Threat Intel: Microsoft 365 Direct Send Phishing Attack Targets UK SMEs – Email Security Alert

Gibraltar: Wednesday 02 July 2025 at 11:00 CET

By: Iain Fraser, Cybersecurity Journalist
Published in Collaboration with: Nord VPN
SMECyberInsights.co.uk – First for SME Cybersecurity

Executive Summary

A sophisticated new phishing campaign exploiting Microsoft 365’s Direct Send feature has successfully targeted over 70 organisations since May 2025, with attackers using this built-in Microsoft function to bypass traditional email security measures. This represents a critical threat to UK SMEs relying on Microsoft 365 for business communications.

The Threat: What UK SMEs Need to Know

Cybercriminals are exploiting Microsoft 365’s Direct Send function to send highly targeted, extremely convincing phishing emails that bypass current cybersecurity protocols. The technique lets attackers impersonate internal employees without ever compromising a single account.

How the Attack Works

Direct Send Exploitation: Attackers abuse Microsoft 365’s Direct Send feature, which was originally designed to let devices such as printers send email without authentication. By exploiting this legitimate function, cybercriminals can:

* Spoof internal users without needing login credentials
* Bypass email security filters that typically catch external phishing attempts
* Appear as trusted internal communications to unsuspecting staff
* Harvest credentials through convincing fake Microsoft login pages

The Scale and Scope

The campaign started in May 2025, with over 95% of the targeted companies based in the United States, but security experts warn this technique will rapidly spread to target UK organisations. Over 90% of identified targets operate within Financial Services, Construction, Engineering, Manufacturing, and Healthcare – sectors heavily represented in the UK SME market.

Immediate Risk to UK SMEs

Why SMEs Are Particularly Vulnerable

1. Limited Security Resources: Unlike large enterprises, SMEs often lack dedicated Cybersecurity teams to identify sophisticated internal spoofing attempts

2. Microsoft 365 Dependency: Most UK SMEs rely heavily on Microsoft 365, making this attack vector particularly effective

3. Trust-Based Security: SMEs typically trust internal communications more readily, making employee education critical

Attack Indicators for UK Businesses

Warning Signs to Watch For:

* Unexpected emails from colleagues requesting urgent credential verification
* Internal communications directing to external Microsoft login pages
* Emails with unusual urgency requesting immediate action on security matters
* Messages from IT staff you don’t recognise asking for password resets

Immediate Actions for UK SMEs

Critical Security Measures (Implement Today)

1. Disable Direct Send Feature

* Access Exchange Admin Center
* Navigate to mail flow settings
* Enable “Reject Direct Send” immediately

2. Strengthen Email Authentication

* Implement strict DMARC policy with p=reject setting
* Enforce “SPF hardfail” within Exchange settings
* Flag unauthenticated internal emails for review or quarantine

3. Employee Education Protocol

* Brief all staff on internal email spoofing risks
* Establish verification procedures for credential requests
* Create clear escalation paths for suspicious internal communications
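
The "flag unauthenticated internal emails" measure in step 2 can be prototyped offline against exported messages before it is turned into a mail flow rule. The Python script below is an added example, not code from Microsoft or from this article's sources; the domain example.co.uk, the sample messages and the rule that an internal From address must show dmarc=pass are assumptions to adapt to your own tenant.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: replace with the accepted domains of your own tenant.
INTERNAL_DOMAINS = {"example.co.uk"}

def auth_verdicts(msg):
    """Parse spf/dkim/dmarc results from the topmost Authentication-Results
    header (assumed to be the one stamped by the receiving mail service)."""
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return None
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(headers[0]), re.I)
    return {method.lower(): result.lower() for method, result in pairs}

def triage(raw_message):
    """Return 'external', 'ok', 'review' or 'quarantine' for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return "external"      # normal inbound filtering applies
    verdicts = auth_verdicts(msg)
    if verdicts is None:
        return "review"        # internal From, but nothing vouches for it
    if verdicts.get("dmarc") == "pass":
        return "ok"
    return "quarantine"        # internal From that failed authentication

# Constructed sample messages (not taken from the campaign).
SPOOFED = (
    "Authentication-Results: spf=softfail smtp.mailfrom=example.co.uk;"
    " dkim=none header.d=none; dmarc=fail header.from=example.co.uk\n"
    "From: IT Helpdesk <helpdesk@example.co.uk>\n"
    "To: j.smith@example.co.uk\n"
    "Subject: Urgent: verify your password\n\nbody\n"
)
GENUINE = (SPOOFED.replace("spf=softfail", "spf=pass")
           .replace("dkim=none header.d=none", "dkim=pass header.d=example.co.uk")
           .replace("dmarc=fail", "dmarc=pass"))
UNSTAMPED = SPOOFED.split("\n", 1)[1]   # same mail without the auth header
EXTERNAL = SPOOFED.replace("helpdesk@example.co.uk", "sales@supplier.example")

if __name__ == "__main__":
    for name in ("SPOOFED", "GENUINE", "UNSTAMPED", "EXTERNAL"):
        print(f"{name:10} -> {triage(globals()[name])}")
```

Run it over a sample of real messages first: legitimate devices and applications that send as your domain without authentication will land in "review" or "quarantine" and need to be moved to an authenticated path before any blocking rule goes live.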

Advanced Protection Strategies

For SMEs with IT Resources:

* Deploy advanced email security solutions beyond Microsoft’s native protection
* Implement zero-trust email verification policies
* Configure enhanced logging for all internal email communications
* Regular security awareness training focusing on internal threat scenarios

For SMEs Using Managed IT Services:

* Immediately contact your IT provider to assess Direct Send configuration
* Request emergency security review of current email authentication settings
* Ensure your managed service provider monitors for this specific attack vector

The Business Impact

Financial Risk Assessment

* Average phishing attack cost: £3,230 per incident for UK SMEs
* Credential compromise: Can lead to complete system access and data theft
* Regulatory implications: GDPR fines for data breaches starting at 4% of annual turnover
* Business disruption: Complete operational shutdown while addressing breaches

Reputation and Client Trust

Internal email compromise can severely damage client confidence, as customers lose trust in businesses that cannot protect basic communications.

Long-Term Security Strategy

Building Resilience Against Evolving Threats

Proactive Measures:

* Regular security audits of Microsoft 365 configurations
* Continuous monitoring of new Microsoft feature releases for security implications
* Investment in cybersecurity insurance covering social engineering attacks
* Development of incident response procedures specific to internal spoofing

Compliance Considerations: UK SMEs must consider how this vulnerability affects compliance with Cyber Essentials, ISO 27001, and sector-specific regulations. The ability for attackers to bypass email security using legitimate Microsoft features may require additional compensating controls.

Industry-Specific Implications

High-Risk Sectors in the UK

* Financial Services: Enhanced due diligence required given regulatory oversight
* Healthcare: Patient data protection concerns under GDPR and Data Protection Act
* Construction/Engineering: Project data and client information vulnerability
* Manufacturing: Supply chain security implications

Conclusion and Next Steps

This Microsoft 365 Direct Send exploitation represents a paradigm shift in phishing attacks – moving from external threats to internal spoofing using legitimate platform features. UK SMEs cannot rely solely on traditional email security measures.

Immediate Actions Required:

1. Disable Direct Send feature today

2. Implement enhanced email authentication

3. Brief all staff on internal spoofing risks

4. Review and update incident response procedures

Remember: This attack succeeds because it exploits trust in internal communications. The best technical defences must be combined with employee awareness and verification procedures.
