An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.
Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.
However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.
Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.
"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.
"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."
The company has shared ways to disable the feature, which are explained later in the article, and says it is working on a way to deprecate the feature.
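The risk described above is that a message arriving unauthenticated from an outside host can carry a From: address in the tenant's own domain. One defender-side check is to look at what the gateway actually recorded: the source IP in the earliest Received header and the SPF/DKIM/DMARC verdicts in Authentication-Results. The following is an added example, not code from the article or from Microsoft; it assumes a placeholder tenant domain (`example.com`), placeholder internal address ranges, and a gateway that stamps a standard Authentication-Results header, and the three sample messages are constructed for the demonstration.

```python
"""Flag inbound mail that looks like Direct Send abuse (added example).

Heuristic: a message whose From: claims one of our own domains, which carries no
passing SPF, DKIM or DMARC result, and whose first hop into our smart host came
from an IP outside our own ranges, is suspect. Internal devices (printers,
scanners) that legitimately use Direct Send are exempted by their source IP.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}                                # placeholder tenant domain
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # placeholder internal range

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_results(msg):
    """Return {mechanism: verdict} parsed from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(hdr)}


def first_hop_ip(msg):
    """IP that handed the message to our smart host: the earliest (bottom) Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(str(received[-1]))
    return ipaddress.ip_address(m.group(1)) if m else None


def analyze_message(raw_text):
    """Classify one RFC 5322 message; returns the evidence and a 'suspect' verdict."""
    msg = email.message_from_string(raw_text, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    verdicts = auth_results(msg)
    ip = first_hop_ip(msg)
    internal_source = ip is not None and any(ip in net for net in OUR_NETWORKS)
    authenticated = any(verdicts.get(mech) == "pass" for mech in ("spf", "dkim", "dmarc"))
    suspect = from_domain in OUR_DOMAINS and not authenticated and not internal_source
    return {"from_domain": from_domain, "auth": verdicts,
            "source_ip": str(ip) if ip else None, "suspect": suspect}


# Constructed sample 1: external host sends "internal" mail straight to the smart host.
SPOOFED = """\
Received: from smarthost.example.com by mailbox01.example.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from bulk-sender.invalid ([198.51.100.7]) by smarthost.example.com; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Action required: voicemail

Please review the attached message.
"""

# Constructed sample 2: an on-premises scanner using Direct Send from an internal address.
SCANNER = """\
Received: from scanner-3f.example.com ([203.0.113.10]) by smarthost.example.com; Mon, 1 Jan 2024 11:00:00 +0000
Authentication-Results: spf=none smtp.mailfrom=example.com; dkim=none; dmarc=none header.from=example.com
From: scanner@example.com
To: finance@example.com
Subject: Scanned document

Scan attached.
"""

# Constructed sample 3: ordinary external mail that authenticates for its own domain.
PARTNER = """\
Received: from mx.partner.example.org ([192.0.2.44]) by smarthost.example.com; Mon, 1 Jan 2024 12:00:00 +0000
Authentication-Results: spf=pass smtp.mailfrom=partner.example.org; dkim=pass header.d=partner.example.org; dmarc=pass
From: alerts@partner.example.org
To: ops@example.com
Subject: Weekly report

Report attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("scanner", SCANNER), ("partner", PARTNER)):
        print(name, analyze_message(raw))
```

The exemption by source IP is what keeps legitimate Direct Send devices working; a tenant that has no such devices can drop that clause and treat every unauthenticated own-domain message as suspect, which is the spirit of Microsoft's advice to lock the smart host down.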
Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN.
The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive Editor Matt Murray said in a memo Sunday to employees.
“Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists’ accounts, and we have contacted those whose accounts have been impacted,” Murray said.
“We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers,” he added.
It was not immediately clear who was responsible for the hack. Journalists are regular targets for both state-backed spies, who are interested in tracking their reporting before it becomes public, and cybercriminals, who are interested in extorting news organizations.
A spokesperson for The Post declined to comment when asked who might be responsible for the hack.
The International Criminal Court’s chief prosecutor has lost access to his email, and his bank accounts have been frozen.
The Hague-based court’s American staffers have been told that if they travel to the U.S. they risk arrest.
Some nongovernmental organizations have stopped working with the ICC and the leaders of one won’t even reply to emails from court officials.
Those are just some of the hurdles facing court staff since U.S. President Donald Trump in February slapped sanctions on its chief prosecutor, Karim Khan, according to interviews with current and former ICC officials, international lawyers and human rights advocates.
The sanctions will “prevent victims from getting access to justice,” said Liz Evenson, international justice director at Human Rights Watch.
Trump sanctioned the court after a panel of ICC judges in November issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu and his former defense minister, Yoav Gallant.
Judges found there was reason to believe that the pair may have committed war crimes by restricting humanitarian aid and intentionally targeting civilians in Israel’s campaign against Hamas in Gaza — charges Israeli officials deny.
One reason the court has been hamstrung is that it relies heavily on contractors and non-governmental organizations. Those businesses and groups have curtailed work on behalf of the court because they were concerned about being targeted by U.S. authorities, according to current and former ICC staffers.
Microsoft, for example, cancelled Khan’s email address, forcing the prosecutor to move to Proton Mail, a Swiss email provider, ICC staffers said. His bank accounts in his home country of the U.K. have been blocked.
Microsoft did not respond to a request for comment.
Staffers at an NGO that plays an integral role in the court’s efforts to gather evidence and find witnesses said the group has transferred money out of U.S. bank accounts because they fear it might be seized by the Trump administration.
The Office of the Comptroller of the Currency (OCC) today notified Congress of a major information security incident, as required by the Federal Information Security Modernization Act.
This finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access. On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols, which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency. On February 12, the OCC disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated. The OCC provided public notice of the incident on February 26.
A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider.
Last week, a security researcher sent me 122GB of data scraped out of thousands of Telegram channels. It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the website the data pertains to. I've loaded it into Have I Been Pwned (HIBP) today because there's a huge amount of previously unseen email addresses and based on all the checks I've done, it's legitimate data. That's the high-level overview, now here are the details:
Two types of malicious documents have recently been distributed via email: those exploiting the equation editor and those containing external link URLs. This post describes the infection flow of the DanaBot malware distributed through documents containing external links, the latter method, along with the evidence and the detection process as shown in the AhnLab EDR product’s diagram. Figure 1 shows the content of a spam email with an attached Word document that contains an external link. As you can see, the email is elaborately disguised as a job application form to deceive the recipient. The attached file (.docx) is a Word document that contains an external link.
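A .docx is a ZIP archive of XML parts, and every link a part makes, internal or external, is declared in a sibling `.rels` file as a Relationship element; the "external link" technique relies on relationships marked `TargetMode="External"` whose type makes Word fetch the target when the file is opened (an attached template or embedded object, as opposed to a plain hyperlink the user must click). The scanner below is an added example, not code from the AhnLab post; it builds a constructed sample document in memory (the template URL is a placeholder, and the sample is not real malware) and lists which external relationships would trigger a fetch on open.

```python
"""List external relationships in a .docx and flag those fetched on open (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship types whose external target is retrieved automatically by Word.
# A "hyperlink" relationship is deliberately absent: it only fires on a click.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image", "subDocument"}


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rpartition("/")[2]   # last path segment
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def auto_fetched_links(docx_bytes):
    """External relationships that point to http(s) and are loaded without user interaction."""
    return [r for r in external_relationships(docx_bytes)
            if r[1] in AUTO_FETCH_TYPES and r[2].lower().startswith(("http://", "https://"))]


def _rels_xml(rels):
    """Serialise a list of (Id, type, target, mode) tuples as a .rels part."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OFFICE_REL}/{typ}" Target="{target}" TargetMode="{mode}"/>'
        for rid, typ, target, mode in rels)
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>')


def build_sample_docx(template_url=None):
    """Construct a minimal .docx: a clickable hyperlink in document.xml.rels and, when
    template_url is given, an external attachedTemplate in settings.xml.rels."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": _rels_xml(
            [("rId1", "hyperlink", "https://www.example.com/", "External")]),
        "word/_rels/settings.xml.rels": _rels_xml(
            [("rId1", "attachedTemplate", template_url, "External")] if template_url else []),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


PLACEHOLDER_TEMPLATE_URL = "http://template-host.invalid/t.dotm"   # placeholder, not a real IoC

if __name__ == "__main__":
    sample = build_sample_docx(PLACEHOLDER_TEMPLATE_URL)
    for part, rel_type, target in external_relationships(sample):
        print(f"{part}: {rel_type} -> {target}")
    print("auto-fetched on open:", auto_fetched_links(sample))
```

Running the scanner over a real mail attachment is the same two calls with the file's bytes; the split between `external_relationships` and `auto_fetched_links` keeps ordinary hyperlinks visible for triage without raising an alert on every document that merely cites a website.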
Anyone who has had to deal with HTML emails on a technical level has probably reached the point where they wanted to quit their job or just set fire to all the mail clients because of their inconsistent implementations. But HTML emails are not just a source of frustration; they can also be a serious security risk.