October 29, 2025

Investigating Microsoft 365 Direct Send Abuse: When Convenience Becomes a Vulnerability

Microsoft 365 Exchange Online's Direct Send feature is being abused by threat actors for phishing and business email compromise campaigns. The feature exists for legitimate operational reasons: it lets devices and applications deliver mail to a tenant's mailboxes through the tenant's MX endpoint without authenticating. That same path sidesteps the protection that SPF, DKIM and DMARC normally provide, so adversaries can deliver spoofed messages that appear to originate from trusted internal senders. The primary challenge isn't detection but investigation complexity. Security operations teams face extensive context switching across Office 365, identity providers, EDR systems and network infrastructure, often spending 90+ minutes per incident, and traditional SIEM platforms struggle with these cross-system investigations, particularly for analysts without specialized Exchange Online expertise. Command Zero's Custom Questions feature cuts Direct Send investigations from hours to minutes by codifying expert investigative knowledge into automated workflows. This lets tier-2 analysts conduct comprehensive investigations spanning email routing, identity context and endpoint telemetry without manual correlation, turning an investigation bottleneck into an organizational strength while building institutional knowledge for long-term security resilience.

Eric Hulse
Director of Security Research

Introduction

Over the years I've witnessed countless examples of legitimate operational features being weaponized by threat actors. The latest trend reported by Cisco Talos—the abuse of Microsoft 365 Exchange Online's Direct Send feature—is a textbook case of this pattern. What makes this particularly concerning isn't just the technical exploitation itself, but the investigative complexity it creates for security operations teams.

Cisco Talos recently published research detailing increased malicious activity leveraging Direct Send for phishing and business email compromise campaigns. Multiple security vendors including Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, and Mimecast have independently confirmed similar findings. We've observed the same pattern across Command Zero's customer base, and what we're seeing validates a critical challenge: the investigation bottleneck isn't about detecting these attacks—it's about rapidly understanding their scope and impact across complex enterprise environments.

The Direct Send Problem: More Than Just Email

For those unfamiliar with the technical details, Direct Send is a Microsoft 365 feature designed to solve a legitimate operational challenge. Legacy devices such as multifunction printers, scanners and older line-of-business applications can't authenticate using modern standards, so Direct Send lets them deliver mail by connecting over SMTP to the tenant's MX endpoint (the host ending in mail.protection.outlook.com) with no credentials at all; the only restriction is that such messages can be addressed to recipients in the tenant's own domains. It's operationally convenient, which is precisely why it exists.

The fundamental weakness is that Direct Send is exempt from the sender verification that normally protects email recipients. Three mechanisms do that work: DomainKeys Identified Mail (DKIM) provides cryptographic signature verification of the message, Sender Policy Framework (SPF) lists the IP ranges authorized to send for a domain, and Domain-based Message Authentication, Reporting and Conformance (DMARC) tells receivers how to handle mail that fails the other two. On the Direct Send path these checks do not gate delivery: a message that claims an internal sender address is accepted on the MX endpoint without any proof that the claim is true, reaches the recipient unchallenged and appears to originate from a trusted internal source.

Adversaries have recognized this opportunity and are exploiting it systematically. They're emulating device or application traffic to send unauthenticated messages that bypass content filters and domain verification protocols. Recent campaigns have embedded QR codes within PDFs, crafted empty-body messages with obfuscated attachments, and successfully directed victims to credential harvesting pages—all while appearing to come from legitimate internal systems.

The Investigation Challenge: Context Switching at Scale

The technical exploitation is concerning, but what keeps me up at night is the investigative burden this places on security operations teams. Consider the analyst workflow when a Direct Send abuse alert fires:

First, they need to examine the email itself in Office 365—was it actually delivered? Who sent it? Who received it? This is where things get immediately confusing. The message appears to have been sent from the user to themselves. The analyst double-checks the headers, validates the sender address—it all looks legitimate. DKIM passed. SPF passed. The email came from an internal account and went to that same internal account.

The natural investigative path at this point is to assume account compromise. After all, why else would a user be sending themselves suspicious emails with authentication passing? The analyst pivots to identity providers like Entra ID or Okta to investigate the compromise theory—has this account exhibited risky sign-in behavior? Are there failed authentication attempts? Geographic anomalies? New device enrollments? They're building a timeline of potential breach activity.

But then the questions start not adding up. Why would an attacker compromise an account just to phish that same account? That makes no operational sense from a threat actor perspective. The analyst circles back to EDR investigation—did this user click the malicious link in the email they supposedly sent themselves? Are there indicators of compromise on their endpoint? The investigation path branches in multiple directions, each requiring context switching between different consoles while trying to maintain the thread of logic.

This is the constant context switching problem that affects all our customers regardless of their size or industry, but Direct Send abuse adds a layer of investigative confusion that compounds the challenge. During a recent customer engagement, we spent a great deal of time reviewing the verdicts from several seemingly related cases investigating what initially appeared to be a compromised account sending phishing emails. Using the platform we reviewed Office 365 logs, investigated authentication patterns in Entra ID, examined endpoint activity in their EDR, and were building a case for incident escalation—only to eventually discover it was Direct Send abuse, not account compromise at all.
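A header triage that settles the question on the first pivot, as an added example that is not part of the original post and is not Command Zero's product code. It is plain Python over constructed messages: the tenant domain, the device allowlist, the SPF record and every header value are assumptions made up for the example. It reads the Received hop that entered the Exchange Online Protection MX endpoint, the X-MS-Exchange-Organization-AuthAs value (Anonymous for an unauthenticated submission, Internal for mail submitted by an authenticated session), and the Authentication-Results verdicts, then checks the connecting IP against the inventoried devices and the SPF record's ip4/ip6 ranges (include: mechanisms need DNS, so they are reported as unresolved). Whatever the spf and dkim verdicts read in a given message, the decisive signals are the submission path and the source address, which is also the point of the authentication discussion earlier in the article.

```python
"""Triage an Exchange Online message for Direct Send indicators.

Added example (not Command Zero code): given a raw message, find the hop that
entered the tenant's MX endpoint, read the Exchange authentication headers and
decide whether "user emailed themselves" is an unauthenticated Direct Send
submission or an authenticated internal submission that actually warrants an
account-compromise investigation.  All tenant facts below are constructed.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

ACCEPTED_DOMAINS = {"contoso.com"}                 # assumption: the tenant's domains
KNOWN_DEVICE_IPS = {"203.0.113.10"}                # assumption: inventoried printers/apps
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"

MX_SUFFIX = ".mail.protection.outlook.com"         # EOP inbound MX hosts end with this
RECEIVED_RE = re.compile(r"from\s+\S+\s*\(\[?([0-9a-fA-F.:]+)\]?\)\s+by\s+(\S+)", re.I)


def build_direct_send_sample(connecting_ip, spf="fail"):
    """Constructed message as it would look after entering the MX from
    `connecting_ip` with no authenticated submission (illustrative values)."""
    return (
        f"Received: from unknown ({connecting_ip}) by\n"
        " BN8NAM12FT022.mail.protection.outlook.com (10.13.182.5) with Microsoft SMTP\n"
        " Server id 15.20.9000.1 via Frontend Transport; Wed, 29 Oct 2025 14:02:11 +0000\n"
        f"Authentication-Results: spf={spf} (sender IP is {connecting_ip})\n"
        " smtp.mailfrom=contoso.com; dkim=none (message not signed)\n"
        " header.d=none;dmarc=fail action=none header.from=contoso.com;compauth=none\n"
        "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
        "From: alice@contoso.com\nTo: alice@contoso.com\n"
        "Subject: Scanned document\nMessage-ID: <example-1@contoso.com>\n\nSee attached.\n"
    ).encode()


# Constructed: the same "to myself" message, but submitted by an authenticated session.
SAMPLE_AUTHENTICATED = (
    "Received: from SJ0PR00MB0001.namprd00.prod.outlook.com (2603:10b6:a03:1::1) by\n"
    " SJ0PR00MB0002.namprd00.prod.outlook.com with HTTPS; Wed, 29 Oct 2025 14:05:00 +0000\n"
    "X-MS-Exchange-Organization-AuthSource: SJ0PR00MB0001.namprd00.prod.outlook.com\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "From: alice@contoso.com\nTo: alice@contoso.com\n"
    "Subject: note to self\nMessage-ID: <example-2@contoso.com>\n\nReminder.\n"
).encode()


def spf_networks(record):
    """Return (networks listed directly as ip4:/ip6:, mechanisms needing DNS)."""
    nets, unresolved = [], []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif mech != "all":
            unresolved.append(mech)
    return nets, unresolved


def entry_hop(msg):
    """(connecting_ip, receiving_host) for the Received line written by the
    tenant MX, or None if the message never crossed it."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", received))
        if m and m.group(2).lower().endswith(MX_SUFFIX):
            return m.group(1), m.group(2)
    return None


def triage(raw, accepted_domains=ACCEPTED_DOMAINS, known_device_ips=KNOWN_DEVICE_IPS,
           spf_record=SPF_RECORD):
    msg = email.message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)",
                              msg.get("Authentication-Results", "")))
    hop = entry_hop(msg)
    findings = {"sender": sender, "auth_as": auth_as, "auth_results": results,
                "connecting_ip": hop[0] if hop else None}
    if sender.rsplit("@", 1)[-1] not in accepted_domains:
        findings["verdict"] = "external_sender"
    elif auth_as == "internal":
        # Authenticated mailbox/session submitted it: the compromise hypothesis
        # (sign-ins, MFA changes, inbox rules) is the right one to pursue.
        findings["verdict"] = "authenticated_internal"
    elif auth_as != "anonymous" or hop is None:
        findings["verdict"] = "unclassified"
    else:
        # Internal sender address, no authenticated submission, entered via the MX:
        # the Direct Send shape.  Decide whether the source is one of ours.
        ip = ipaddress.ip_address(hop[0])
        nets, unresolved = spf_networks(spf_record)
        findings["in_spf_ip_ranges"] = any(ip in n for n in nets)
        findings["spf_unresolved"] = unresolved
        findings["known_device"] = hop[0] in known_device_ips
        findings["verdict"] = ("direct_send_known_device" if findings["known_device"]
                               else "direct_send_suspect")
    return findings


if __name__ == "__main__":
    for raw in (build_direct_send_sample("198.51.100.23"), SAMPLE_AUTHENTICATED):
        print(triage(raw))
```

The verdict maps directly onto the two investigation paths described above: authenticated_internal sends the analyst to the identity provider, direct_send_suspect sends them to the source IP and the recipients instead. Treat the header names as a starting point and confirm them against messages in your own tenant; EOP also writes ARC-Authentication-Results and Authentication-Results-Original, which this example ignores.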

Why Current Investigation Approaches Fall Short

Microsoft has responded by introducing a Public Preview of the RejectDirectSend control, a tenant-wide setting on the Exchange Online organization configuration that refuses unauthenticated Direct Send submissions, and has announced future enhancements including Direct Send-specific usage reports and a default-off configuration for new tenants. These are positive steps that address the weakness at the platform level.

However, the challenge for security operations teams isn't just about having the right controls in place—it's about effectively investigating incidents when those controls fail or when organizations can't immediately disable Direct Send due to legitimate business dependencies. The Talos research outlines solid defensive measures: disabling or restricting Direct Send where feasible, inventorying current reliance, migrating devices to authenticated SMTP, and enabling stricter monitoring. But implementing these recommendations requires investigative work to understand current state, validate legitimate use cases, and identify anomalous activity.

Traditional SIEM and SOAR platforms struggle with these investigations because they assume the analyst already knows exactly which questions to ask and how to correlate data across systems. They also assume the relevant data has been ingested into the SIEM at all. A junior analyst facing their first Direct Send abuse case may not understand the nuances of SMTP relay configurations, SPF record analysis, or the relationship between Exchange connectors and internal device inventories. Even experienced analysts face the burden of manually constructing complex queries across multiple data sources while maintaining the investigative thread.

The reality is that most organizations lack the specialized expertise to rapidly investigate email-based attacks that span identity systems, email platforms, endpoint security tools, and network infrastructure. When Steve is the only person who understands the organization's email routing architecture, what happens when Steve is unavailable during an active incident?

Transforming Direct Send Investigations with Expert Questions on Command Zero

This is where Command Zero's recently announced Custom Questions feature directly addresses the Direct Send investigation challenge. Custom Questions enables security teams to codify expert investigative knowledge while unlocking support for unlimited custom data sources, creating repeatable investigation workflows that empower analysts at all levels.

Let me walk through how this transforms the Direct Send abuse investigation in practice.

When an alert fires for suspicious internal email activity, analysts can leverage Command Zero's expert question sets that automatically correlate data across Office 365, identity providers, EDR systems, and network infrastructure. Instead of manually context-switching between consoles, the platform asks the right questions in sequence based on decades of incident response knowledge encoded into the investigation workflow.

For example, the investigation might begin with fundamental questions: What was the source IP of this message? Is this IP associated with a known internal device? What other messages has this source sent recently? These baseline questions establish context that would normally require navigating Exchange Online's audit logs and cross-referencing with asset management databases.

The investigation then automatically pivots to identity context: Who are the recipients of this message? What access privileges do they have? Have any of these users exhibited risky sign-in behavior recently? What MFA methods are configured for these accounts? This correlation between email activity and identity posture happens seamlessly across Entra ID, Okta, or other identity providers without requiring the analyst to know the specific API calls or query syntax for each system.

If the investigation reveals user interaction with the malicious content, Command Zero's facet-based investigation framework automatically expands to endpoint analysis: Did any recipient devices show suspicious process execution? Are there indicators of credential harvesting? Has any unusual network activity been observed from these endpoints? The platform connects CrowdStrike, Microsoft Defender, or other EDR telemetry directly into the investigation timeline without manual correlation.
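What a codified question set computes, shown as an added illustration rather than Command Zero's implementation: the pivots described in the three paragraphs above run in sequence over constructed records standing in for a message trace, a device inventory, a role assignment list and an identity provider's sign-in log. Every record, field name and decision rule is an assumption made up for the example; it is plain Python and runs offline.

```python
"""Codified Direct Send investigation questions over constructed data sources.

Added example (not Command Zero code).  Starting from the alerting message ID it
answers, in order: what was the source IP and is it an inventoried device; what
else has that source sent; who received those messages and what privileges do
they hold; have any recipients shown a risky sign-in since delivery.  It then
returns the structured findings with a recommended next step.
"""

# Constructed message-trace style records (illustrative, not tenant data).
MESSAGE_TRACE = [
    {"id": "<m1@contoso.com>", "ts": "2025-10-29T14:02Z", "origin_ip": "198.51.100.23",
     "sender": "alice@contoso.com", "recipients": ["alice@contoso.com"],
     "auth_as": "Anonymous", "subject": "Scanned document"},
    {"id": "<m2@contoso.com>", "ts": "2025-10-29T14:03Z", "origin_ip": "198.51.100.23",
     "sender": "bob@contoso.com", "recipients": ["bob@contoso.com", "carol@contoso.com"],
     "auth_as": "Anonymous", "subject": "Scanned document"},
    {"id": "<m3@contoso.com>", "ts": "2025-10-29T09:10Z", "origin_ip": "203.0.113.10",
     "sender": "printer@contoso.com", "recipients": ["alice@contoso.com"],
     "auth_as": "Anonymous", "subject": "Scan from HQ-MFP-3"},
]
DEVICE_INVENTORY = {"203.0.113.10": "HQ-MFP-3 (multifunction printer)"}   # assumption
PRIVILEGED_ROLES = {"bob@contoso.com": ["Exchange Administrator"]}         # assumption
SIGN_INS = [                                                               # assumption
    {"user": "alice@contoso.com", "ts": "2025-10-29T13:50Z", "risk": "none", "country": "US"},
    {"user": "carol@contoso.com", "ts": "2025-10-29T14:20Z", "risk": "high", "country": "NL"},
]


def investigate(message_id, trace=MESSAGE_TRACE, devices=DEVICE_INVENTORY,
                roles=PRIVILEGED_ROLES, sign_ins=SIGN_INS):
    alert = next(m for m in trace if m["id"] == message_id)
    ip = alert["origin_ip"]
    # Q1: source IP, and is it a device we know uses Direct Send?
    known_device = devices.get(ip)
    # Q2: what else has that source sent, and which sender addresses did it use?
    from_source = [m for m in trace if m["origin_ip"] == ip]
    spoofed_senders = sorted({m["sender"] for m in from_source})
    # Q3: who received any of it, and which of them hold privileged roles?
    recipients = sorted({r for m in from_source for r in m["recipients"]})
    privileged = {r: roles[r] for r in recipients if r in roles}
    # Q4: risky sign-ins by any recipient since the first message from the source.
    # Timestamps share one ISO format, so string comparison orders them correctly.
    first_ts = min(m["ts"] for m in from_source)
    risky = [s for s in sign_ins
             if s["user"] in recipients and s["risk"] != "none" and s["ts"] >= first_ts]

    if alert["auth_as"].lower() != "anonymous":
        next_step = "authenticated submission: investigate the sending account, not Direct Send"
    elif known_device:
        next_step = f"matches inventoried device {known_device}: verify content, likely benign"
    elif risky:
        next_step = "escalate: spoofed Direct Send source and a post-delivery risky recipient sign-in; pivot to EDR"
    else:
        next_step = "contain: unknown Direct Send source spoofing internal senders; block it and check EDR for clicks"
    return {"origin_ip": ip, "known_device": known_device,
            "messages_from_source": len(from_source), "spoofed_senders": spoofed_senders,
            "recipients": recipients, "privileged_recipients": privileged,
            "risky_sign_ins": risky, "next_step": next_step}


if __name__ == "__main__":
    for mid in ("<m1@contoso.com>", "<m3@contoso.com>"):
        print(mid, investigate(mid)["next_step"])
```

The value of running the questions in a fixed order is that the branch point the narrative above describes (account compromise or not) is decided by the first two answers, before anyone opens the identity provider console; the later pivots only add scope and urgency.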

Real-World Impact: Get to Answers in Minutes, not Hours

The transformation in investigation speed is measurable. We recently worked with a customer investigating potential Direct Send abuse as part of a broader email security review. Using their traditional approach—manually checking Office 365 logs, pivoting to Entra ID, examining SPF records, and validating connector configurations—the investigation took approximately 90 minutes per suspicious message.

Using Command Zero's Custom Questions tailored specifically for Direct Send investigation, we reduced the same investigation to under 5 minutes. The analyst entered the message ID, executed a pre-built facet that incorporated expert questions about message routing, sender validation, recipient context, and historical patterns, and received a comprehensive timeline with automated verdict and impact assessment.

More importantly, this investigation was conducted by a tier-2 analyst without specialized Exchange Online expertise. The expert questions encoded the knowledge of how to validate Direct Send legitimacy, identify anomalous patterns, and correlate across systems—knowledge that would typically require years of experience to develop.

Looking Forward: Continuous Evolution of Threat Landscapes

Microsoft's introduction of the RejectDirectSend control and the security community's collective focus on this attack vector will likely drive adversaries to adapt their techniques. They always do. What won't change is the fundamental investigation challenge: rapidly understanding what happened, determining scope and impact, and making confident response decisions across complex enterprise environments.

As we continue to refine Command Zero's Custom Questions capability and expand our integration ecosystem, we're particularly focused on enabling organizations to build their own institutional knowledge. The Direct Send questions we've developed based on the Talos research and our customer observations become part of a shared knowledge base that the entire community benefits from through our GitHub repository.

For organizations currently grappling with Direct Send investigations—or any email-based attack that requires correlation across identity, messaging, and security systems—the strategic approach acknowledges that investigation complexity is the real bottleneck. The faster you can empower your entire team with expert-level investigative capabilities, the more effectively you can respond to evolving threats while building the institutional knowledge that makes your organization more resilient over time.

If you're interested in seeing how Command Zero's Custom Questions can transform your Direct Send investigations or other complex email security scenarios, I encourage you to book a demo with our team. We're happy to walk through specific investigation workflows tailored to your environment and show how encoded expert knowledge can turn investigation bottlenecks into organizational strengths.

