Printers and scanners are increasingly becoming ways for cyber crooks to deliver phishing attacks, thanks to a flaw in the Microsoft 365 Direct Send feature.
The Varonis forensics team has uncovered an exploit which allows internal devices such as printers to send emails without authentication. The vulnerability has been used to target more than 70 organizations, predominantly in the US, with threat actors spoofing internal users and delivering phishing emails without needing to compromise any accounts whatsoever.
The campaign has been successful because emails sent from within Microsoft 365 (M365) undergo less scrutiny than standard inbound email.
“This discovery underscores a classic case of functionality versus security,” said Ensar Seker, CISO at SOCRadar. “Microsoft 365’s Direct Send feature is designed for convenience, allowing devices like printers or scanners to send emails without authentication, but that very design opens a door for abuse when misconfigured or misunderstood.”
Spoofing made ‘remarkably easy’
M365 Direct Send is intended for internal use only, but it’s easy for hackers to access because no authentication is required. Attackers don’t need credentials, tokens, or even access to the tenant; they just need a few publicly available details and a talent for guessing.
This is because Direct Send uses a smart host with a predictable format, tenantname.mail.protection.outlook.com, and companies’ internal email address formats are often trivial to work out or easy to scrape from public sources or social media. Once an attacker has the domain and a valid email address, they are able to send emails that appear to come from inside the organization.
In the campaign observed by Varonis’ forensics experts, the attacker used PowerShell to send emails that were designed to resemble voicemail notifications which included a PDF attachment with a QR code that redirected users to a site designed to harvest M365 credentials.
Varonis’ researchers pointed out that the campaign works because no logins or credentials are required, the smart host accepts emails from any external source, the “from” address can be spoofed to be any internal user, and the only requirement is that the recipient is internal to the client organization.
Further, because it is routed through Microsoft infrastructure and seems to be coming from within the organization, the email bypasses traditional security controls, including Microsoft’s own filtering mechanisms which treat it as internal-to-internal, or third-party tools that flag suspicious messages based on authentication, routing patterns, or sender reputation.
“The challenge is that many organizations either leave default settings unchanged or fail to restrict sender permissions, making spoofing from internal-looking sources remarkably easy,” said Seker.
David Shipley of Beauceron Security called this vulnerability a classic case of “own gun, own foot” and noted that it “doesn’t exactly fit” Microsoft’s Secure Futures Initiative, the company’s campaign to continuously secure itself and its customers.
“This kind of cleverness is the direct result of the email security cat and mouse game,” said Shipley. As more organizations adopt security features like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM), and invest in email filters, regular spoofing gets much harder.
It’s essentially low-hanging fruit for criminals, he added, and “anyone using [Direct Send] should revisit it yesterday now that this report is out.”
What to look for
To determine whether there’s been abuse, Varonis researchers advise investigating message headers and behavioral signals. Message header indicators include messages delivered to the smart host from external IP addresses, or SPF, DKIM, or DMARC failures for internal domains. Also, the “X-MS-Exchange-CrossTenant-Id” header should match the organization’s tenant ID.
Behavioral indicators could include emails sent from users to themselves; unusual IP addresses; suspicious attachments or filenames; and PowerShell or other command-line user agents.
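As an added illustration of the header and behavioral checks listed above (this is not code from the article or from Varonis), the following Python function scores a raw message against those indicators. The tenant domain, tenant ID, permitted device IP range and the sample headers are constructed placeholders, not values from the article.

```python
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample headers resembling the campaign described above (not a real capture).
SAMPLE = """\
Received: from mail.example.net (203.0.113.45) by contoso.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=oreject header.from=contoso.com
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555
X-Mailer: Microsoft.PowerShell
From: alice@contoso.com
To: alice@contoso.com
"""

# Assumed tenant values (placeholders chosen for this example, not from the article).
INTERNAL_DOMAIN = "contoso.com"
EXPECTED_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALLOWED_SENDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # printer/scanner range

def direct_send_indicators(raw: str) -> list[str]:
    """Return the header and behavioral indicators from the article that match a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # 1. Connecting IP in the first Received hop lies outside the permitted device ranges.
    received = msg.get_all("Received", [])
    m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", received[0]) if received else None
    if m and not any(ipaddress.ip_address(m.group(1)) in n for n in ALLOWED_SENDER_NETS):
        hits.append(f"external sender IP {m.group(1)}")
    # 2. SPF/DKIM/DMARC failure (or absence) for the internal domain.
    auth = (msg.get("Authentication-Results") or "").lower()
    if INTERNAL_DOMAIN in auth:
        for mech in ("spf", "dkim", "dmarc"):
            if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
                hits.append(f"{mech} failure for {INTERNAL_DOMAIN}")
    # 3. Cross-tenant id that does not match our own tenant.
    tenant = msg.get("X-MS-Exchange-CrossTenant-Id")
    if tenant and tenant.strip().lower() != EXPECTED_TENANT_ID:
        hits.append("cross-tenant id mismatch")
    # 4. Self-addressed mail and command-line mailers (header name depends on the sending tool).
    sender, rcpt = (msg.get("From") or "").lower(), (msg.get("To") or "").lower()
    if sender and sender == rcpt:
        hits.append("sent from user to self")
    agent = ((msg.get("X-Mailer") or "") + " " + (msg.get("User-Agent") or "")).lower()
    if any(a in agent for a in ("powershell", "curl", "python")):
        hits.append("command-line mailer")
    return hits
```

Running it over exported message headers (for example from a mail trace) gives a per-message list of which indicators fired; an empty list means none of the listed signals were present.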
Microsoft has said it is working to disable Direct Send by default. Customers can also restrict their SPF record to a static IP address to prevent Direct Send abuse, though Microsoft does not require this.
To be proactive, the Varonis researchers urge IT leaders to:
Implement strict DMARC and anti-spoofing policies.
Flag unauthenticated internal emails for review.
Enforce “SPF hardfail” in Exchange Online Protection (EOP).
Enable “Reject Direct Send” in the Exchange Admin Center.
Educate users on the risks associated with Quishing (QR code) attacks.
Treat network-connected devices as ‘fully-fledged endpoints’
Seker noted that configuring Direct Send securely requires narrowing down IP ranges allowed to use it, implementing strict SMTP relay restrictions, and monitoring for anomalies like devices sending to distribution lists or external domains. It’s also critical to pair these techniques with strong SPF, DKIM, and DMARC enforcement, which is something many enterprises overlook.
Spam and phishing campaigns from scanners and printers are becoming more common because “they blend in,” Seker said. “Employees are used to seeing scanned document notifications and rarely question their authenticity.” To combat this, organizations should treat network-connected devices as “fully-fledged endpoints,” complete with segmentation, logging, and behavioral baselines to detect misuse.
Ultimately, it comes down to a visibility problem, said Seker.
“If you don’t know what your devices are capable of, or what they’re allowed to do, you can’t defend against it,” he said. “The Direct Send abuse is just another reminder that attackers don’t need zero-days when misconfigurations are everywhere.”
Still, Roger Grimes, data-driven defense evangelist at KnowBe4, pointed out that, while these types of campaigns exploiting devices are becoming more common, they’re not rampant.
“We’ve been worrying about printers, copiers, scanners, and now other IoT devices being used by hackers to do bad things for decades,” he said. “And what history has shown is that, although it can be done in certain scenarios, it never becomes super popular.”
This is mostly because tactics already in use by hackers and scammers are working quite well. “There’s no need to do something different or harder to pull off when the current methods are making scammers rich,” he said.