IT Support, Security & Managed IT Services Blog - iCorps

It’s Not a Flaw, It’s by Design: Understanding Microsoft’s Security Trade-Offs

Written by Jeffery Lauria | 8/26/25 2:00 PM

If you rely on Microsoft 365 to keep your business communications safe, there's a potential loophole you need to know about. It's not a misconfiguration. It's not a missed update.

It's a built-in loophole in Microsoft's email infrastructure, and it could be exposing your business to internal-looking email threats that never even touch your security filters.

What's the Risk with Direct Send?

Microsoft 365's "Direct Send" feature was designed to make things easier. It allows printers, scanners, and other applications to send email internally, without needing user authentication.

The problem? That same convenience creates a dangerous gap in your defenses.

Emails sent through Direct Send never pass through your Secure Email Gateway (SEG) or perimeter security. Microsoft routes them directly via its smart host (e.g., yourtenant.mail.protection.outlook.com), treating them as if they originated from inside your organization—even when they didn't.

Your SEG didn't fail. It never had a chance.

This is not a misstep on your part; it's a loophole in Microsoft's architecture. And it's being actively exploited.

Why Attackers Love This Loophole

To exploit this, all a threat actor needs is:

  • Your company's domain name (publicly available)
  • A single valid email address from your organization
  • Microsoft's SMTP smart host address (which can be obtained from your DNS records)

With these three ingredients, they can send messages that look internal but are anything but—no credential theft, no malware, just clever misuse of Microsoft's infrastructure.

How to Close the Gap

1. Enable and Restrict Direct Send Usage

Microsoft now allows you to block unauthenticated Direct Send at the tenant level, enhancing your email security posture.

  • Use (in Exchange Online PowerShell):

    Set-OrganizationConfig -RejectDirectSend $true

    • This closes the loophole for unauthorized emails sent using Direct Send.
  • Restrict Usage:
    • Only allow essential systems or devices (e.g., legacy printers) to use Direct Send. All other email should go through authenticated SMTP or relay connectors to maintain visibility and traceability.
  • Important Consideration:
    • Disabling Direct Send may disrupt certain devices or services. Review and adjust those systems before enforcing the change.
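The following script is an added example, not code from the iCorps post or from Microsoft: it wraps the command above in a report-first, enforce-second workflow so that the "Important Consideration" is handled before the setting is flipped. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the `$Upn` parameter and the `-Enforce` switch are this script's own names.

```powershell
# Added example (not from the iCorps post): audit the tenant's Direct Send setting,
# review the connectors that devices may depend on, and only then enforce RejectDirectSend.
param(
    [Parameter(Mandatory)] [string] $Upn,   # admin UPN passed to Connect-ExchangeOnline (assumed name)
    [switch] $Enforce                        # without this switch the script only reports (assumed name)
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $Upn -ShowBanner:$false

# 1. Report the current state. $false or empty means unauthenticated Direct Send is still accepted.
$config = Get-OrganizationConfig
"RejectDirectSend is currently: $($config.RejectDirectSend)"

# 2. List inbound connectors. Direct Send needs no connector at all, so any printer or application
#    that must keep sending has to be moved to authenticated SMTP submission or to a connector
#    restricted by certificate or sender IP before the change is enforced.
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderIPAddresses, TlsSenderCertificateName, RequireTls, Enabled |
    Format-Table -AutoSize

if (-not $Enforce) {
    "Report only. Re-run with -Enforce once no device still depends on unauthenticated Direct Send."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# 3. Close the gap with the same cmdlet and parameter the post quotes.
Set-OrganizationConfig -RejectDirectSend $true

# 4. Verify the change rather than assuming it took effect.
$after = (Get-OrganizationConfig).RejectDirectSend
if ($after -ne $true) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "RejectDirectSend did not take effect; check the role assignment and retry."
}
"RejectDirectSend is now: $after"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Enforce`, walk the connector list with whoever owns the printers and line-of-business applications, and only then run it again with the switch; the verification step at the end is what you would paste into a change ticket as evidence.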

2. Implement Robust Email Authentication

  • SPF – Identify and allow only your trusted email sources.
  • DKIM – Digitally sign your email to verify legitimacy.
  • DMARC – Enforce policies that reject or quarantine spoofed messages.
  • DANE – Use DNSSEC-signed TLSA records to authenticate the TLS certificates used for SMTP connections.
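As an added example (not from the iCorps post), the function below reads a domain's published SPF, DKIM and DMARC records and reports the gaps that step 2 is about. It uses only `Resolve-DnsName`, so it assumes Windows PowerShell or PowerShell on Windows with the DnsClient module; it also assumes Microsoft 365 is the DKIM signer (the `selector1`/`selector2` CNAMEs). DANE is not checked here. The domain in the usage line is a placeholder.

```powershell
# Added example (not from the iCorps post): lint a domain's SPF, DKIM selectors and DMARC policy.
function Test-MailAuthPosture {
    param([Parameter(Mandatory)] [string] $Domain)

    $findings = @()

    # SPF is a TXT record at the domain apex that starts with "v=spf1". Long records are
    # split into several strings, so join them before inspecting.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { -join $_.Strings }
    $spf = $txt | Where-Object { $_ -like 'v=spf1*' }

    if (-not $spf) {
        $findings += 'SPF: no v=spf1 record; receivers cannot tell which hosts may send for this domain.'
    } elseif (@($spf).Count -gt 1) {
        $findings += 'SPF: more than one v=spf1 record; receivers treat this as a permanent error.'
    } else {
        if ($spf -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings += 'SPF: Microsoft 365 is not listed as an authorized sender (include:spf.protection.outlook.com).'
        }
        if ($spf -match '\+all') {
            $findings += 'SPF: +all authorizes every host on the internet; this is worse than no record.'
        } elseif ($spf -notmatch '-all') {
            $findings += 'SPF: ends in ~all or ?all; a hard fail (-all) states your intent unambiguously.'
        }
    }

    # Microsoft 365 signs with two rotating selectors published as CNAMEs under _domainkey.
    foreach ($sel in 'selector1', 'selector2') {
        $dkim = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $dkim) {
            $findings += "DKIM: $sel._domainkey.$Domain is not published, so Microsoft 365 cannot sign for this domain."
        }
    }

    # DMARC is a TXT record at _dmarc.<domain>. p=none only reports; it does not stop spoofed mail.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { -join $_.Strings } | Where-Object { $_ -like 'v=DMARC1*' }
    if (-not $dmarc) {
        $findings += 'DMARC: no record; receivers have no policy to apply when SPF and DKIM fail.'
    } elseif ($dmarc -match '(^|;)\s*p=none') {
        $findings += 'DMARC: p=none is monitor-only; move to p=quarantine and then p=reject.'
    } elseif ($dmarc -notmatch 'rua=') {
        $findings += 'DMARC: no rua= address, so aggregate reports (your view of who is spoofing you) go nowhere.'
    }

    if ($findings.Count -eq 0) { $findings = @('No gaps found in SPF, DKIM selectors or DMARC policy.') }

    [PSCustomObject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}

# Usage (placeholder domain; substitute your own).
Test-MailAuthPosture -Domain 'example.com' | Format-List
```

Note that strong DNS records alone do not close the Direct Send gap described above, because Direct Send traffic is accepted by your own tenant's endpoint; they do, however, make a spoofed message fail the checks that step 3 looks for, which is why the two steps belong together.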

3. Monitor Mail Flow for Anomalies

  • Scrutinize headers for anomalies like unexpected geographies or failed SPF/DKIM results.
  • Flag messages labeled as internal that don't follow usual traffic patterns.
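The function below is an added example, not code from the iCorps post: it applies the two bullets above to the header block of a single message, flagging mail whose From address is in your own domain but whose authentication results or Exchange Online origin stamp say otherwise. It assumes the headers were captured after Exchange Online processed the message (so that `Authentication-Results` and `X-MS-Exchange-Organization-AuthAs` are present); the sample header block, the sender addresses and the IP address are constructed for the example.

```powershell
# Added example (not from the iCorps post): triage one message's headers for the
# "looks internal, failed authentication" pattern.
function Test-InternalSpoof {
    param(
        [Parameter(Mandatory)] [string] $RawHeaders,   # header section of one message, as text
        [Parameter(Mandatory)] [string] $OrgDomain     # the domain you consider "internal"
    )

    # Unfold RFC 5322 continuation lines, then split into name/value pairs (repeated names are kept).
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $pairs = foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            [PSCustomObject]@{ Name = $Matches[1].ToLower(); Value = $Matches[2] }
        }
    }
    $from   = ($pairs | Where-Object Name -eq 'from' | Select-Object -First 1).Value
    $auth   = ($pairs | Where-Object Name -eq 'authentication-results').Value -join ' '
    $authAs = ($pairs | Where-Object Name -eq 'x-ms-exchange-organization-authas' | Select-Object -First 1).Value

    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }
    $reasons = @()

    if ($fromDomain -eq $OrgDomain.ToLower()) {
        # The sender claims to be one of us, so each failed check below is a reason to look closer.
        if ($auth -match '\bspf=(fail|softfail|none|temperror|permerror)') { $reasons += "SPF result is $($Matches[1])" }
        if ($auth -notmatch '\bdkim=pass')      { $reasons += 'no DKIM pass for a sender in our own domain' }
        if ($auth -match '\bdmarc=(fail|none)') { $reasons += "DMARC result is $($Matches[1])" }
        if ($auth -match '\bcompauth=fail')     { $reasons += 'Microsoft composite authentication (compauth) failed' }
        # Mail that really originated inside the tenant is stamped AuthAs Internal by Exchange Online;
        # Direct Send arrives without authentication and is stamped Anonymous.
        if ($authAs -and $authAs -ne 'Internal') { $reasons += "X-MS-Exchange-Organization-AuthAs is $authAs, not Internal" }
    }

    [PSCustomObject]@{
        From       = $from
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Constructed sample: an internal-looking message that arrived unauthenticated.
$sample = @'
Received: from 203.0.113.7 (203.0.113.7) by
 EXAMPLE-MB0001.example.prod.outlook.com (constructed host name)
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=example.com;compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Finance Director" <director@example.com>
To: payables@example.com
Subject: Urgent wire request
'@

Test-InternalSpoof -RawHeaders $sample -OrgDomain 'example.com' | Format-List
```

For the sample above the function reports the message as suspicious with five reasons (SPF fail, no DKIM pass, DMARC fail, compauth fail, and AuthAs Anonymous). The same function can be pointed at headers exported from a mailbox or a quarantine export; the AuthAs check is the one most worth keeping, because it is independent of whether the attacker bothered to pass SPF.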

4. Invest in Staff Awareness
Even if a message looks like it came from a colleague, that doesn't mean it's safe. Include internal-looking spoof emails in your phishing simulations to sharpen team awareness.

This Isn't Your Fault, But It Is Your Responsibility to Fix

This issue lies squarely in Microsoft's design—and while they now offer a way to restrict Direct Send, it's still up to you to configure it.

Until Microsoft changes this behavior by default, the best protection is proactive configuration, modern authentication protocols, and user training.

How iCorps Can Help

At iCorps, we understand that even built-in design loopholes, like Microsoft's Direct Send, can have serious implications for your business. That's why we take a proactive, partnership-driven approach to IT security. Our team of experts will review your Microsoft 365 configurations, implement the right controls to close security gaps, and ensure that your mail flow remains both secure and compliant.

Whether you're a small business without internal IT or a mid-market company seeking strategic guidance, iCorps provides tailored solutions to meet your needs, backed by decades of experience, human-centered support, and a deep commitment to your long-term success.

Let's make sure your business is protected from the inside out. Contact iCorps today to get started.