Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses.
# Best Practices: Reducing Abuse of Microsoft 365 Exchange Online Direct Send
## Overview
These practices address the security risks associated with Microsoft 365 Exchange Online's Direct Send feature, which allows unauthenticated devices (like printers or legacy apps) to send email into the tenant using the organization's own accepted domains. Abuse of this feature bypasses standard authentication checks (SPF, DKIM, DMARC), enabling adversaries to conduct internal-looking phishing and Business Email Compromise (BEC) attacks. The goal is to maintain necessary business workflows while significantly reducing the attack surface.
## Key Recommendations
### Immediate Actions
1. **Enable Microsoft's `RejectDirectSend` Control:** Enroll in the Public Preview of the `RejectDirectSend` control now and begin blocking Direct Send paths where feasible, following Microsoft's latest guidance.
2. **Restrict Egress Port 25:** Implement firewall rules to restrict outbound SMTP (port 25) traffic, ensuring only designated, authorized hosts are permitted to originate external SMTP traffic from the network.
3. **Monitor Authentication Anomalies:** Configure alerts to notify security teams immediately upon detection of internal domain messages that lack standard authentication (SPF/DKIM/DMARC results indicating failure or none).
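One way to implement the third action offline, as an added example that is not part of the Talos report: parse the `Authentication-Results` header of messages whose `From:` domain is one of the tenant's accepted domains and flag those where none of SPF, DKIM or DMARC passed. `$AcceptedDomains` and the sample headers are constructed placeholders.

```powershell
# Added example (not from the report). Placeholder accepted domains for the tenant.
$AcceptedDomains = @('contoso.com', 'contoso.net')

function Test-UnauthenticatedInternalMail {
    param(
        [Parameter(Mandatory)][string]$From,                   # RFC 5322 From: address
        [Parameter(Mandatory)][string]$AuthenticationResults,  # Authentication-Results header value
        [string[]]$Domains = $AcceptedDomains
    )
    # Domain part of the From: address; tolerates "Name <user@domain>" forms
    $fromDomain = (($From -split '@')[-1]).Trim('> ').ToLowerInvariant()
    if ($Domains -notcontains $fromDomain) { return $null }    # external sender: out of scope here

    # Each method appears as "method=result ..." in the header, e.g. "spf=fail (sender IP is ...)"
    $verdict = @{}
    foreach ($method in 'spf', 'dkim', 'dmarc') {
        $verdict[$method] = if ($AuthenticationResults -match "(?i)\b$method=(\w+)") {
            $Matches[1].ToLowerInvariant()
        } else { 'none' }
    }
    [pscustomobject]@{
        From       = $From
        SPF        = $verdict.spf
        DKIM       = $verdict.dkim
        DMARC      = $verdict.dmarc
        # Internal-looking mail with no passing check is the Direct Send abuse pattern
        Suspicious = (@($verdict.Values) -notcontains 'pass')
    }
}

# Constructed samples: a legitimate internal message, the abuse pattern, and an external message
$samples = @(
    @{ From = 'ceo@contoso.com';   AuthResults = 'spf=pass (sender IP is 40.107.1.2) smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass action=none header.from=contoso.com' },
    @{ From = 'ceo@contoso.com';   AuthResults = 'spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=contoso.com' },
    @{ From = 'news@example.org';  AuthResults = 'spf=none smtp.mailfrom=example.org; dkim=none; dmarc=none' }
)
$samples |
    ForEach-Object { Test-UnauthenticatedInternalMail -From $_.From -AuthenticationResults $_.AuthResults } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table
```

Only the second sample is reported; feed the function the header values your SIEM or message trace export already collects to raise the alert the recommendation describes.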
### Short-term Improvements (1-3 months)
1. **Inventory Direct Send Dependencies:** Identify all devices, applications, and systems currently relying on Direct Send. Document their purpose and necessary sending scope.
2. **Implement Partner/Inbound Connectors:** For approved third-party services or known legacy devices that legitimately need to send using accepted domains, establish **certificate-based** or **IP-based partner/inbound connectors** instead of relying on anonymous Direct Send.
3. **Strengthen SPF Configuration:** Update Sender Policy Framework (SPF) records to use the **Soft Fail (`~all`)** policy, as recommended by M3AAWG and Microsoft, to reduce the impact of unauthorized sending sources while maintaining operational resilience during transition.
### Long-term Strategy (3+ months)
1. **Migrate Legacy Systems to Authenticated Submission:** Develop a phased migration plan to convert every legacy application and device identified in the inventory to modern, authenticated submission methods (SMTP AUTH or modern APIs) instead of Direct Send.
2. **Enforce Modern Authentication:** Use Conditional Access or equivalent policies to actively block legacy authentication paths that are not required or justified, minimizing lateral movement vectors.
3. **Ensure Full Email Authentication Alignment:** Complete the enforcement of DomainKeys Identified Mail (DKIM) signing across all legitimate sending sources and actively monitor DMARC aggregate reports to gain visibility into unauthenticated traffic patterns.
## Implementation Guidance
### For Small Organizations
- **Prioritize Inventory and Blocking:** Focus efforts on quickly identifying and migrating the most visible dependencies. If a device is not mission-critical, block Direct Send for that source immediately or force migration to a simple, IP-restricted relay.
- **Use Basic IP Restriction:** For devices that cannot use authentication, set up a very tightly scoped SMTP relay accessible *only* via specific, authorized source IP addresses.
### For Medium Organizations
- **Leverage Native Controls:** Focus on thoroughly testing and configuring the Microsoft-provided `RejectDirectSend` control across different organizational scopes/groups before applying it tenant-wide.
- **Phased Connector Rollout:** Begin establishing IP or certificate-based partner connectors for known scanning/printing systems, systematically decommissioning the underlying Direct Send trust for those specific sources.
### For Large Enterprises
- **Develop Comprehensive Visibility Projects:** Use Microsoft reporting (or third-party tools) to gain granular visibility into Direct Send usage before making significant configuration changes, so that enforcement does not cause accidental business disruption.
- **Integrate Monitoring:** Ensure alerts for unauthenticated internal-looking mail are integrated into the central Security Information and Event Management (SIEM) system for correlation with wider threat telemetry.
- **Formal Change Management:** Mandate robust change management processes for disabling Direct Send paths, ensuring coordination across facilities, application owners, and security teams.
## Configuration Examples
Direct Send abusers exploit the mechanism by appearing as trusted internal/system traffic. The mitigation strategy relies on *shifting* the trusted mechanism from anonymous Direct Send to explicit, granular authentication methods:
| Goal | Configuration Best Practice | Mechanism to Use |
| :--- | :--- | :--- |
| **Replace Anonymous Send** | Configure the third-party application/device to use a verified credential set. | SMTP AUTH (with MFA conditionally enforced where possible) or Microsoft Graph API. |
| **Secure Legacy Devices** | Create a dedicated relay server or connector authorized only by its originating source. | **Partner Connector** (IP Address or Certificate-Based). The connector must be tightly configured within Exchange Online settings to receive mail for your accepted domains. |
| **Strengthen Domain Protection** | Use `~all` (Soft Fail) as the SPF terminator; relax a strict `-all` only where hybrid or external transfers require it. | Update DNS TXT record for SPF. |
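The three table rows carried out in Exchange Online PowerShell, as an added example rather than configuration from the report: enable `RejectDirectSend`, replace a legacy device's anonymous Direct Send with an IP-scoped Partner inbound connector, and verify the domain's SPF terminator. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and placeholder values (`contoso.com`, `203.0.113.10`, connector names).

```powershell
# Added example (not from the report). Requires the ExchangeOnlineManagement module
# and an Exchange administrator; run on Windows for the Resolve-DnsName step.
Connect-ExchangeOnline

# 1. Reject anonymous Direct Send tenant-wide (the public preview control the report names).
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend

# 2. Keep one inventoried legacy device working through an IP-scoped Partner inbound
#    connector instead of anonymous Direct Send. 203.0.113.10 is a placeholder device IP.
#    Leave -RestrictDomainsToIPAddresses at $false: $true rejects every message for the
#    listed sender domain that does not arrive from the listed IPs (legitimate third
#    parties included), which is exactly the disruption the pitfalls section warns about.
New-InboundConnector -Name 'Finance-MFP-Relay' `
    -ConnectorType Partner `
    -SenderDomains 'contoso.com' `
    -SenderIPAddresses '203.0.113.10' `
    -RestrictDomainsToIPAddresses $false `
    -Comment 'Scan-to-email MFP, inventory item FIN-017 (placeholder)'

# Certificate-based variant for a device that can present a TLS client certificate:
#   New-InboundConnector -Name 'Finance-MFP-Relay-TLS' -ConnectorType Partner `
#       -SenderDomains 'contoso.com' -RequireTls $true `
#       -RestrictDomainsToCertificate $true -TlsSenderCertificateName 'mfp.contoso.com'

# 3. Verify the domain's SPF record ends in ~all (Soft Fail) as the table recommends.
function Test-SpfSoftFail {
    param([Parameter(Mandatory)][string]$Domain)
    $record = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
              ForEach-Object { $_.Strings -join '' } |        # TXT data may be split into chunks
              Where-Object { $_ -like 'v=spf1*' } |
              Select-Object -First 1
    $verdict = if ($record -match '~all\s*$') { 'OK: soft fail' }
               elseif ($record -match '-all\s*$') { 'strict -all: relax only if hybrid flows need it' }
               else { 'review: no ~all or -all terminator' }
    [pscustomobject]@{ Domain = $Domain; Record = $record; Verdict = $verdict }
}
Test-SpfSoftFail -Domain 'contoso.com'
```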
## Compliance Alignment
- **NIST CSF:** Primarily addresses **Identify** (ID.AM, ID.RA), **Protect** (PR.AC, PR.DS), and **Detect** (DE.CM).
- **ISO 27001/27002:** Aligns with controls related to access control (A.9), communications security (A.13), and supplier relationships (for third-party systems relying on the connector).
- **CIS Controls (v8):** Directly relates to Control 3 (Data Protection), Control 4 (Secure Configuration), and Control 8 (Account Management, specifically blocking legacy authentication).
## Common Pitfalls to Avoid
- **Hasty Blanket Disablement:** Disabling Direct Send entirely without first identifying and migrating dependencies can immediately disrupt critical business functions (e.g., invoice processing, automated notifications).
- **Ignoring Legacy Authentication:** Failing to address SMTP AUTH alongside Direct Send mitigation. Attackers often pivot between unauthenticated and poorly authenticated paths.
- **Incomplete Inventory:** Assuming that all internal-sending devices use modern methods. Legacy workflows can be deeply nested, requiring thorough discovery before policy enforcement.
## Resources
- **Microsoft Public Preview Documentation:** Check for the latest guidance and availability of the `RejectDirectSend` control.
- **M3AAWG Email Authentication Recommended Best Practices:** Refer to this document for setting appropriate SPF policies (e.g., using Soft Fail `~all`).
- **Cisco Talos, Varonis and Other Vendor Research:** Review detailed community research on observed attacker techniques to ensure detection logic is comprehensive.