An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.
Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.
However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.
Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down..
"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.
"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."
The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.
Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.
"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
Learn how JFrog detected a malicious package that steals MEXC credentials and crypto trading tokens to buy and sell futures on crypto trading platforms.
Cisco warned customers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
In C:\Users\username\AppData\Local\Palo Alto Networks\GlobalProtect there was a file called panGPA.log that contained something interesting:
Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which…
A handful cryptographers were asked for feedback on the architecture of the European Identity Wallet (the Architecture Reference Framwork (ARF), currently at version 1.4.0). We seized the opportunity to write a short report to urge Europe to reconsider the design, and to base it on the use of anonymous (aka attribute-based) credentials.
Anonymous credentials were designed specifically to achieve authentication and identification that are both secure and privacy-preserving. As a result, they fully meet the requirements put forth in the eiDAS 2.0 regulation. (The current design does not.) Moreover, they are by now a mature technology. In particular we recommend to use the BBS family of anonymous credentials, which are efficient and mathematically proven secure.
Cybercriminals are abusing Docusign by selling customizable phishing templates on cybercrime forums, allowing attackers to steal credentials for phishing…
Resecurity identified bad actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.
Following a recent and highly disruptive cyberattack on telecom carrier Orange España the cybersecurity community needs to rethink its approach to safeguarding the digital identity of staff involved in network engineering and IT infrastructure management. Orange España is the second-largest mobile operator in Spain. In early January, an attacker going by the alias ‘Snow’ hijacked Orange España’s RIPE Network Coordination Centre (NCC) account. RIPE is Europe’s regional Internet registry. After this initial breach, Snow sabotaged the telecommunications firm’s border gateway protocol (BGP) and resource public key infrastructure (RPKI) configurations.
Security Researcher Tom Forbes worked with the GitGuardian team to analyze all the code committed to PyPi packages and surfaced thousands of hardcoded credentials.
Netskope Threat Labs is tracking a campaign that uses malicious Python scripts to steal Facebook users’ credentials and browser data. This campaign targets Facebook business accounts with bogus Facebook messages with a malicious file attached. The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.
After analyzing millions of computers infected with info-stealing malware, researchers at Hudson Rock said they identified 120,000 that contained credentials used for logging into cybercrime forums.
Such credentials in the wrong hands could be dangerous, experts say, potentially allowing physical access to data centers. The affected data center operators say the stolen information didn’t pose risks for customer IT systems.
VirusTotal can be used to collect large amounts of credentials without infecting an organization or buying them online, researchers found.
In August 2022, the Vectra Protect team identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in.
Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc.
In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. This attack vector is not new, but it is unknown to many people and as we investigated further we found that the dangers were extensive. In this post, the GoSecure Titan Labs team will demonstrate that using a browser password manager with autofill could expose your credentials in a web application vulnerable to XSS.
We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts.
