Cyber Daily Report

None--securityboulevard.com
published date: 2025-08-29 00:00:00 UTC

None

Back in <a href="https://ironscales.com/blog/inside-job-attackers-are-spoofing-emails-with-m365s-direct-send">Part 1</a>, we walked through how attackers are using Microsoft 365’s Direct Send feature to spoof internal emails, making those messages look like they’re coming from a trusted domain.Now, Microsoft is tightening the screws with new controls and clearer guidance on how to shut that door before someone walks through it.This post breaks down what’s changed, what you need to do, and how to keep legitimate mail flowing while keeping the bad actors out.<div class="code-block code-block-12 ai-track" data-ai="WzEyLCIiLCJCbG9jayAxMiIsIiIsMV0=" style="margin: 8px 0; clear: both;"> <style> .ai-rotate {position: relative;} .ai-rotate-hidden {visibility: hidden;} .ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;} </style> <div class="ai-rotate ai-unprocessed ai-timed-rotation ai-12-1" data-info="WyIxMi0xIiwxXQ==" style="position: relative;"> <div class="ai-rotate-option" style="visibility: hidden;" data-index="1" data-name="VGVjaHN0cm9uZyBHYW5nIFlvdXR1YmU=" data-time="MTA="> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="https://youtu.be/Fojn5NFwaw8" target="_blank"><img src="https://securityboulevard.com/wp-content/uploads/2024/12/Techstrong-Gang-Youtube-PodcastV2-770.png" alt="Techstrong Gang Youtube"></a></div> <div class="clear-custom-ad"></div> </div></div> </div> </div><h2 style="font-size: 24px;">What’s New from Microsoft?</h2><ol> <li> New ‘RejectDirectSend’ Feature</li> </ol>Microsoft has released a new tenant-wide control (in public preview) called RejectDirectSend. When enabled, it blocks unauthenticated emails from your own accepted domains—emails that don’t flow through a trusted connector.This is a big deal. Previously, attackers could spoof your domain and send messages straight to Exchange Online using port 25, bypassing SPF, DKIM, and other checks. Now, Exchange will reject that traffic automatically.<div class="code-block code-block-15" style="margin: 8px 0; clear: both;"> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2091799172090865" crossorigin="anonymous" type="21b6c18c15b7683a4bd4789c-text/javascript"></script>  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-2091799172090865" data-ad-slot="8723094367" data-ad-format="auto" data-full-width-responsive="true"></ins> <script type="21b6c18c15b7683a4bd4789c-text/javascript"> (adsbygoogle = window.adsbygoogle || []).push({}); </script></div>You can turn it on with a single PowerShell command:Set-OrganizationConfig -RejectDirectSend $trueOnce enabled, Exchange will block unauthenticated internal spoof attempts and return this error to the sender:550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources<ol start="2"> <li> Connector-Based Exceptions</li> </ol>If you have printers, scanners, line-of-business apps, or external services sending mail on your behalf, you’ll need to make sure those senders are authenticated. Microsoft recommends using an inbound partner connector with either IP or certificate-based authentication.<ol start="3"> <li> SPF & DMARC Still Matter</li> </ol>Even with the new feature, Microsoft emphasizes continuing to enforce SPF, DKIM, and DMARC correctly. Use ~all (soft fail) in your SPF policy if you need flexibility for legitimate third-party senders. Misconfigurations still cause both false positives and missed threats.<ol start="4"> <li> Better Logging and Visibility</li> </ol>For now, Microsoft’s RejectDirectSend control doesn’t show up in standard logs unless you’re looking. You’ll need to inspect traffic using Audit Logs or advanced queries (filtering by sender domain, authentication status, etc.). Make sure you have eyes on the metrics so you don’t accidentally block something important.<h2>What IRONSCALES Has Done to Protect Our Clients</h2>While Microsoft has tightened Direct Send controls, our team has already deployed targeted updates to protect customers against these attacks and the techniques threat actors rely on to sneak past basic authentication checks.Here’s what’s new in your IRONSCALES environment:<ul> <li>New Detection Logic Deployed – Covers “Direct Send” impersonation attempts, where attackers bypass traditional relay checks and pose as trusted internal users.</li> <li>Enhanced Attachment Scanning – Added specific rules for prominent extensions including but not limited to SVG and HTML payloads, which are frequently used to hide phishing links or embedded malicious code.</li> <li>Improved Cross-Module Consistency – Detection modules now share results more effectively, reducing situations where one module spotted suspicious activity but the verdict wasn’t reflected in the final classification.</li> <li>Ongoing Tuning – Our Security Research team continuously fine-tunes detection logic to maximize catch rates while keeping false positives low.</li> </ul>What this means in practice: These updates allow us to automatically detect and remediate emails that previously had a higher chance of slipping through — including internal impersonation attacks via Direct Send and phishing attempts hidden in less common attachment types like SVG or HTML.You don’t need to take any action — these protections are already live and active across your mailboxes.<h2 style="font-size: 24px;">Action Items: What You Should Do Today </h2><table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; width: 100%; height: 482px;"> <tbody> <tr style="height: 49px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 49px; background-color: #004491;"> </td> <td style="border: 1pt solid windowtext; width: 92.0229%; height: 49px; background-color: #004491; vertical-align: bottom; text-align: center;">Steps To Take</td> </tr> <tr style="height: 77px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 77px;"> 1 </td> <td style="width: 92.0229%; height: 77px;"> Inventory all systems or apps using Direct Send (like printers, email alerts, Azure Comm Services, etc.) </td> </tr> <tr style="height: 79px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 79px;"> 2 </td> <td style="width: 92.0229%; height: 79px;"> Update your SPF record with the IPs of legitimate senders; use soft fail (~all) to avoid bouncebacks </td> </tr> <tr style="height: 79px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 79px;"> 3 </td> <td style="width: 92.0229%; height: 79px;"> Enable RejectDirectSend: Set-OrganizationConfig -RejectDirectSend $true </td> </tr> <tr style="height: 49px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 49px;"> 4 </td> <td style="width: 92.0229%; height: 49px;"> Create inbound connectors for authenticated traffic using IP or certificate validation </td> </tr> <tr style="height: 51px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 51px;"> 5 </td> <td style="width: 92.0229%; height: 51px;"> Monitor rejected mail for the 550 5.7.68 error to catch misconfigured systems </td> </tr> <tr style="height: 49px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 49px;"> 6 </td> <td style="width: 92.0229%; height: 49px;"> Coordinate with app/device owners to migrate away from anonymous port 25 </td> </tr> <tr style="height: 49px;"> <td style="border: 1pt solid windowtext; width: 7.97709%; text-align: center; height: 49px;"> 7 </td> <td style="width: 92.0229%; height: 49px;"> Stay ready — Microsoft will eventually enable this control by default for all new tenants </td> </tr> </tbody> </table> Q&A: What You Need to KnowQ: What happens if a printer or line-of-business app sends mail after I enable RejectDirectSend? A: If that traffic isn’t authenticated through a connector, Exchange will block it with the 550 5.7.68 error. This means the sender is trying to impersonate your domain without permission. The fix is simple: set up an inbound connector that validates via IP or certificate. You get to define who’s allowed to speak for your domain.Q: Is Direct Send the same as regular email delivery? A: Not quite. Direct Send means sending email from your accepted domain to Microsoft 365 without authentication. Microsoft has clarified that not all unauthenticated mail is Direct Send—but when it comes from your domain, it should be protected. Otherwise, it’s a spoof waiting to happen.Q: Can SPF or DMARC catch this kind of spoofing without the new control? A: Sometimes—but not always. SPF only works if the receiving server checks it and the sending IP is on your allowlist. DMARC depends on SPF/DKIM passing and domain alignment. If an attacker sends mail directly via port 25 with a forged header, SPF and DKIM checks often aren’t enforced. That’s why Microsoft introduced RejectDirectSend—to cut this loophole off entirely.Q: I’m not sure what’s using Direct Send in our environment. How do I avoid breaking things? A: Start with monitoring. Look for emails coming from your domain without authentication or connector attribution. Microsoft recommends auditing sender traffic by IP and filtering on the SenderMailFromAddress field. Once you’ve identified your legit sources, build connectors and test before flipping the switch.<h2 style="font-size: 24px;">Final Thoughts</h2>Microsoft’s new RejectDirectSend feature is an important step toward closing a loophole that attackers have exploited for years. But it’s only part of the picture. Threat actors move fast, and no single control — whether SPF, DMARC, or tenant-wide settings — is enough to keep pace on its own.That’s why IRONSCALES has already gone further. With new detection logic, enhanced attachment scanning, and continuous tuning from our security research team, we’re making sure these same tactics are detected and remediated automatically at the inbox level. You don’t need to wait for policies to roll out either. This protection is already live and active.We’re here to help if you want to talk through how these changes impact your environment, or if you’d like a deeper look at how IRONSCALES complements Microsoft 365 to shut down advanced impersonation and phishing techniques before they reach your users.<img decoding="async" src="https://track.hubspot.com/__ptq.gif?a=20641927&k=14&r=https%3A%2F%2Fironscales.com%2Fblog%2Fpart-2-microsoft-cracks-down-on-direct-send-spoofing&bu=https%253A%252F%252Fironscales.com%252Fblog&bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/08/microsoft-and-ironscales-crack-down-on-the-direct-send-exploit/" data-a2a-title="Microsoft and IRONSCALES Crack Down on the Direct Send Exploit"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F08%2Fmicrosoft-and-ironscales-crack-down-on-the-direct-send-exploit%2F&linkname=Microsoft%20and%20IRONSCALES%20Crack%20Down%20on%20the%20Direct%20Send%20Exploit" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F08%2Fmicrosoft-and-ironscales-crack-down-on-the-direct-send-exploit%2F&linkname=Microsoft%20and%20IRONSCALES%20Crack%20Down%20on%20the%20Direct%20Send%20Exploit" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F08%2Fmicrosoft-and-ironscales-crack-down-on-the-direct-send-exploit%2F&linkname=Microsoft%20and%20IRONSCALES%20Crack%20Down%20on%20the%20Direct%20Send%20Exploit" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F08%2Fmicrosoft-and-ironscales-crack-down-on-the-direct-send-exploit%2F&linkname=Microsoft%20and%20IRONSCALES%20Crack%20Down%20on%20the%20Direct%20Send%20Exploit" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F08%2Fmicrosoft-and-ironscales-crack-down-on-the-direct-send-exploit%2F&linkname=Microsoft%20and%20IRONSCALES%20Crack%20Down%20on%20the%20Direct%20Send%20Exploit" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://ironscales.com/blog">Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by James Savard">James Savard</a>. Read the original post at: <a href="https://ironscales.com/blog/part-2-microsoft-cracks-down-on-direct-send-spoofing">https://ironscales.com/blog/part-2-microsoft-cracks-down-on-direct-send-spoofing</a>