How Threat Actors Are Outsmarting Your Email Defenses

Joshua SmithOctober 01, 2025
You’re about to log out for the day when one last email hits your inbox. Taking a quick peek, you immediately recognize the sender. Because it’s from you. 

The subject line states that you have a new voicemail.  

Inside the email, you find a PDF attachment containing a QR code, which funnels you to a Microsoft 365 login page to access the voicemail message. The email seemingly originated from within your organization (from your account!), there are no obvious spoofed URLs, and it appears to be a standard automated notification. Upon first glance, you might not notice any glaring red flags.

But, had you entered your credentials on the spoofed login page, you would have given your information away to threat actors. Coalition Incident Response (CIR) has seen an uptick in cyber incidents similar to the one detailed above — all possible not because of account compromise, but because of Direct Send, a completely legitimate feature within Microsoft 365.

What is Direct Send and how do threat actors abuse it?

Direct Send allows internal devices and applications, like network-connected scanners, printers, and line-of-business software, to send email to your tenant without authenticating.

When working as intended, Direct Send acts as a relay between the device or application (like your document scanner) and your inbox. For example, a scanner can send a copy of a document straight to your mailbox as an attachment.

Direct Send emails often bypass spam and phishing filters because Microsoft 365 accepts them by default as traffic from within the same tenant (your organization's own space within the cloud). While convenient for business purposes, that default also opens the door for threat actors to exploit the Direct Send feature with little technical skill.

All it takes is correctly guessing or social engineering a valid email address at your company and sending to the tenant's public mail endpoint, the “company.mail.protection.outlook.com” infrastructure.

Threat actors can then leverage any scripting language or prebuilt emailing tool to route emails directly to the target recipient’s inbox. Via Direct Send, these emails function essentially as internal traffic, which means they aren’t flagged as suspicious through most DMARC and SPF policies, despite often coming from foreign IP addresses.

Unlike account compromise, Direct Send abuse doesn’t involve a single login attempt or access to your organization’s environment. And, according to email logs, the message looks like it was sent from the impersonated user. 
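The logs do still carry signals a defender can use, because an unauthenticated relay leaves different headers than a message submitted from a signed-in mailbox. The following PowerShell function is an added example, not code from the Coalition post; it parses a single message's headers and flags mail whose From: domain is one of yours but which arrived anonymously from an IP that is not one of your known devices. It assumes Exchange Online's Authentication-Results wording (“sender IP is …”) and the X-MS-Exchange-Organization-AuthAs header; the sample message, the domain company.com, and the addresses 203.0.113.5 and 192.0.2.20 are constructed for the demo.

```powershell
# Added example (not from the Coalition post): flag messages that claim an
# internal sender but reached the tenant without authentication from an IP
# that is not one of your approved scanners/printers.
function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)] [string]   $RawHeaders,        # full header block of one message
        [Parameter(Mandatory)] [string[]] $InternalDomains,   # domains you own, e.g. company.com
        [string[]] $TrustedDeviceIPs = @()                    # IPs allowed to relay as your domain
    )

    # Unfold RFC 5322 continuation lines (newline followed by whitespace), then
    # split the block into name/value pairs keyed by lower-case header name.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers  = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9\-]+):\s*(.*)$') {
            $headers[$Matches[1].ToLowerInvariant()] = $Matches[2].Trim()
        }
    }

    $fromDomain = ''
    if ($headers['from'] -match '@([A-Za-z0-9.\-]+)') { $fromDomain = $Matches[1].ToLowerInvariant() }

    # Exchange Online stamps the connecting IP and the SPF verdict into
    # Authentication-Results; AuthAs=Anonymous marks an unauthenticated submission.
    $authResults = [string]$headers['authentication-results']
    $spf = ''
    if ($authResults -match 'spf=(\w+)') { $spf = $Matches[1].ToLowerInvariant() }
    $senderIP = ''
    if ($authResults -match 'sender IP is (\d{1,3}(?:\.\d{1,3}){3})') { $senderIP = $Matches[1] }
    $authAs = [string]$headers['x-ms-exchange-organization-authas']

    $isInternal        = $InternalDomains -contains $fromDomain
    $isAnonymous       = ($authAs -eq 'Anonymous')
    $fromTrustedDevice = $senderIP -and ($TrustedDeviceIPs -contains $senderIP)

    $reasons = @()
    if ($isInternal -and $isAnonymous)        { $reasons += "internal From: domain but unauthenticated submission (AuthAs=Anonymous)" }
    if ($isInternal -and $spf -and $spf -ne 'pass') { $reasons += "SPF result '$spf' for a domain you own" }
    if ($isInternal -and -not $fromTrustedDevice)   { $reasons += "connecting IP '$senderIP' is not an approved device" }

    [pscustomobject]@{
        From       = $headers['from']
        SenderIP   = $senderIP
        AuthAs     = $authAs
        Spf        = $spf
        Suspicious = ($isInternal -and $isAnonymous -and -not $fromTrustedDevice)
        Reasons    = $reasons
    }
}

# Constructed sample: the voicemail lure from the post, impersonating an
# employee to herself and arriving from an outside address. 'company' stands in
# for the tenant name; 203.0.113.5 and 192.0.2.20 are documentation addresses.
$sample = @"
Received: from mail-relay.example.net (203.0.113.5) by
 company.mail.protection.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=company.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=company.com;compauth=fail
 reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Jane Employee <jane.employee@company.com>
To: Jane Employee <jane.employee@company.com>
Subject: New voicemail message
"@

Test-DirectSendSpoof -RawHeaders $sample -InternalDomains 'company.com' -TrustedDeviceIPs '192.0.2.20' |
    Format-List
```

The verdict requires all three conditions (your domain, anonymous submission, unlisted IP) rather than SPF alone, because a legitimate scanner on an approved IP is also anonymous and may also fail SPF; keeping the trusted-device list accurate is what separates the two cases. Run the function over exported headers from a reported message, or feed it the raw header block from the Microsoft 365 message header analyzer, before deciding whether an incident is spoofing via Direct Send or an actual account compromise.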

Testing our sense of security 

A fundamental component of a successful social engineering campaign is abusing a target’s trust. Often, it’s impersonating someone like a CEO or colleague in an attempt to override our suspicion. But now, threat actors are exploiting the faith employees have in internal infrastructure, too. 

If a message comes from a spoofed email address that is indistinguishable from a real one, how can your organization or your technology defenses determine its legitimacy? Both Microsoft's filtering mechanisms and third-party email security solutions default to trust that the messages are internal and therefore benign, suggesting a dangerous evolution in social engineering via Direct Send:

  • No mismatched domains: Traditionally, threat actors mimic an organization’s email infrastructure as closely as possible, but without actual compromise, it was never perfect. But with Direct Send, fraudsters don’t need to resort to decoys like “C0alition” — they can spoof the desired email address as it is. 

  • Not flagged by legacy solutions: Secure email gateways (SEGs) inspect outbound messages before they reach the email tenant. But messages sent via Direct Send are delivered within the Microsoft 365 environment, often circumventing SEGs and Microsoft Defender entirely.

  • No indicators of compromise: Unlike a business email compromise event, the abuse of Direct Send allows attackers to perfectly spoof an internal email address without any clear indicators of compromise, leaving the burden of flagging suspicious activity to employees, not endpoint security solutions. 

To complicate matters further, if an employee receives a suspicious email from themselves or a trusted colleague, they may (understandably) presume that the company’s email system has been breached. 

This could be detrimental to small and midsize businesses (SMBs) that lack in-house IT or security teams to investigate further, resulting in unnecessary widespread password resets or lockdown procedures. In the case of Direct Send, both could lead to unnecessary security fatigue and decreased productivity.

How to protect your organization 

Disable Direct Send (or update settings)

If your organization does not rely on Direct Send for regular operations, you can disable this feature to prevent unauthorized senders from spoofing internal emails through this method. 

Many organizations have printers, scanners, and internal applications that require the Direct Send feature. You can configure a connector that restricts email sending to specific, known IP addresses that you trust. This adds a layer of security by ensuring only emails from these known sources are accepted.
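Both controls above are set in Exchange Online PowerShell. The script below is an added example and not the Coalition post's own code; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), an Exchange administrator role, and placeholder values: company.com is your own domain, 192.0.2.20 stands in for a scanner or printer's IP, and the connector name is invented. RejectDirectSend is a newer organization-level setting, so confirm it is available in your tenant before relying on it.

```powershell
# Added example, not code from the Coalition post. Placeholders: company.com,
# the device IP 192.0.2.20 and the connector name are constructed values.
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# 1. Check whether the tenant still accepts unauthenticated Direct Send.
Get-OrganizationConfig | Format-List RejectDirectSend

# 2. If nothing in the business depends on Direct Send, turn it off tenant-wide.
#    (Assumption: the RejectDirectSend setting exists in your tenant; re-run
#    step 1 afterwards to confirm the change took effect.)
Set-OrganizationConfig -RejectDirectSend $true

# 3. If scanners and printers must keep sending as your domain, pin the domain
#    to the IPs those devices use instead. With RestrictDomainsToIPAddresses,
#    mail claiming to be from company.com that arrives from any other address
#    is rejected at the edge before it reaches a mailbox.
New-InboundConnector -Name "Company devices only" `
    -ConnectorType Partner `
    -SenderDomains 'company.com' `
    -SenderIPAddresses '192.0.2.20' `
    -RestrictDomainsToIPAddresses $true `
    -Enabled $true

# 4. Verify what was created.
Get-InboundConnector -Identity "Company devices only" |
    Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

Before enforcing the connector, inventory every system that sends as your domain into the tenant, including third-party services such as marketing or ticketing platforms, because they will be rejected too unless their IPs are added to SenderIPAddresses. Roll the change out during business hours with a contact at the help desk watching for missing scanner notifications, and keep the IP list under change control so a replaced printer does not silently break.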

Implement security awareness training

Employee awareness and a security-first mindset are crucial for combating advanced phishing campaigns. Even if some tell-tale signs of fraudulent behavior are missing, employees should still know to be wary of any urgent or unexpected messages and feel comfortable reporting suspicious behavior.

Integrate your Microsoft 365 account in Coalition Control®

Is your Microsoft tenant configured as securely as it could be? By integrating Microsoft 365 with Control, our cyber risk management platform, you can access endpoint security settings and discover potential weaknesses in your current Microsoft 365 configurations — all based on recommendations from Coalition security experts. 



This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. The reader is cautioned to consult independent professional advisers and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability based on any legal theory or in any form or amount, based upon, arising from or in connection with, for the reader’s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee and should not be construed to guarantee any particular results or outcome. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with our use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only.
Coalition Incident Response, Inc. dba Coalition Security, an affiliate of Coalition Inc., provides security products and services globally, including Coalition Control. Coalition Security does not provide insurance products and products and services may not be available in all countries and jurisdictions. Non-insurance products and services may be provided by independent third parties, and may require separate payment.
Copyright © 2025. All rights reserved. Coalition, Coalition Control, Coalition Security and the Coalition logo are trademarks of Coalition, Inc. All other products and company names are the intellectual property of their respective brand owners.