
Direct Send abuse on Microsoft 365: Just another failed authentication

Blog post from Sublime Security

Post Details

Author: Peter Djordjevic
Word Count: 1,629
Language: English
Summary

Sublime's Attack Spotlight series covers the detection and prevention of phishing attacks that abuse Microsoft 365's Direct Send feature, which allows unauthenticated messages to be delivered to mailboxes in a tenant and can therefore bypass inline email security solutions. Direct Send has legitimate uses, such as sending mail from internal devices and applications, but attackers can exploit it to send phishing messages that spoof senders within the tenant. Sublime's AI-powered detection engine identifies and stops these attacks by analyzing several indicators together, such as failed authentication, self-sender patterns, and encoded threats within attachments, rather than treating Direct Send alone as a malicious indicator. Examples include phishing attempts using QR codes and SVG files with embedded malicious scripts, which illustrate why comprehensive email analysis is needed. The series encourages readers to follow the blog and newsletter to keep up with the evolving email threat landscape.