Lots of phishing? Recipients same as Sender? Turn off Direct Send
Posted by SemicolonMIA@reddit | sysadmin | 27 comments
Just posting this here because I am seeing a lot of threads regarding this. Your uptick is likely direct send. It seems to be hitting a lot of orgs with it turned on. I updated my tenant today and the issues were resolved.
Symptoms are upticks in phishing emails where the sender appears to be the same as the recipient.
https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790
Educational_Boot315@reddit
Yep, been dealing with this since Friday and turning off direct send seemed to have resolved it. SPF/DKIM/DMARC reject already set up didn’t.
Already had smtp2go set up so… anything that breaks because of the change was shadow IT anyways.
SimpleSysadmin@reddit
Hasn’t this broken your smtp2go mail? As that would be defined as direct send if that is being used to send to internal staff addresses?
ArboriaTS@reddit
If anyone in this thread needs to turn off Direct Send in bulk, there is a "trending hotfixes" page in https://t3nantwiz.com/ that helps you do this in bulk to your tenants. There's a free trial that doesn't require a credit card, so it's quick and painless.
Gumbyohson@reddit
I thought Direct Send was only an issue if SPF, DKIM and DMARC aren't maintained.
DominusDraco@reddit
Nope, it bypasses both. Which is why so many people are being caught out. The same reason I was a few months back. All your SPF and DMARC is in order and the phishing emails still came through.
SimpleSysadmin@reddit
No it doesn’t, or at least normal direct send doesn’t.
I know when I set up SendGrid for a scan-to-email situation and direct send to a tenancy, we see failures and have to add to the SPF record and/or DKIM for it to be delivered and pass those checks. And it wouldn’t make sense for Microsoft to just ignore standards like this that have existed for ages just because it’s from the same domain as the tenancy.
Jaki_Shell@reddit
He is actually right, it does bypass both.
Microsoft uses CompAuth; it's essentially their own internal proprietary "email authentication" mechanism. So both SPF and DMARC could fail, but if Direct Send was used, CompAuth might pass and then the e-mail would go through.
You would be able to see this in the headers, something like compauth=pass
So yeah, it's Microsoft ignoring standards that have existed for ages, so their own AI can determine if it's legit.
Gumbyohson@reddit
I think you have to enable the DMARC handling on the defender for office policy settings: "Honor DMARC record policy when the message is detected as spoof (HonorDmarcPolicy)".
New security standard policy and recommended default is true here. Older tenancies or misconfigured policies might not.
SimpleSysadmin@reddit
CompAuth uses SPF, DKIM and DMARC as part of its evaluation. I could see this passing if there is a weak or no DMARC policy, as it's best effort, but I’d be extremely surprised if CompAuth ignored DMARC in reject status in even some cases.
I know for certain it does not bypass, as I’ve seen many times, first hand, that SPF will fail when using third party sending services without updating SPF records.
It’s possible there are edge cases where CompAuth takes precedence, but I’d say it’s unreasonable to assume Microsoft’s been allowing DMARC bypasses for all direct send traffic, especially as you can validate this with any third party sending service.
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about
Specialist_Guard_330@reddit
I thought the same
Excellent-Program333@reddit
Yup, did this yesterday. Broke scan to email on copiers. No big deal. Set up a connector in Exchange Admin with the IPs for Mailhop that we use for SMTP. Thanks for getting the word out!
SimpleSysadmin@reddit
Can you confirm if these emails were failing DMARC?
Regardless of whether you’ve turned on the new-ish RejectDirectSend option Microsoft mentions in that post, these emails should not be getting past DMARC. If they are, knowing why is a big deal, as many businesses are dependent on what Microsoft calls “direct send”. Things like scan to email or marketing platforms that send notifications to internal staff, etc.
SemicolonMIA@reddit (OP)
I will have to double check in the AM. I believe we have DMARC set to reject but SPF may be soft fail. A lot were caught and quarantined but not all.
SimpleSysadmin@reddit
That would be awesome, curious to get more info
statikuz@reddit
They are failing SPF and DMARC and still getting delivered.
Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails
unreasonablymundane@reddit
If you're not ready to turn off Direct Send, another option is to add a mail flow rule for 'Received-SPF' header contains 'Fail' or 'SoftFail' or 'Neutral' and sender's address domain portion belongs to any of these domains: {your accepted domains}, to send for moderation or to the quarantine. You can then add exceptions for ips or certain headers if you get any false positives.
SemicolonMIA@reddit (OP)
Yes. We are a small org with minimal impact. Just our scan to email was impacted due to using SMTP.
mountaindrewtech@reddit
Definitely audit! I ended up just remediating everything outdated and rejecting direct send without a connector.
Our org had some wacky stuff that was legitimate. First time really auditing everything.
analbumcover@reddit
We have definitely been seeing a big uptick for this in the past 2-3 weeks.
littleko@reddit
Good PSA. We got hit with this a few months back, the spoofed-internal look bypasses a lot of user suspicion which is why it works so well.
For anyone reading, also double-check your DMARC is at enforcement (p=quarantine or reject) because direct send abuse often pairs with external spoofing attempts. Disabling direct send is the right call if you're not actively using it (most orgs aren't).
CeC-P@reddit
I just looked into this. Would it be relevant to the waves of spam we're seeing if the server the mail comes from is like 10 states away?
SemicolonMIA@reddit (OP)
Is your DMARC set to reject? If so, it pretty much has to be Direct Send. Biggest indicator was recipient = sender and authas = anonymous in the header of the emails.
iama_bad_person@reddit
We have some third party services that use it to send as us, currently updating how they communicate with our servers to fix it but for now just keeping more of an eye on things.
SemicolonMIA@reddit (OP)
You can put a mail rule in place to block the emails, but it racks up quite a few very fast because the spoofs that are DMARC related will also be caught in the block.
I put that in place before switching off direct send. It was something like:
If recipient email = sender email and is external == block message.
matt5on@reddit
How to check if it passed by direct send or DMARC in Exchange Online?
SemicolonMIA@reddit (OP)
If DMARC is set up correctly, it would reject the message. You can also tell by looking at the headers on one of the emails. You should see the auth as being anonymous.
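The header tells named in this thread (recipient equals sender with AuthAs Anonymous, as the OP describes, and the Received-SPF Fail/SoftFail/Neutral plus accepted-domain condition from unreasonablymundane's mail flow rule) turned into a small triage check; this is an added example, not code from the thread. The two header sets are constructed, the header names are the ones Exchange Online stamps, and the accepted-domain set passed in is an assumption.

```python
import re
import email
from email.utils import parseaddr

# Constructed header sets (not real captured mail): SPOOF mimics what the thread describes
# (sender == recipient, SPF/DMARC fail, AuthAs Anonymous, compauth=pass); LEGIT is an
# ordinary authenticated internal message for comparison.
SPOOF = """\
Received-SPF: Fail (protection.outlook.com: domain of example.com does not designate 203.0.113.5 as permitted sender)
Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail action=oreject header.from=example.com; compauth=pass reason=109
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Subject: New voicemail
"""
LEGIT = """\
Received-SPF: Pass (protection.outlook.com: domain of example.com designates 203.0.113.9 as permitted sender)
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Internal
From: copier@example.com
To: jane.doe@example.com
Subject: Scanned document
"""

WEAK_SPF = {"fail", "softfail", "neutral"}  # the Received-SPF results the thread's rule matches

def auth_result(header, key):
    # Pull e.g. "pass" out of "compauth=pass reason=109" in Authentication-Results.
    m = re.search(r"\b%s=(\w+)" % re.escape(key), header or "")
    return m.group(1).lower() if m else "none"

def triage(raw, accepted_domains):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    spf = (msg.get("Received-SPF", "") or "none").split(None, 1)[0].lower()
    ar = msg.get("Authentication-Results", "")
    ind = {
        "sender_equals_recipient": bool(sender) and sender == recipient,
        "spf_not_pass": spf in WEAK_SPF,
        "dmarc_fail": auth_result(ar, "dmarc") == "fail",
        "compauth": auth_result(ar, "compauth"),
        "auth_as_anonymous": msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "anonymous",
        "from_accepted_domain": sender.rpartition("@")[2] in accepted_domains,
    }
    # The mail flow rule from the thread: weak SPF and a From in one of our accepted domains.
    ind["rule_would_quarantine"] = ind["spf_not_pass"] and ind["from_accepted_domain"]
    # The OP's strongest tell: recipient equals sender and the message authenticated as Anonymous.
    ind["likely_direct_send_spoof"] = ind["sender_equals_recipient"] and ind["auth_as_anonymous"]
    return ind
```

Run it over the headers of a quarantined sample and an exported legitimate one from the same tenant before turning on RejectDirectSend; anything flagged `from_accepted_domain` with `auth_as_anonymous` is the traffic that will need a connector afterwards.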