
Turn Off Direct Send in Microsoft Exchange to Protect Yourself from Phishing

You may not even know Direct Send exists, but it could leave your nonprofit open to phishing attacks.

Microsoft Exchange includes a feature known as Direct Send that lets devices and apps send emails through your Exchange setup while bypassing any authentication requirements (like a username and password) that you have in place.

According to Microsoft, it's for use when "a legacy device or application" on your network — like a photocopier, printer, or fax server — needs to send or receive emails but doesn't support any other method of doing so. It's also ripe for abuse by bad actors, particularly if you are unfamiliar with how Direct Send works.

How the Attacks Work

Cybercriminals can exploit Direct Send in order to steal information, gain access to your systems, and wreak all sorts of havoc within your organization. Michael Enos, vice president of infrastructure security and compliance at TechSoup, says that phishing attacks sent via Direct Send can be very difficult to identify via normal means.

According to Enos, in one attack method, cybercriminals will find content written by nonprofit staff on LinkedIn or other public platforms, and then instruct an AI chatbot to write a phishing email in that person's writing style. They will then use Direct Send to distribute that email to other employees or volunteers of that organization.

The email will look legitimate right down to the email headers — the bits of data that sit alongside the message and provide information on who sent the message and how they sent it.

"There's nothing [visibly] wrong with it," Enos says. "That's how dangerous this is."

An Ongoing Risk

Phishing attacks that use Direct Send aren't new — for example, UK security firm JumpSec highlighted the risk back in 2023 — but our partners at Tech Impact have recently seen an uptick in such attacks that target nonprofits.

"This feature has been the target of a renewed effort of automated attacks which abuse the perimeter of 365 and its Exchange Online service by sending specially crafted messages directly to the mail system," Brad Bornman of Tech Impact wrote in an email to its partners.

"Because the response originates from within the system, it does not get filtered by security measures in place such as Domain Name Service (DNS) records, Microsoft Defender for Office, or any other security products."

This recent wave of attacks was particularly broad. "While Direct Send has been abused before, these recent attacks were notable for both their volume and the number of tenants impacted," Francis Johnson, the chief technology officer at Tech Impact, added in an email to TechSoup.

If You Don't Need Direct Send, Turn It Off

If you manage Microsoft 365 for your organization and have never heard of Direct Send before, there's a good chance that you don't need it and can safely turn it off. In fact, Microsoft itself says that "[m]ost customers don't need to use Direct Send."

In April 2025, Microsoft added a "Reject Direct Send" setting to Exchange Online that lets you block this feature for your tenant. Microsoft explains how to do so in this blog post.

"When correctly configured and managed, Direct Send is a secure and viable option," Microsoft's documentation says. "But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."
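The "Reject Direct Send" setting described above is managed through Exchange Online PowerShell. The script below is an added example, not code from the TechSoup post or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role, and the sign-in name is a placeholder. It reads the current value first, enables the setting, and then reads it back to confirm the change.

```powershell
# Added example (not from the original post): enable and verify
# "Reject Direct Send" in Exchange Online.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role.
# admin@contoso.example is a placeholder sign-in name.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Record the setting before changing it, so the change can be documented
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Output "RejectDirectSend before change: $before"

# Turn on Reject Direct Send: unauthenticated messages that rely on
# Direct Send are refused by the tenant from this point on
Set-OrganizationConfig -RejectDirectSend $true

# Read the setting back to confirm it took effect
$after = (Get-OrganizationConfig).RejectDirectSend
Write-Output "RejectDirectSend after change: $after"

Disconnect-ExchangeOnline -Confirm:$false
```

Before running this in a tenant, inventory the photocopiers, printers, scanners, or line-of-business apps that send mail this way: once the setting is on, their unauthenticated messages will be rejected, so any device that still needs to send mail has to be moved to an authenticated submission method first. Keep the "before" value from the script with your change record so the setting can be reverted if mail flow breaks unexpectedly.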


Thumbnail photo: Shutterstock