Over the past few weeks, we’ve had a steady stream of calls from clients asking the same question: “Why am I getting spam and phishing emails that look like they were sent from me, or from someone else inside my own company?” If you’ve seen this in your inbox too, you are definitely not alone — it’s happening across our entire client base and is being reported industry-wide.
Here’s what’s going on, in plain English.
What’s Actually Happening
Attackers have figured out how to abuse a built-in feature of Microsoft 365 to send email that looks like it came from inside your company — even when no one’s mailbox has actually been broken into, no password has been stolen, and no account has been compromised.
They’re using a quirk in how Microsoft 365 accepts certain kinds of internal email to slip right past the usual spam filters and the “this message is from outside your organization” warning banner. That’s why these emails feel so convincing. They don’t look like normal phishing. They look like a message from your boss, your accountant, or yourself.
What to Watch For
Be extra cautious this month. A few things to keep in mind:
- If an email feels off — even if it appears to come from a colleague, your boss, or an internal system — slow down before you click.
- Don’t click links or open attachments in unexpected messages, even ones that look internal.
- Never enter your password on a page you reached by clicking an email link. Go to the service directly in your browser instead.
- Don’t approve any sign-in prompt on your phone that you didn’t personally start.
- When in doubt, forward the message to our team and we’ll take a look.
What We’re Doing About It
On the back end, we’re reviewing each client tenant’s email settings, tightening spoofing and authentication protections, and enabling Microsoft’s newly released controls that specifically shut this abuse down. If we identify anything on your tenant that needs your attention, we’ll reach out directly.
This is fixable, and Microsoft has already released the tools to block it. The bad news is that until every Microsoft 365 tenant on the internet turns those tools on, the spam wave is going to continue for a while.
Why This Is Happening
For clients and IT staff who want the under-the-hood explanation, here’s the short version.
Microsoft 365 has a feature called Direct Send, accessible at tenant-name.mail.protection.outlook.com. It was designed to let unauthenticated devices inside an organization — multifunction printers, scanners, line-of-business apps, and the like — relay mail to internal recipients without having to log in with a mailbox account.
The problem is that Direct Send doesn’t require authentication at all. If an attacker knows a valid recipient address at your domain and the tenant’s Direct Send hostname (both of which are trivial to discover), they can hand Microsoft a message with From: user@yourdomain.com and To: user@yourdomain.com, and Microsoft’s own infrastructure will deliver it to the inbox. Because the message arrives from Microsoft’s own servers and appears internal, it bypasses many secure email gateways, skips the “external sender” banner, and often sails past the SPF/DKIM/DMARC enforcement that would otherwise catch a spoofed message.
Microsoft has now published a “Reject Direct Send” setting in Exchange Online (currently in public preview) that lets tenant admins turn the feature off entirely if they don’t need it — and for most small and mid-size businesses, they don’t. Combined with a hardened DMARC policy (p=reject), SPF set to -all, and MX records pointing directly at Exchange Online Protection, this closes the door on the current wave of abuse.
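As an added example (not code from the original post), here is the kind of tenant audit our team runs to check the four controls just listed: the Reject Direct Send switch, SPF -all, DMARC p=reject, and MX pointing straight at Exchange Online Protection. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; yourdomain.com is a placeholder for one of the tenant’s accepted domains, and the RejectDirectSend parameter is the one Microsoft exposes on Set-OrganizationConfig.

```powershell
# Added example (not from the original post): audit one tenant for the Direct Send
# hardening described above. Requires the ExchangeOnlineManagement module and an
# Exchange Administrator role; run Resolve-DnsName from a host with external DNS.
param([string]$Domain = 'yourdomain.com')   # placeholder: one of the tenant's accepted domains

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tenant switch: Reject Direct Send (public preview at the time of writing).
$org = Get-OrganizationConfig
if ($org.RejectDirectSend -eq $true) {
    Write-Host "OK   RejectDirectSend is enabled"
} else {
    $findings.Add("RejectDirectSend is off: unauthenticated mail to the tenant's MX host is accepted as internal")
    # Enable only after confirming no printer, scanner or LOB app still relays via Direct Send:
    #   Set-OrganizationConfig -RejectDirectSend $true
}

# 2. SPF must end in a hard fail (-all), not ~all or ?all.
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
       ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
if ($spf -match '\s-all\s*$') { Write-Host "OK   SPF: $spf" }
else { $findings.Add("SPF is missing or not -all: '$spf'") }

# 3. DMARC must be p=reject so a spoofed From: header is refused, not just tagged.
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
         ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
if ($dmarc -match '(^|;)\s*p=reject') { Write-Host "OK   DMARC: $dmarc" }
else { $findings.Add("DMARC policy is missing or weaker than p=reject: '$dmarc'") }

# 4. MX should point straight at Exchange Online Protection; a third-party gateway
#    in front of EOP is exactly the filter that Direct Send mail walks around.
$mx = (Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue).NameExchange
if ($mx -and @($mx | Where-Object { $_ -notlike '*.mail.protection.outlook.com' }).Count -eq 0) {
    Write-Host "OK   MX: $($mx -join ', ')"
} else { $findings.Add("MX not pointed directly at EOP: $($mx -join ', ')") }

Disconnect-ExchangeOnline -Confirm:$false

if ($findings.Count -eq 0) { Write-Host "Tenant $Domain passes the Direct Send hardening checks" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The RejectDirectSend change is left commented out on purpose: flip it only after the devices and apps that relay through Direct Send have been moved to an authenticated connector or SMTP AUTH.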
Need Help?
If you’re seeing this in your inbox, or if you’re an organization that isn’t currently a client but wants someone to audit your Microsoft 365 tenant and lock this down, reach out to our team. We’re actively helping clients through this across the board and we’re happy to take a look at your environment.