
Direct Send in Microsoft 365: A Small Feature With a Big Security Gap
Many organizations use “Direct Send” in Microsoft 365 so devices like printers or scanners can email documents without authenticating to a mailbox. It’s convenient — but it also opens a door that attackers love to walk through.
Because Direct Send doesn’t require authentication, it becomes much easier for someone to send emails pretending to be you or your organization. That’s where the risk comes in.
“So why not just block it?”
You can — and in some cases you should. But that’s a bit like saying, “To avoid computer viruses, just never go online.” It’s not always practical.
How attackers take advantage
Cybercriminals are now using Phishing‑as‑a‑Service tools to send huge volumes of fake emails that look like password resets, HR notices, invoices, or internal alerts. When Direct Send is open, spoofing your domain becomes much easier.
What you can do to protect your organization
• Use the security tools you already have to block or quarantine suspicious emails.
• Make sure your SPF and DMARC settings are correct so only legitimate systems can send mail on your behalf.
• Avoid simply “whitelisting” IP addresses — it often creates more problems than it solves. Use proper connectors and anti‑spoofing rules instead.
• If your internal devices need to send email, consider switching them to an authenticated SMTP method instead. Sometimes the tried‑and‑true approach is the safest one.
Most importantly: monitor. Email security isn’t a one‑time fix. It requires ongoing attention and regular check‑ups.
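As an added example (not from the original post), here is a small Python check that grades a domain’s SPF and DMARC records against the advice above: it flags an SPF record that does not hard-fail unknown senders and a DMARC policy that only reports rather than rejects. The records are constructed samples, not real domains.

```python
import re

# Constructed sample records: a permissive pair and a hardened pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf, dmarc):
    """Return (severity, message) findings for an SPF/DMARC record pair."""
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "SPF record missing or malformed")]
    # The 'all' mechanism decides what happens to senders not listed in SPF.
    qualifier = None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term.lower())
        if match:
            qualifier = match.group(1) or "+"
    if qualifier in (None, "+", "?"):
        findings.append(("high", "SPF does not fail unknown senders (missing, +all or ?all)"))
    elif qualifier == "~":
        findings.append(("medium", "SPF softfail (~all): spoofed mail is marked, not rejected"))

    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append(("high", "DMARC record missing or malformed"))
        return findings
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(("high", "DMARC p=none: spoofed mail is reported but still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "DMARC p=quarantine: consider moving to p=reject"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("medium", "DMARC pct<100: policy applies to only part of the mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports to monitor"))
    return findings
```

Run it against the TXT records you publish for your own domain; the output is a starting point for the regular check‑ups mentioned above, not a substitute for reading the DMARC reports themselves.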
