Microsoft 365 Direct Send Phishing: What We're Seeing and Why It Matters

Written by Byron Martin | Apr 30, 2026

If your team uses Microsoft 365, there is a phishing attack making the rounds right now that most teams aren’t prepared to recognize yet. It does not look suspicious. It does not come from a sketchy outside address. In many cases, it appears to come from the employee themselves, or from someone right down the hall.

This is the Microsoft 365 Direct Send phishing scam, and it has been quietly compromising businesses since mid-2025. And the campaigns are still active and opportunistic, meaning your business does not need to be "interesting" to get hit.

Here is what every business owner needs to understand, and what to do about it before someone on your team clicks the wrong thing.


What Is Microsoft 365 Direct Send?

Direct Send is a built-in Microsoft 365 feature that lets devices and applications send email into your organization without logging in first. It exists for a good reason: copiers, scanners, alarm systems, line-of-business apps, and older internal tools were never built to authenticate the way a user does.

A scanner emails a PDF to an employee. A monitoring tool fires off an alert. A legacy application sends a payment notification. All of that runs through Direct Send.

The problem is that "no login required" was always a tradeoff. And in 2025, attackers figured out how to weaponize it.


How Attackers Are Abusing Direct Send to Send Internal-Looking Phishing Emails

To pull off this scam, an attacker does not need to hack anyone's password. They do not need to break into your Microsoft 365 tenant. They just need two things: a valid internal email address and your company's MX record (which is publicly visible).

From there, they use simple SMTP tools or scripts to send messages through your Microsoft 365 tenant’s mail routing. The result is a phishing email that:

  • Appears to come from an employee inside your company (sometimes from the recipient's own address).
  • Lands in the inbox without triggering the usual outside-sender warnings.
  • Often slips past SPF, DKIM, and DMARC checks because it is technically traveling through your own infrastructure.

Common subject lines include "Caller Left VM Message," "New Fax Received," "Scanned Document Attached," and fake shared-document or HR notices. Most contain a PDF or HTML attachment with an embedded QR code. Scan the code, and you land on a fake Microsoft 365 login page designed to steal credentials and multi-factor authentication approvals. (Varonis, BleepingComputer)


Who Is Being Targeted?

When Varonis first published its analysis of the campaign, researchers had identified more than 70 affected organizations, with 95% of victims based in the United States. Over 90% of targets fell into six industries:

  • Financial Services
  • Construction
  • Engineering
  • Manufacturing
  • Healthcare
  • Insurance

That list should look familiar. It is not a coincidence: those are industries where invoices, scanned documents, voicemail forwards, and "shared file" links are part of the normal daily workflow. Attackers blend in by mimicking the email traffic your team already expects.

By April 2026, the campaigns have widened well beyond that initial 70. Microsoft Threat Intelligence describes the activity as "opportunistic rather than targeted", meaning attackers are casting wide nets across multiple industries and verticals, not picking specific victims. If your business uses Microsoft 365, you are in the target pool by default.


Why Is This So Effective?

The short answer: trust.

This is a shift from “breaking into systems” to “blending into workflows.”
And that’s where most traditional security strategies fall short.

Your team has been rightly trained to be cautious of emails from outside vendors, unknown senders, and obvious red flags. But internal email gets a free pass. People assume that if a message is coming from inside the building, it has already been vetted.

Direct Send phishing exploits that exact assumption. The "From" address looks internal. The headers say InternalOrgSender: True. There is no big yellow banner warning the recipient that this came from outside. By the time an employee notices the QR code or the slightly-off login page, they have already scanned, clicked, and entered their credentials.

This is why we tell our clients: internal-looking does not mean safe. Not anymore.


How Do You Spot a Direct Send Phishing Email?

There are a few telltale signs your team should know about:

  • The "From" and "To" addresses are identical — the email looks like it was sent to yourself.
  • The header field X-MS-Exchange-Organization-AuthAs reads "Anonymous."
  • The message includes a QR code embedded in a PDF or image (a tactic known as quishing), often paired with urgent language: "voicemail expires today," "review immediately," "approve this payment."
  • The sender shows as a coworker or shared mailbox, but the message style does not match how that person normally writes.

If something feels off, it probably is. The fastest way to verify a suspicious internal email is to pick up the phone or send a Teams message to the supposed sender. Two minutes of friction beats two months of incident response.


What Could Actually Happen If Someone Falls for It?

A successful Direct Send phishing attack is rarely a one-employee problem. Once an attacker has Microsoft 365 credentials, they typically:

  • Read through the compromised mailbox looking for invoices, banking details, and client conversations.
  • Set up hidden inbox rules that quietly forward or delete future emails.
  • Send more phishing messages to coworkers, customers, and vendors from the now-trusted account.
  • Pivot into SharePoint, OneDrive, and Teams to find sensitive documents.
  • Initiate fraudulent wire transfers or fake invoice changes — what insurers call business email compromise, or BEC.

The financial damage adds up fast. Wire fraud, ransomware exposure, regulatory reporting obligations, client notification costs, downtime, and the much harder-to-quantify hit to your reputation. One click on one QR code can absolutely become a six-figure event.


How to Protect Your Business From Direct Send Abuse (April 2026)

The good news is that this is a fixable problem, but it requires a deliberate review of your Microsoft 365 environment. These are the steps every business should take right now.

1. Enable "Reject Direct Send" in Exchange Admin Center

Microsoft introduced controls (including Reject Direct Send) in April 2025 to limit this behavior. When enabled, Exchange Online will reject unauthenticated messages claiming to come from your own domain. (Varonis)

Before flipping this on, your IT team needs to know which of your devices and applications legitimately rely on Direct Send — copiers, scanners, monitoring tools, line-of-business apps. Those should be migrated to authenticated SMTP submission or routed through an approved connector first. Otherwise, you risk breaking real business workflows.

2. Lock Down SPF, DKIM, and DMARC

Email authentication records are not new, but plenty of businesses still have them in p=none reporting mode. Move DMARC to p=reject, verify your SPF record actually includes every sending source, and confirm DKIM is signing properly. 

3. Implement Custom Header Stamping

Stamp inbound mail with a custom header that your security tools can verify. This makes it easier to detect messages that claim to be internal but did not actually originate from a trusted source. Your IT provider should handle this — it is a standard Exchange Online configuration.

4. Treat QR Codes in Email as Hostile by Default

QR-code phishing — quishing — has exploded since Microsoft and others started flagging it as a major attack pattern in 2023. The reason attackers love QR codes is that they move the victim from the protected work computer onto a personal phone, which usually has weaker security controls.

Train your team on a simple rule: Do not scan QR codes that arrive in email. Especially not for voicemail, fax, document review, MFA reset, payroll, benefits, or login prompts. If you would not click the link, do not scan the code.

5. Modernize Multi-Factor Authentication

Basic SMS-based MFA can still be phished. Move toward phishing-resistant MFA — passkeys, FIDO2 security keys, or Microsoft Authenticator with number matching enabled. If your team is still approving push notifications without verifying them, you are one careless tap away from a breach.

6. Train Employees on the New Reality

Old-school phishing training focused on "look for the misspelled domain" and "watch for the external sender warning." Both still matter. But your team needs to hear, clearly, that an email coming from inside the company can absolutely be a phishing attempt.

The new rule is simple: When in doubt, verify another way. Call the person. Walk down the hall. Send a Teams message. Do not trust an inbox alone.

7. Monitor for the Warning Signs

Your IT or cybersecurity provider should be actively watching for indicators of internal spoofing: emails sent from a user to themselves, messages failing authentication checks, QR codes inside PDF attachments, unexpected voicemail or fax notifications, login attempts from unusual locations following a suspicious email. If your provider is not watching for any of this, that is a conversation worth having.
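The telltale signs from "How Do You Spot a Direct Send Phishing Email?" and the monitoring indicators in step 7 can be turned into a simple header triage. The script below is an added example, not code from this article, Microsoft or Varonis; it assumes you have raw RFC 5322 headers (for instance from a quarantined .eml or a message trace export), and the two header samples in it are constructed.

```python
"""Header triage for the Direct Send pattern: an added example (not from the article,
Microsoft or Varonis). Input is raw RFC 5322 headers; the sample headers are constructed."""
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr
# Lure subjects the article lists: voicemail, fax, scanned document, shared file
LURE_KEYWORDS = ("vm message", "voicemail", "fax", "scanned document", "shared document")

def triage(raw_headers: str) -> dict:
    """Return the Direct Send indicators found in one message's headers plus a verdict."""
    msg = message_from_string(raw_headers, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    auth_as = str(msg.get("X-MS-Exchange-Organization-AuthAs", "")).strip().lower()
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    checks = {
        # Article: "From" and "To" identical, as if the user mailed themselves
        "self_addressed": bool(sender) and sender in recipients,
        # Article: X-MS-Exchange-Organization-AuthAs reads "Anonymous"
        "anonymous_auth": auth_as == "anonymous",
        # No spf/dkim/dmarc pass recorded (a missing header also counts as no pass)
        "auth_failed": not any(f"{m}=pass" in auth_results for m in ("spf", "dkim", "dmarc")),
        # Subject matches a voicemail / fax / scanned-document lure
        "lure_subject": any(k in subject for k in LURE_KEYWORDS),
    }
    indicators = [name for name, hit in checks.items() if hit]
    if "anonymous_auth" in indicators and len(indicators) >= 2:
        verdict = "suspect-direct-send"  # unauthenticated plus at least one more sign
    elif len(indicators) >= 2:
        verdict = "review"
    else:
        verdict = "ok"  # a lure-like subject alone is normal scanner/voicemail traffic
    return {"indicators": indicators, "verdict": verdict}

# Constructed headers: spoofed, self-addressed voicemail lure via Direct Send
PHISH_HEADERS = """\
From: jane.doe@example.com
To: jane.doe@example.com
Subject: Caller Left VM Message
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none
"""
# Constructed headers: real copier submitting through authenticated SMTP
LEGIT_HEADERS = """\
From: scanner@example.com
To: jane.doe@example.com
Subject: Scanned Document Attached
X-MS-Exchange-Organization-AuthAs: Internal
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
"""
```

Run `triage(PHISH_HEADERS)` and `triage(LEGIT_HEADERS)` to see that the spoofed self-addressed lure is flagged while the authenticated scanner notice, despite its lure-like subject, is not.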


The Real Question: Is Your IT Provider Watching for This?

Here is the part most business owners do not want to hear. Direct Send abuse has been a known threat since May 2025. The "Reject Direct Send" setting has existed since April 2025. Microsoft, Varonis, Proofpoint, and the New Jersey Cybersecurity & Communications Integration Cell have all published detailed advisories.

So the question is not whether the threat is real or whether the fix exists. The question is whether your current IT support has actually reviewed your Microsoft 365 tenant and made the changes, or whether they have been "keeping the lights on" while a known phishing campaign hits hundreds of businesses a day.

At Teknologize, we believe technology should be the wind at your back, not the anchor dragging you down. That includes the security configuration sitting underneath your day-to-day operations. If nobody has explicitly walked through your Microsoft 365 environment to address this, your business is exposed — and you probably do not even know it.


Frequently Asked Questions

What is Microsoft 365 Direct Send?

Microsoft 365 Direct Send is an Exchange Online feature that lets devices and applications send email to internal recipients without authenticating first. It is commonly used by copiers, scanners, monitoring tools, and older line-of-business apps.

Why is Direct Send a security risk in 2026?

Because it accepts messages without authentication, attackers can use it to send phishing emails that look like they came from inside your organization. Since mid-2025, this has become an active and ongoing campaign — Microsoft has observed increased visibility and use of this attack vector since May 2025, and the attacks continue today.

Does this mean my Microsoft 365 was hacked?

No. The attacker does not need to hack into your tenant or steal a password. They abuse the Direct Send feature itself. That is what makes this attack so easy to scale and so hard to detect.

What is QR code phishing or quishing?

Quishing is a phishing attack that uses a QR code instead of a clickable link. The QR code typically leads to a fake login page, and it forces the victim onto a personal device that may not be protected by company security tools.

How do I tell if an email is a Direct Send phishing attempt?

Watch for emails that appear to come from yourself, internal voicemail or fax notices you were not expecting, QR codes embedded in PDF attachments, urgent payment or login requests, and messages where the writing style does not match the supposed sender. Headers may show AuthAs: Anonymous or unusual originating IPs.

Should my business disable Direct Send entirely?

If you are not using Direct Send for any legitimate device or application, yes — disable it or enable the "Reject Direct Send" setting in Exchange Admin Center. If you are using it, those systems should be migrated to authenticated SMTP or an approved connector before locking it down. Either way, the current default exposure is not acceptable in 2026.

How quickly should we act on this?

Now. With opportunistic campaigns running continuously since May 2025 and millions of related malicious emails blocked monthly, "we'll get to it next quarter" is not a defensible answer.


Find Out Where Your Business Is Exposed — Free Vulnerability Assessment

Direct Send abuse is one threat. There are dozens of others quietly sitting in most Microsoft 365 environments, networks, and endpoint configurations right now — and most business owners have no idea where their real exposure actually is.

Teknologize offers a free vulnerability assessment to help you find out. No scare tactics. No sales pitch dressed up as a report. Just a clear, practical look at where the gaps are and what it would actually take to close them — so technology is working for your business instead of quietly putting it at risk.

If you are responsible for keeping your business running, this is worth 30 minutes of your time.

Schedule your free vulnerability assessment →

Or call us directly at (509) 396-6640.


About Teknologize

Teknologize is a SOC 2 Type I accredited Managed IT and Cybersecurity provider serving small to mid-sized businesses across Washington and Oregon. We deliver full-service Managed IT Support, Co-Managed IT Support, advanced Cybersecurity Solutions, and IT Compliance Services for regulated industries, including Healthcare, Financial Institutions, the Utilities Sector, Manufacturing, and Professional Services.

👉 Book a Discovery Call to see how Teknologize can support your business.

Our Offices

Tri-Cities, Washington – 509.396.6640 | Yakima, Washington – 509.396.6640

Bend, Oregon – 541.848.6072 | Seattle, Washington – 206.743.0981

Questions about your IT or Cybersecurity? Give us a call today!