The Microsoft 365 “Direct Send” loophole: what every business needs to know
By Cian Fitzpatrick | 10th October 2025
Cybercriminals are a clever bunch and they’re getting smarter about how they disguise phishing emails. One recent example involves a Microsoft 365 feature called Direct Send. It was designed to make life easier by letting certain devices send emails without logging in. However, this convenience can be exploited.
Evidence shows that attackers are using Direct Send to send emails that look like they come from within a company. No accounts are hacked and no passwords are stolen. Instead, the attackers are taking advantage of the way Microsoft 365 lets some systems send messages without authentication.
Direct Send is a built-in Microsoft 365 feature that lets devices like printers, scanners or internal systems send emails straight to users without needing to sign in. In a trusted environment, it’s easy to see how this feature can make everyday office tasks easier and save time.
Yet this same convenience also holds the door open to risk.
All it takes is for a cybercriminal to know your organisation’s Microsoft 365 tenant name and the email address of someone inside your company. They can then use that information to send what looks like a genuine internal email. To the recipient, it appears to come from a trusted colleague or system. However, in reality the email has been sent from outside the organisation.
In this particular type of phishing attack, cybercriminals send emails that look like voicemail or fax notifications. Each message contains either a PDF attachment or a QR code that leads to a fake login page. Once recipients scan the code or open the file, they are taken to a convincing Microsoft 365-style website that prompts them to enter their login credentials.
Security filters let these messages pass because they appear to come from within the organisation. While the message headers show clear signs of forgery, such as external IP addresses and failed authentication checks, those details are hidden from most users and can easily slip past default filters.
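The forgery signs just described (an internal-looking From: address, failed SPF/DMARC verdicts, and a first hop from outside the network where the organisation's printers and scanners actually live) can be checked automatically. The block below is an added example written for this page, not code from the article or from Topsec; it assumes a placeholder internal domain (example.com), a placeholder trusted device network (10.20.0.0/16), and constructed sample headers.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (placeholders, not from the article): the organisation's own
# domain and the network its Direct Send devices legitimately submit from.
INTERNAL_DOMAIN = "example.com"
TRUSTED_DEVICE_NET = ipaddress.ip_network("10.20.0.0/16")

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def origin_ip(msg):
    """IPv4 address in the oldest (bottom-most) Received: header, i.e. the hop
    that first handed the message in, or None if none is present."""
    received = msg.get_all("Received", [])
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", received[-1]) if received else None
    return m.group(1) if m else None

def from_trusted_device(ip):
    # True only if the originating hop sits inside the trusted device network.
    try:
        return ipaddress.ip_address(ip) in TRUSTED_DEVICE_NET
    except (ValueError, TypeError):
        return False

def looks_like_direct_send_spoof(raw_headers):
    """Flag mail that claims an internal From: address yet failed SPF/DMARC
    and entered from outside the trusted device network."""
    msg = message_from_string(raw_headers)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        return False  # not posing as internal mail; out of scope for this check
    v = auth_verdicts(msg)
    auth_failed = v.get("spf") in ("fail", "softfail") or v.get("dmarc") == "fail"
    return auth_failed and not from_trusted_device(origin_ip(msg))

# Constructed sample (not a real message): a "voicemail" lure claiming an
# internal sender that arrived from an external IP and failed both checks.
SPOOFED_VOICEMAIL = """\
From: Voicemail Service <voicemail@example.com>
Subject: New voicemail message (0:42)
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com; dmarc=fail action=oreject header.from=example.com
Received: from edge.example.com (10.20.0.5) by mailbox.example.com
Received: from unknown (203.0.113.45) by edge.example.com
"""
```

Running `looks_like_direct_send_spoof(SPOOFED_VOICEMAIL)` returns True, while a scan-to-email notice from a device inside 10.20.0.0/16 with passing SPF/DMARC returns False.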
This type of phishing attack shows how sophisticated cyber threats have become.
Modern attackers no longer rely on breaching accounts. They now manipulate the systems we trust most. By exploiting legitimate Microsoft 365 features, bad actors can send believable messages that bypass basic email defences and take advantage of human trust.
When an employee sees what appears to be an internal email, the likelihood of them clicking a link or entering a password increases significantly. This highlights the need for stronger email protection and continuous cybersecurity awareness across every level of the business.
This is a threat worth paying attention to. The good news is that there are clear and practical steps your organisation can take to stay protected.
The Direct Send exploit is a reminder that strong security is about more than just technology. It is about understanding how systems behave and where vulnerabilities may appear. Cybercriminals will always look for convenience features they can twist to their advantage.
To stay secure, organisations must combine the right tools, the right policies and the right culture. Everyone plays a role, from leadership teams setting the tone for security awareness to employees practising safe email habits every day.
Our team specialises in keeping businesses safe from phishing and spoofing attacks. With Topsec’s email security in place, harmful messages are stopped and filtered out long before they ever reach your inbox.
We help organisations implement robust Microsoft 365 security configurations, strengthen DMARC policies and raise staff awareness of new threats.
Cyber threats continue to evolve, but you can stay one step ahead. With Topsec as your partner, you gain continuous visibility, expert guidance and proven protection for your most important communications. Together, we make your organisation safer, stronger and more resilient in an increasingly digital world.
Contact us today for a no obligation call to discover how we can help your organisation stay safe.