Phishing via “Microsoft Direct Send” — Why It’s Not Always Your IT Provider’s Fault

We’re seeing a rise in phishing campaigns that use Microsoft 365’s own infrastructure to deliver messages that look like they came from inside your organization.

These attacks don’t always rely on compromised accounts. In many cases, attackers are abusing a feature called “Direct Send,” which allows devices and applications to send email into your tenant without authentication.

When this happens, the messages can appear internal and may not be evaluated the same way as external email. That’s why they sometimes slip past filtering controls and land in user inboxes.

When these emails get through, the IT provider is often the first place people look. But this isn’t always a failure of filtering or monitoring.

What’s really going on:

Direct Send is a legitimate feature designed for things like printers and line-of-business apps. If it’s not restricted, it can be used to submit messages that appear to come from your domain.

Email authentication standards like SPF, DKIM, and DMARC still matter—but they don’t always fully protect against this type of traffic on their own.

What this means for your business:

Your IT provider can monitor, filter, and respond to threats—but they don’t control every pathway into your environment.

If Direct Send is enabled or unrestricted, or if email authentication policies are incomplete, there are gaps that attackers can take advantage of.

This is why email security is not just a product—it’s a configuration and ownership issue.

Next steps:

Review how Direct Send is configured (or whether it’s needed at all).

Make sure only known systems are allowed to use it—or disable it entirely if possible.

Strengthen SPF, DKIM, and DMARC policies so spoofed messages are rejected wherever possible.

Continue user awareness training—because even internal-looking emails can be malicious.
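To support that review, here is an added example (not part of the original post) that triages messages claiming to come from your own domain by reading the Authentication-Results header the receiving mail system stamped on them. The domain, the device IP allowlist, the verdict labels and the sample messages are all constructed assumptions, and the "sender IP is" wording follows the style Exchange Online uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}         # assumption: your tenant's accepted domains
KNOWN_DEVICE_IPS = {"198.51.100.10"}  # assumption: printers/apps approved for Direct Send

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts and the connecting IP; the topmost header wins."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), verdict.lower())
        ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", header)
        if ip:
            found.setdefault("ip", ip.group(1))
    return found

def triage(raw_message):
    """Classify one message by its From domain and authentication verdicts."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in OWN_DOMAINS:
        return "external-from"   # does not claim to be internal
    res = auth_results(msg)
    if res.get("dmarc") == "pass":
        return "authenticated"   # aligned SPF or DKIM vouches for the domain
    if res.get("ip") in KNOWN_DEVICE_IPS:
        return "known-device"    # unauthenticated, but from an approved system
    return "suspect-spoof"       # internal-looking, unauthenticated, unknown source

def sample(sender, ip, spf, dkim, dmarc):
    """Build a constructed test message with a folded Authentication-Results header."""
    return (
        f"Authentication-Results: spf={spf} (sender IP is {ip})\n"
        f" smtp.mailfrom=example.com; dkim={dkim} header.d=none;\n"
        f" dmarc={dmarc} header.from=example.com\n"
        f"From: {sender}\nTo: user@example.com\nSubject: test\n\nbody\n"
    )

SPOOFED = sample("Payroll <payroll@example.com>", "203.0.113.5", "fail", "none", "fail")
PRINTER = sample("scanner@example.com", "198.51.100.10", "fail", "none", "fail")
SIGNED = sample("hr@example.com", "192.0.2.20", "pass", "pass", "pass")
VENDOR = sample("billing@example.net", "192.0.2.30", "pass", "pass", "pass")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("printer", PRINTER),
                      ("signed", SIGNED), ("vendor", VENDOR)]:
        print(name, "->", triage(raw))
```

Only trust Authentication-Results headers added by your own mail system, since a sender can include forged ones further down the message.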

Security is a shared responsibility. Your IT provider is a partner, but your tenant configuration and domain controls are also part of your defense.