Arctic Wolf has recently observed a widespread phishing campaign targeting multiple organizations by abusing Microsoft 365’s Direct Send feature, which is designed for internal email delivery without requiring authentication. Threat actors can identify valid domains and recipients, then send spoofed emails that appear to originate from internal domains (often impersonating the targeted user themselves) without needing credentials or access to the tenant.
Initial observations of this campaign began in early July, shortly after Varonis Threat Labs publicly disclosed similar findings. Spoofed emails often took the form of internal communications, such as voicemail notifications, and contained PDFs embedded with phishing QR codes (a tactic known as quishing). Threat actors leveraged PowerShell to automate the delivery of these emails through smart hosts.
These messages are routed through Microsoft infrastructure (e.g., company-com.mail.protection.outlook.com) to bypass common email security controls, making this a low-effort but effective phishing method. This campaign appears to be an escalation of previous activity observed by Arctic Wolf, in which spoofed emails appearing to originate from internal users targeted the legal sector, but it has now expanded to multiple industries.
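Because Direct Send messages are accepted by the tenant's own mail.protection.outlook.com host without authentication, the pattern described above usually leaves a recognizable trace in the message headers: a From: address in an internal domain combined with failed or absent SPF/DKIM/DMARC results and an anonymous authentication marker. The following PowerShell function is an added triage example, not code from Arctic Wolf or Microsoft. The sample header block is constructed, and the header names and values the heuristic looks for (Authentication-Results wording, X-MS-Exchange-Organization-AuthAs: Anonymous, the Received "by ...mail.protection.outlook.com" hop) are assumptions about typical Exchange Online header wording that should be verified against messages from your own tenant.

```powershell
# Added example (not Arctic Wolf's code): heuristic triage of a raw message header
# for the Direct Send spoofing pattern. Regexes and header names are assumptions about
# typical Exchange Online header wording; tune them against your own tenant's mail.
function Test-DirectSendSpoof {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,      # full raw header block of one message
        [Parameter(Mandatory)][string[]]$InternalDomains # domains your tenant owns
    )
    $reasons = @()

    # Header From: domain, i.e. the address the recipient actually sees.
    $fromDomain = $null
    if ($RawHeaders -match '(?im)^From:.*@([A-Za-z0-9.-]+)') {
        $fromDomain = $Matches[1].ToLower()
    }
    $fromIsInternal = [bool]($fromDomain -and ($InternalDomains -contains $fromDomain))

    # A message claiming an external sender is ordinary inbound mail; not this pattern.
    if (-not $fromIsInternal) {
        return [pscustomobject]@{ Suspicious = $false; FromDomain = $fromDomain; Reasons = @() }
    }

    # Authentication-Results written by the tenant's MX: internal mail that was
    # really injected from outside fails SPF, carries no DKIM signature and fails DMARC.
    if ($RawHeaders -match '(?i)\bspf=(fail|softfail|none)\b') { $reasons += "spf=$($Matches[1])" }
    if ($RawHeaders -match '(?i)\bdkim=none\b')                 { $reasons += 'dkim=none' }
    if ($RawHeaders -match '(?i)\bdmarc=(fail|none)\b')         { $reasons += "dmarc=$($Matches[1])" }

    # Accepted as anonymous SMTP at the tenant's *.mail.protection.outlook.com host.
    if ($RawHeaders -match '(?im)^X-MS-Exchange-Organization-AuthAs:\s*Anonymous') { $reasons += 'AuthAs=Anonymous' }
    if ($RawHeaders -match '(?i)\bby\s+\S+\.mail\.protection\.outlook\.com')       { $reasons += 'received-by-tenant-MX' }

    # Require at least two independent indicators to reduce noise from misconfigured
    # but legitimate internal senders.
    [pscustomobject]@{
        Suspicious = ($reasons.Count -ge 2)
        FromDomain = $fromDomain
        Reasons    = $reasons
    }
}

# Constructed sample header (203.0.113.10 is a documentation address, example.com a placeholder).
$sampleHeaders = @"
Received: from 203.0.113.10 (203.0.113.10) by
 EXAMPLE-COM.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail header.from=example.com;compauth=fail
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Subject: New voicemail received
"@

Test-DirectSendSpoof -RawHeaders $sampleHeaders -InternalDomains @('example.com')
```

On the constructed sample the function returns Suspicious = True with all five reasons, which is the combination worth alerting on: a self-addressed "voicemail" notification whose From: domain is internal but whose authentication results say it was injected anonymously from outside. Running the same function over headers exported from quarantine or message trace is a quick way to gauge whether a tenant has already received this traffic before Reject Direct Send is switched on.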
Arctic Wolf is a customer of its own products and services, so we will follow the same recommendations outlined for our customers in this Security Bulletin.
Recommendations
Enable Reject Direct Send
Enable the ‘Reject Direct Send’ option in the Exchange Admin Center to block unauthenticated emails that appear to originate from internal domains.
- Combine this with a strict DMARC p=reject policy and SPF hard-fail for added protection.
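The two steps above can be carried out and verified from Exchange Online PowerShell rather than the portal. The script below is an added example and is not Arctic Wolf's or Microsoft's code; it assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and a Windows host with the DnsClient module (Resolve-DnsName). The domain name used is a placeholder.

```powershell
# Added example (not Arctic Wolf's code). Assumes the ExchangeOnlineManagement module,
# an Exchange administrator account, and Resolve-DnsName (Windows DnsClient module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Reject Direct Send: unauthenticated inbound mail that claims an internal sender
#    is refused at the tenant's mail.protection.outlook.com endpoint.
"Before: RejectDirectSend = $((Get-OrganizationConfig).RejectDirectSend)"
Set-OrganizationConfig -RejectDirectSend $true
"After:  RejectDirectSend = $((Get-OrganizationConfig).RejectDirectSend)"   # expect True

# 2. DNS side of the recommendation: DMARC p=reject and SPF hard fail (-all).
function Test-MailAuthPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # TXT records can be split into several strings; join each record before matching.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { -join $_.Strings }
    $spf = $txt | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1

    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
                ForEach-Object { -join $_.Strings }
    $dmarc = $dmarcTxt | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1

    [pscustomobject]@{
        Domain      = $Domain
        Spf         = $spf
        SpfHardFail = [bool]($spf -and ($spf.Trim() -match '\s-all$'))          # "-all", not "~all"
        Dmarc       = $dmarc
        DmarcReject = [bool]($dmarc -and ($dmarc -match '(?i)(^|;)\s*p=reject\s*(;|$)'))
    }
}

# Placeholder domain: replace with each domain the tenant accepts mail for.
Test-MailAuthPolicy -Domain 'example.com'

Disconnect-ExchangeOnline -Confirm:$false
```

Run Test-MailAuthPolicy for every accepted domain, not just the primary one; a secondary domain with SPF ~all or DMARC p=none leaves the same spoofing path open. Before enabling Reject Direct Send, also inventory devices and applications (scanners, printers, line-of-business apps) that rely on Direct Send to reach internal mailboxes, because their unauthenticated submissions will be rejected too and need to move to authenticated SMTP submission or a dedicated inbound connector.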
Avoid Engaging with Unsolicited Emails and Attachments
Users should exercise caution when handling unexpected emails, especially those with unusual subject lines or attachments, and avoid clicking links or opening files unless the sender’s identity can be confidently verified.
Enable Multi-Factor Authentication (MFA)
Organizations should ensure MFA is enabled across all user accounts to reduce the risk of unauthorized access. In the event a user falls for a phishing attempt, MFA can provide an additional layer of security that may prevent threat actors from successfully accessing internal systems.