OceanVertical

Are you getting phishing emails from yourself?


Have you ever received an email from yourself or another co-worker that seemed a bit... phishy?


Over the past 2 weeks we've seen a huge spike in direct-send abuse among clients using Microsoft 365. It's a phishing technique where bad guys use a legitimate Microsoft 365 feature to send emails that look 100% like they're coming from inside your company. It's particularly bad because these messages bypass all email spam filters and go right into inboxes.


You may be wondering, why the heck does Microsoft have this turned on by default?


And that's a valid question. It's because there are a lot of multifunction printers, copiers and custom-built apps that need to send emails to internal accounts without a username or password. What we've seen these past few weeks are bad actors sending emails with prompts to review a "Docusign" document or other documents that require a code to view.


These emails are an example of a device code phishing attack. If you or someone at your company enters the code from the email, the threat actor will gain access to your account without needing a username, password or MFA code. 😬


The Takeaway


If you don't need direct-send in your environment then here's how to secure your Microsoft 365 account. I recommend you do this as soon as possible.


  1. Disable Microsoft Direct-Send. Use the Exchange Online PowerShell v3 module and set RejectDirectSend to true.

  2. Disable Device Code Flows. They're designed for devices without local input such as smart TVs, streaming sticks, game consoles, digital signage players and IoT devices. But threat actors abuse them to gain unauthorized access to accounts, bypassing username, password, and MFA entirely. I strongly recommend disabling them if you don't need them on. Here's how.

  3. Educate Your Users. Remind users to be suspicious of emails appearing to come from their own address. Legitimate services will not ask for authentication codes delivered this way.
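Here's what steps 1 and 2 look like as a single PowerShell script. This is an added example, not code from the post above; it assumes the ExchangeOnlineManagement (v3) and Microsoft.Graph modules are installed, the account running it holds Exchange Administrator and Conditional Access Administrator rights, and the policy name "Block device code flow" is just a placeholder.

```powershell
# Added example: tenant hardening against direct-send and device code phishing.
# Assumes ExchangeOnlineManagement v3 + Microsoft.Graph modules and admin rights.

# --- Step 1: reject Direct Send at the tenant level (Exchange Online) ---
Connect-ExchangeOnline

# Record the current setting before changing anything, so you can roll back
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before: $before"

# Flip the switch. Printers/apps that relied on Direct Send will start failing,
# so inventory those first (message trace is a good place to look).
Set-OrganizationConfig -RejectDirectSend $true

# Verify the change actually took effect
if ((Get-OrganizationConfig).RejectDirectSend) {
    Write-Host "Direct Send is now rejected for this tenant."
} else {
    Write-Warning "RejectDirectSend is still false; check your permissions."
}

# --- Step 2: block device code flow with a Conditional Access policy (Entra) ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block device code flow"                # placeholder name
    # Start in report-only so you can spot legitimate device-code users
    # (signage, conference-room gear) in sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"     # then set to "enabled"
    conditions  = @{
        users               = @{ includeUsers = @("All") }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Once the sign-in logs show no legitimate device code flow usage, update the policy's state to "enabled" to enforce the block.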


If you get stuck or need help getting this locked down in your Microsoft 365 environment, feel free to reach out. We can help.


Stay safe out there.


-Attila

New Friday Funnies!

Why didn't the email subject line go to the party?

It had no body to go with.


What kind of people hate SPAM emails more than anyone else?

Vegetarians.


Why do you have to use email to communicate with flat earthers?

You can't reach them with fax.


How do pirates sign off their email?

Regaaaaarrds!


Who is the patron saint of emails?

St. Francis of a CC


6 was afraid of 7 because 7, 8, 9, but why did 7 eat 9?

Because you're supposed to eat 3 squared meals a day.
