Think you can spot a phishing email? This new trick is harder to catch

Many people are getting better at spotting phishing attacks from outside sources. But what if the attack appears to come from within your own company? A recently discovered vulnerability in Microsoft 365 is being used to bypass traditional security, making it easier than ever for hackers to send you convincing fake emails that slip past your defenses.

The sneaky trick, explained

At the heart of this new threat is a Microsoft 365 feature called Direct Send. It was created for a simple, helpful reason: to allow internal office devices, such as printers and scanners, to send you emails — such as a scanned document — without needing to log in with a password. This feature is designed for convenience and is intended only for internal use.

However, this convenience has created a security loophole. Because Direct Send doesn’t require authentication, hackers have found a way to exploit it to send phishing emails without needing to steal a single password or compromise any accounts. All they need is a few publicly available details and some guesswork to figure out your company’s email address format.

Once an attacker has a valid internal email address, they can use the Direct Send system to send emails that look like they’re from someone inside your organization. And because these emails are routed through Microsoft’s own infrastructure and appear to be internal, they often bypass the very security filters designed to catch suspicious messages.

In a recent campaign that affected over 70 organizations, attackers used this method to send fake voicemail notifications containing malicious QR codes, which tricked users into visiting websites that stole their Microsoft 365 credentials.

What you can do: Stay alert

While the technical fix is up to your IT team, everyone can help prevent these attacks by being cautious.

• Be suspicious of the sender – Even if an email looks like it’s from a coworker, be wary if the request is unusual.
• Question internal notifications – Employees are used to seeing notifications from scanners and printers, so they rarely question their authenticity. Think twice before opening attachments or clicking links in automated messages.
• Beware of QR codes – Be very careful about scanning QR codes you receive in emails, as they may lead you to malicious websites.
• Report, don’t reply – If you see a suspicious email, report it to your IT department immediately.

For your IT department: The technical fix

This attack exploits a misconfiguration, not an impossible-to-stop, zero-day threat. Your technical team can take several steps to shut this vulnerability down.

• Implement strict policies – Enforce strict DMARC and anti-spoofing policies to make it harder for fakes to get through. You should also enable “SPF hardfail” in Exchange Online Protection.
• Disable or reject Direct Send – Microsoft is working to disable Direct Send by default. In the meantime, you can enable the “Reject Direct Send” setting in the Exchange Admin Center to block this type of attack.
• Flag unauthenticated mail – Set up rules to flag any unauthenticated internal emails for review.
• Secure your devices – Treat all network-connected devices, such as printers and scanners, as fully fledged endpoints. This means putting them on segmented networks, monitoring their activity, and restricting what they are allowed to do.

Don’t wait for an attack to test your defenses. Contact our cybersecurity experts today for help securing your email systems and for more information on how to protect your organization.