Overview
Proofpoint identified an active phishing campaign exploiting Microsoft 365 Direct Send, which delivered spoofed messages that appeared as internal emails.
The threat actor used unsecured third-party email security appliances as an SMTP relay and VPS assets for message injection. In many cases, Microsoft marked the messages as spoof attempts based on composite authentication failures. Unfortunately, the messages were still delivered to users’ junk folders, allowing the payloads to reach end users.
Direct Send is a feature in Microsoft 365 that allows devices and apps to relay messages to Microsoft tenants without authentication if the recipients are inside the organization. It is intended for multi-function printers and legacy applications. However, it can be misused to deliver unauthenticated messages that appear as internal emails. Put simply, this allows an external attacker to send emails that appear to come from within the organization without needing a valid account or password.
In recent email security proofs of concept we have observed threat actors exploiting this feature to inject spoofed phishing emails that bypass sender verification controls. Because the messages appear to originate inside the organization, they carry added credibility with Microsoft 365 users and are often delivered despite failing authentication checks.
Recommended Actions for Microsoft 365 customers
Here are some tips for protecting your organization:
- Audit mail flow rules for IP ranges that are accepted as unauthenticated relays, and monitor the Authentication-Results header of inbound messages for spoofing attempts that Microsoft has flagged with compauth=fail.
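The header check above can be automated. The following is an added example, not code from the original article or from Proofpoint: it parses the Authentication-Results header that Microsoft 365 stamps on inbound mail, extracts the compauth verdict and the connecting IP, and flags messages whose From domain is the tenant's own while the message arrived from an IP outside the trusted relay ranges. The tenant domain, the relay range and the two sample messages are constructed placeholders.

```python
"""Flag messages that look internal but failed Microsoft composite authentication (compauth)."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the tenant's own domain and the IP range of the
# email security relay that is allowed to deliver external mail. Both are placeholders.
TENANT_DOMAINS = {"example.com"}
TRUSTED_RELAYS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: an injected message claiming to be from the tenant's own domain,
# arriving from an IP that is not the tenant's relay. Values are placeholders written in
# the shape Microsoft 365 uses for the Authentication-Results header.
SPOOFED_MSG = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.50)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=example.com;
 compauth=fail reason=001
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password expires today

Open the attached document to keep your account active.
"""

# Constructed sample: an internal-looking message that arrived via the trusted relay.
LEGIT_MSG = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.20)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com;compauth=pass reason=100
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance

No action is needed.
"""

_KV = re.compile(r"([\w.]+)=([^\s;()]+)")          # key=value tokens, skipping (comments)
_SENDER_IP = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")


def parse_auth_results(value):
    """Return (fields, sender_ip) from one Authentication-Results header value."""
    flat = " ".join(value.split())                  # unfold and collapse whitespace
    fields = dict(_KV.findall(flat))
    match = _SENDER_IP.search(flat)
    return fields, (match.group(1) if match else None)


def assess(raw):
    """Return a verdict dict for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    reasons, sender_ip, compauth = [], None, None
    for header in msg.get_all("Authentication-Results", []):
        fields, ip = parse_auth_results(str(header))
        sender_ip = sender_ip or ip
        compauth = fields.get("compauth", compauth)
        if fields.get("compauth") == "fail":
            reasons.append("compauth=fail reason=%s" % fields.get("reason", "?"))
    # A From domain we own should only ever arrive from our own relay.
    if from_domain in TENANT_DOMAINS and sender_ip:
        addr = ipaddress.ip_address(sender_ip)
        if not any(addr in net for net in TRUSTED_RELAYS):
            reasons.append("internal From domain %s from untrusted IP %s" % (from_domain, sender_ip))
    return {
        "from_domain": from_domain,
        "sender_ip": sender_ip,
        "compauth": compauth,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, assess(raw))
```

Run this over exported junk-folder items or a message trace sample; a hit on the second rule (internal From domain from an untrusted IP) is the Direct Send pattern even when the compauth verdict is missing, which is why both checks are kept.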
Lock Down Rule Method
To open our documentation, click the '?' icon at the top right of the management UI and choose 'Help documentation'. This takes you to the current documentation at https://help.proofpoint.com/Proofpoint_Essentials, where you can search for this KB by its title (or, once on the search page, paste this article's URL into a new tab).
Add a mail flow rule to allow email to be sent ONLY from Proofpoint Essentials IPs
- While accessing the Exchange Admin Center, click mail flow then rules.
- Click + icon to access the pull down menu.
- Select Restrict messages by sender or recipient…
- In the new rule window, complete the required fields:
  - Enter a Name (e.g. "Only accept mail from Proofpoint").
  - For "Apply this rule if..." select "The sender is located..." and choose "Outside the organization".
  - For "Do the following..." select "Reject the message with the explanation...", enter the text "Unauthorized IP" and click OK.
  - For "Except if..." select "The sender..." and then "IP address is in any of these ranges or exactly matches", and enter the Proofpoint Essentials IP ranges for your region.
- Uncheck "Audit this rule with severity level".
- For "Choose a mode for this rule" select "Enforce".
We strongly recommend that you also add a second exception, after the "except if the sender IP address is in the range" exception, for calendar forwards: there is a bug in Office 365 where forwarded calendar items are treated as external rather than internal email, so without this exception the rule would reject them.
- Click on add another exception
- Choose "Message header...".
- Click on "Matches these text patterns".
- Click on "Enter text" and paste the following header name: "X-MS-Exchange-MeetingForward-Message".
- Click on "These text patterns" and enter the word "Forward".
- Click on SAVE.
- Click OK.
- Click Save.
The rule is now created with the necessary exceptions.
Get the IPs from:
Pay attention to whether your account is on the US or the EU platform, as the IP ranges differ.
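The same rule can be created from Exchange Online PowerShell, which is easier to review and to reproduce across tenants than clicking through the admin center. The following is an added example, not a script from the original article or from Proofpoint: each parameter corresponds to one of the steps above. The IP ranges are placeholders from documentation address space and must be replaced with the Proofpoint Essentials ranges for your region; the rule name is the one used in the steps.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and an Exchange administrator role in the tenant.
Connect-ExchangeOnline

# PLACEHOLDER ranges (RFC 5737 documentation space). Replace with the Proofpoint
# Essentials ranges for your platform (US or EU) from the IP list referenced above.
$relayRanges = @("198.51.100.0/24", "203.0.113.0/24")

$rule = @{
    Name                               = "Only accept mail from Proofpoint"
    FromScope                          = "NotInOrganization"            # "The sender is located outside the organization"
    RejectMessageReasonText            = "Unauthorized IP"              # "Reject the message with the explanation..."
    ExceptIfSenderIpRanges             = $relayRanges                   # "except if the sender IP address is in any of these ranges"
    ExceptIfHeaderMatchesMessageHeader = "X-MS-Exchange-MeetingForward-Message"
    ExceptIfHeaderMatchesPatterns      = @("Forward")                   # calendar-forward exception
    SetAuditSeverity                   = "DoNotAudit"                   # "Uncheck Audit this rule with severity level"
    Mode                               = "Enforce"
}
New-TransportRule @rule

# Read the rule back exactly as Exchange stored it, so the exceptions can be checked
# before relying on the rule.
Get-TransportRule -Identity "Only accept mail from Proofpoint" |
    Format-List Name, State, Priority, Mode, FromScope, RejectMessageReasonText,
                ExceptIfSenderIpRanges, ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns
```

Two practical caveats. First, once this rule is in Enforce mode, every inbound message that does not arrive from the listed ranges is rejected, including Direct Send traffic from your own printers or line-of-business applications; either route those through the filter or add their IPs to the ExceptIfSenderIpRanges list. Second, consider creating the rule with Mode set to Audit first and reviewing the message trace for a day or two, then switching it to Enforce, so that any legitimate sender you forgot is found before it is rejected.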
Carlos Rios