Cyberveille curated by Decio
3 results tagged Microsoft-365
Microsoft 365 'Direct Send' abused to send phishing as internal users https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
26/06/2025 15:03:13

An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.

Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.

However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.

Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.

"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.

"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."

The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.

bleepingcomputer EN 2025 Credentials Direct-Send Email Microsoft Microsoft-365 Phishing
Microsoft 365 Admin portal abused to send sextortion emails https://www.bleepingcomputer.com/news/security/microsoft-365-admin-portal-abused-to-send-sextortion-emails/
20/11/2024 21:47:56

The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms.

bleepingcomputer EN 2024 Email Extortion Mail-Filters Microsoft-365 Microsoft-365-Admin-Portal Sextortion Security InfoSec Computer-Security
Microsoft Encrypted Restricted Permission Messages Deliver Phishing | Trustwave https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-encrypted-restricted-permission-messages-deliver-phishing/
15/06/2023 08:21:00

Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.

trustwave EN 2023 Phishing Microsoft Email Microsoft-365 rpmsg encrypted M365