
It’s Not a Flaw, It’s by Design: Understanding Microsoft’s Security Trade-Offs

If you rely on Microsoft 365 to keep your business communications safe, there's a potential loophole you need to know about. It's not a misconfiguration. It's not a missed update.

It's a built-in loophole in Microsoft's email infrastructure, and it could be exposing your business to internal-looking email threats that never even touch your security filters.

What's the Risk with Direct Send?

Microsoft 365's "Direct Send" feature was designed to make things easier. It lets printers, scanners, and line-of-business applications deliver mail to your own mailboxes by connecting straight to your tenant's public MX endpoint, with no username, password, or connector required.

The problem? That same convenience creates a dangerous gap in your defenses.
Emails sent through Direct Send never pass through your Secure Email Gateway (SEG) or any other filter you have placed in front of your MX record. They are submitted straight to Microsoft's smart host for your tenant (the MX host, e.g., contoso-com.mail.protection.outlook.com) carrying a From: address in your own domain, so to the recipient they look internal even when they came from the open Internet. Exchange Online Protection still scans them, but it is the only layer that does.

Your SEG didn't fail. It never had a chance.

This is not a misstep on your part; it's a loophole in Microsoft's architecture. And it's being actively exploited.

Why Attackers Love This Loophole

To exploit this, all a threat actor needs is:

  • Your company's domain name (publicly available)
  • A single valid email address from your organization
  • Microsoft's SMTP smart host address (your tenant's MX host, which anyone can read from your domain's public DNS records)

With these three ingredients, they can send messages that look internal but are anything but—no credential theft, no malware, just clever misuse of Microsoft's infrastructure.

How to Close the Gap

1. Reject Unauthenticated Direct Send and Restrict Its Use

Microsoft now allows you to reject unauthenticated Direct Send at the tenant level, which closes the anonymous path entirely.

  • Use (Exchange Online PowerShell):

      Set-OrganizationConfig -RejectDirectSend $true

    • This rejects unauthorized emails sent using Direct Send during the SMTP conversation, before they reach a mailbox.
  • Restrict Usage:
    • Only essential systems or devices (e.g., legacy printers) should relay mail at all, and they should do it over a sanctioned path: authenticated SMTP (SMTP AUTH client submission with a dedicated mailbox) or an inbound connector restricted to their IP addresses or certificate. All other email should go through those paths as well, to maintain visibility and traceability.
  • Important Consideration:
    • Rejecting Direct Send may disrupt devices or services that still depend on it. Inventory them, move them to one of the paths above, and only then enforce the change.

2. Implement Robust Email Authentication

  • SPF – Identify and allow only your trusted email sources.
  • DKIM – Digitally sign your email to verify legitimacy.
  • DMARC – Publish a policy of quarantine or reject (a p=none policy only monitors) and make sure your inbound anti-phishing policy honors it, so spoofed messages claiming your own domain are quarantined or rejected rather than merely marked.
  • DANE – Publish DNSSEC-signed TLSA records so that sending servers can verify your mail server's TLS certificate. DANE protects the transport, not the sender identity; it complements SPF, DKIM, and DMARC rather than replacing them.
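The following PowerShell script is an added example, not part of the original post or of Microsoft's documentation, that walks through steps 1 and 2 in the order a cautious administrator would run them: look up the public smart host and the domain's SPF and DMARC records, read the current Direct Send setting, give a legacy printer a sanctioned relay path, enforce the reject setting, and then confirm from outside the connector's IP range that an anonymous internal-looking submission is refused. It assumes the ExchangeOnlineManagement module (a version that exposes the RejectDirectSend parameter) and an account holding the Exchange Administrator role; contoso.com, admin@contoso.com, the printer address 203.0.113.10 and the connector name are placeholders.

```powershell
# Added example (not from the original post). Placeholders: contoso.com,
# admin@contoso.com, printer IP 203.0.113.10, connector name.
# Requires the ExchangeOnlineManagement module and Exchange Administrator rights.

$Domain = 'contoso.com'

# Step 2 posture check and smart-host lookup. All of this is public DNS:
# the MX host below is the "smart host" both printers and attackers submit to.
$mxHost = (Resolve-DnsName -Name $Domain -Type MX |
           Sort-Object Preference | Select-Object -First 1).NameExchange
$spf    = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
          Where-Object { $_ -like 'v=spf1*' }
$dmarc  = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
          Where-Object { $_ -like 'v=DMARC1*' }
Write-Host "Smart host: $mxHost"
Write-Host "SPF:        $spf"
Write-Host "DMARC:      $dmarc"
if (-not $spf) { Write-Warning 'No SPF record: spoofed Direct Send mail cannot even fail SPF.' }
if (-not $dmarc -or $dmarc -match '(^|;)\s*p=none') {
    Write-Warning 'DMARC absent or monitor-only (p=none): spoofed mail is not quarantined or rejected.'
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@$Domain"

# Step 1a: read the current setting. $false (or blank on an older module)
# means anonymous Direct Send is accepted.
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# Step 1b: give the devices that genuinely need to relay a sanctioned path
# BEFORE enforcing. Mail arriving from the connector's IPs is attributed to
# your tenant through the connector rather than treated as Direct Send.
New-InboundConnector -Name 'Legacy printer relay' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses @('203.0.113.10') `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Step 1c: enforce tenant-wide and read the value back.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

Disconnect-ExchangeOnline -Confirm:$false

# Step 1d: verify from a machine OUTSIDE the connector's IP range. This is the
# same anonymous submission a printer (or an attacker) makes; after enforcement
# Exchange Online should refuse it (Microsoft documents the rejection as
# SMTP 550 5.7.68). Send-MailMessage is deprecated but still the simplest way
# to reproduce the exact SMTP conversation.
try {
    Send-MailMessage -SmtpServer $mxHost -Port 25 -UseSsl `
        -From "ceo@$Domain" -To "finance@$Domain" `
        -Subject 'Direct Send verification' `
        -Body 'If this arrived, unauthenticated Direct Send is still accepted.' `
        -ErrorAction Stop
    Write-Warning 'Accepted: Direct Send is still open for this tenant.'
} catch {
    Write-Host "Rejected as expected: $($_.Exception.Message)"
}
```

Run the verification from a host outside the connector range (a laptop on a home connection, for instance); a submission from the printer subnet would be accepted legitimately through the connector and prove nothing. If the test message is accepted, enforcement has not taken effect yet or the device path is broader than intended.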

3. Monitor Mail Flow and Inspect Headers

  • Scrutinize headers for anomalies. A message that arrived via Direct Send was submitted anonymously, so Exchange Online stamps it X-MS-Exchange-Organization-AuthAs: Anonymous, and its Authentication-Results header shows spf=fail (or softfail) for your own domain when your SPF record is correct, along with a sending IP and geography you do not recognize.
  • Flag messages labeled as internal that don't follow usual traffic patterns, such as an "internal" executive message that originated from an external IP address.
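The following PowerShell is an added example, not from the original post, that turns the header checks above into a repeatable triage function: it unfolds a raw header block, pulls the From: domain, the Authentication-Results verdicts and the AuthAs stamp, and flags the Direct Send pattern (a From: in one of your own domains that arrived anonymously without passing SPF or DKIM). The three header samples are constructed for illustration, and contoso.com, partner.example and the IP addresses are placeholders.

```powershell
# Added example (not from the original post). Flags the Direct Send pattern in
# raw message headers: an internal From: address that was submitted anonymously
# and did not authenticate. contoso.com and the header samples are constructed.

$TenantDomains = @('contoso.com')

function Get-HeaderValue {
    param([string]$Headers, [string]$Name)
    # Unfold continuation lines (leading whitespace) so multi-line values such
    # as Authentication-Results are captured whole.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $m = [regex]::Match($unfolded, "(?im)^$([regex]::Escape($Name)):[ \t]*(.+)`$")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Test-DirectSendSpoof {
    param([string]$Headers)
    $from    = Get-HeaderValue $Headers 'From'
    $authRes = Get-HeaderValue $Headers 'Authentication-Results'
    $authAs  = Get-HeaderValue $Headers 'X-MS-Exchange-Organization-AuthAs'

    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $matches[1].ToLower() } else { $null }
    $spf      = if ($authRes -match 'spf=(\w+)')   { $matches[1] } else { 'none' }
    $dkim     = if ($authRes -match 'dkim=(\w+)')  { $matches[1] } else { 'none' }
    $dmarc    = if ($authRes -match 'dmarc=(\w+)') { $matches[1] } else { 'none' }
    $senderIp = if ($authRes -match 'sender IP is ([0-9A-Fa-f.:]+)') { $matches[1] } else { $null }

    # The tell: a From: in one of our own domains, yet Exchange Online attributed
    # the submission to nobody (AuthAs Anonymous) and neither SPF nor DKIM passed.
    # Genuine internal mail is AuthAs Internal; genuine external mail is Anonymous
    # too, but its From: is not in our domains.
    $looksInternal   = [bool]($fromDomain -and ($TenantDomains -contains $fromDomain))
    $unauthenticated = ($authAs -eq 'Anonymous') -and ($spf -ne 'pass') -and ($dkim -ne 'pass')

    [pscustomobject]@{
        From       = $from
        SenderIP   = $senderIp
        AuthAs     = $authAs
        SPF        = $spf
        DKIM       = $dkim
        DMARC      = $dmarc
        Suspicious = $looksInternal -and $unauthenticated
    }
}

# Constructed samples, trimmed to the headers that matter.
$spoofed = @'
Received: from mail.example.net (198.51.100.7) by CO1NAM11FT001.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com;compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: CEO <ceo@contoso.com>
To: finance@contoso.com
Subject: Urgent wire transfer
'@

$internal = @'
Authentication-Results: spf=pass (sender IP is 10.0.0.5) smtp.mailfrom=contoso.com;
 dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=contoso.com;compauth=pass reason=109
X-MS-Exchange-Organization-AuthAs: Internal
From: Bob <bob@contoso.com>
To: finance@contoso.com
'@

$external = @'
Authentication-Results: spf=pass (sender IP is 192.0.2.25) smtp.mailfrom=partner.example;
 dkim=pass (signature was verified) header.d=partner.example;dmarc=pass action=none
 header.from=partner.example;compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Alice <alice@partner.example>
To: finance@contoso.com
'@

# Only the first sample is flagged: internal From:, Anonymous, SPF fail, no DKIM.
@($spoofed, $internal, $external) | ForEach-Object { Test-DirectSendSpoof $_ } | Format-Table -AutoSize
```

Paste the full header block of a suspicious message into Test-DirectSendSpoof; the ones that come back Suspicious are those that arrived over the anonymous path this post describes. List every accepted domain of the tenant in $TenantDomains, otherwise a spoof of a secondary domain slips past the check.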

4. Invest in Staff Awareness

Even if a message looks like it came from a colleague, that doesn't mean it's safe. Include internal-looking spoof emails in your phishing simulations to sharpen team awareness.

This Isn't Your Fault, But It Is Your Responsibility to Fix

This issue lies squarely in Microsoft's design—and while they now offer a way to restrict Direct Send, it's still up to you to configure it.

Until Microsoft changes this behavior by default, the best protection is proactive configuration, modern authentication protocols, and user training.

 

How iCorps Can Help

At iCorps, we understand that even built-in design loopholes, like Microsoft's Direct Send, can have serious implications for your business. That's why we take a proactive, partnership-driven approach to IT security. Our team of experts will review your Microsoft 365 configurations, implement the right controls to close security gaps, and ensure that your mail flow remains both secure and compliant.

Whether you're a small business without internal IT or a mid-market company seeking strategic guidance, iCorps provides tailored solutions to meet your needs, backed by decades of experience, human-centered support, and a deep commitment to your long-term success.

Let's make sure your business is protected from the inside out. Contact iCorps today to get started.
