Varonis Threat Labs discovered a phishing campaign exploiting Microsoft 365’s Direct Send feature to send spoofed internal emails without authentication. The attack has targeted over 70 mainly US-based organizations, using spoofed voicemail notifications with malicious PDF attachments to harvest credentials. #DirectSend #Microsoft365 #VaronisThreatLabs
Key points
- The phishing campaign abuses Microsoft 365’s Direct Send feature, allowing unauthenticated sending of emails appearing from internal users.
- The attack started in May 2025 and has consistently targeted more than 70 organizations, mostly in the US, across various industries.
- Attackers used PowerShell to send spoofed emails via the smart host, bypassing Microsoft’s and third-party email security filters.
- Key indicators include failed SPF, DKIM, and DMARC checks, emails sent from external IPs through tenant smart hosts, and suspicious behavior such as users emailing themselves.
- The phishing emails often mimicked voicemail notifications with PDF attachments containing QR codes redirecting to credential-harvesting phishing sites.
- Preventive measures include enabling “Reject Direct Send,” enforcing strict DMARC policies, reviewing unauthenticated internal emails, and educating users about QR code phishing risks.
- Varonis offers threat detection and managed response services tailored to detect and mitigate such attacks on Exchange Online environments.
MITRE Techniques
- [T1566] Phishing – Attackers sent phishing emails spoofed as internal voicemail notifications, using QR codes to redirect victims to credential-harvesting sites (“emails were crafted to resemble voicemail notifications, complete with a PDF attachment…redirected users to a phishing site”).
- [T1071.001] Application Layer Protocol: Web Protocols – Use of Microsoft 365 Direct Send smart host to send malicious emails without authentication (“attacker used PowerShell to send spoofed emails via the smart host…no login or credentials are required”).
- [T1110] Brute Force – Although no direct login attempts were made, attackers bypassed authentication by exploiting configuration weaknesses (“no login events, only email activity…Direct Send abuse”).
Indicators of Compromise
- [IP Addresses] External IPs used to send spoofed emails – 139.28.36[.]230 and multiple in the 139.28.X.X range.
- [Domains] Phishing sites linked to campaign – hxxps://voice-e091b.firebaseapp[.]com, hxxps://mv4lh.bsfff[.]es.
- [Email Subject Lines] Typical phishing subjects – “Caller Left VM Message * Duration-XXXX for XXXX,” “Fax-msg mm/dd/yyyy, hh:mm:ss AM/PM (2 Pages) RefID: XXXX,” “New Missed Fax-msg,” and similar variants.
- [Email Attachments] Filenames including ‘Fax-msg’, ‘Caller left VM Message’, or ‘Listen’.
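As an added example, not code from the Varonis report or this summary: a Python triage check that applies the key indicators listed above (an internal sender failing SPF/DKIM/DMARC, delivery from an IP outside the tenant's known relays, a user emailing themselves) together with the subject-line lures from the IoC list to raw message headers. The tenant domain, the allowed relay range, the lure regexes and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed assumptions: the tenant's accepted domain, and the on-prem devices
# (printers, scanners) that legitimately relay through the tenant's smart host.
TENANT_DOMAIN = "example.com"
ALLOWED_RELAYS = [ip_network("203.0.113.0/24")]
LURE_SUBJECTS = [r"Caller Left VM Message", r"Fax-msg"]  # lures quoted in the report

def auth_failures(auth_results):
    # Mechanisms in Authentication-Results that did not come back "pass".
    failed = set()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth_results, re.I)
        if m is None or m.group(1).lower() != "pass":
            failed.add(mech)
    return failed

def first_hop_ip(received):
    # The bottom-most Received header names the host that handed the message to the
    # tenant; with Direct Send that is the sender's own IP, not a tenant MTA.
    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", received[-1]) if received else None
    return ip_address(m.group(0)) if m else None

def direct_send_findings(raw_message):
    # Returns the list of indicators matched by one message; empty means clean.
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    findings = []
    if from_addr.endswith("@" + TENANT_DOMAIN):
        failed = auth_failures(msg.get("Authentication-Results", ""))
        if failed:
            findings.append("internal sender failed " + "/".join(sorted(failed)))
        hop = first_hop_ip(msg.get_all("Received", []))
        if hop and not any(hop in net for net in ALLOWED_RELAYS):
            findings.append(f"internal sender relayed from external IP {hop}")
        if from_addr == to_addr:
            findings.append("user emailing themselves")
    if any(re.search(p, msg.get("Subject", ""), re.I) for p in LURE_SUBJECTS):
        findings.append("voicemail/fax lure subject")
    return findings

# Constructed sample: spoofed internal mail injected via the smart host from a
# documentation address (198.51.100.7), mimicking the voicemail lure.
SPOOFED = """\
Received: from [198.51.100.7] by example-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com; dkim=none header.d=none; dmarc=fail action=oreject header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: Caller Left VM Message * Duration-0027 for 5550100
"""
```

Running `direct_send_findings(SPOOFED)` returns all four indicators; a legitimately authenticated internal message from an allowed relay returns an empty list.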