.
The same idea applies to account changes. Employees should not reset MFA, approve app permissions, enter device codes, scan QR login codes, or change recovery information because an email tells them to.
Good process gives employees permission to slow down suspicious requests, even when the email appears internal.
A Simple Microsoft 365 Direct Send and Spoofing Checklist
Use this checklist as a starting point:
- Do we know whether Direct Send is used in our tenant?
- Have we reviewed whether
RejectDirectSendshould be enabled? - Do we have an inventory of devices and applications that send email as our domain?
- Are old senders removed from SPF and vendor records?
- Is DKIM enabled for Microsoft 365 custom domains?
- Is DMARC published, monitored, and moving toward enforcement when ready?
- Can inbound mail bypass our third-party email security gateway?
- Are Exchange Online connectors scoped and documented?
- Are anti-phishing and anti-spoofing policies tuned for executives, finance, HR, and key domains?
- Are broad allow lists reviewed and minimized?
- Do employees know that internal-looking email can still be suspicious?
- Do payment and vendor changes require out-of-band verification?
If several answers are "not sure," that is a meaningful risk. It is also a manageable one. Most improvements start with inventory, cleanup, and a few careful configuration decisions.
How CybarWorks Can Help
CybarWorks helps small and midsize businesses make Microsoft 365 email security practical, measurable, and manageable.
That includes reviewing Exchange Online mail flow, Direct Send exposure, SPF, DKIM, DMARC, Defender for Office 365 policies, connector configuration, gateway bypass risk, mailbox forwarding, inbox rules, account compromise indicators, and business process controls around payments and sensitive requests.
If your business is not sure whether Microsoft 365 could accept internal-looking spoofed messages, CybarWorks can help turn that uncertainty into a clear action plan. We can identify the highest-risk gaps, prioritize fixes, protect productivity, and build an email security process that does not depend on guesswork.
To review your Microsoft 365 email security posture, contact CybarWorks.
Works Cited
- Microsoft Exchange Team Blog, Introducing more control over Direct Send in Exchange Online
- Microsoft Learn, How to set up a multifunction device or application to send email using Microsoft 365 or Office 365
- Microsoft Security Blog, Phishing actors exploit complex routing and misconfigurations to spoof domains
- Microsoft Learn, Email authentication in Microsoft Defender for Office 365
- Microsoft Learn, Anti-phishing policies in Microsoft 365
- Barracuda Trust Center, Microsoft 365 Direct Send Attacks


