Lately, we've seen a troubling rise in spoofed emails that look exactly like they're coming from the actual users (without the proper SPF, DMARC, or DKIM marking them as valid). This feels like it's becoming a bigger issue week by week!
We have a third-party spam filter (Spam Hero), but the problem is that these spoofed emails go straight to users' mailboxes as if they're internal emails, bypassing the spam filter entirely. I opened a ticket with Microsoft support, but honestly, their first-level assistance hasn't been very helpful. I've even tried turning off direct send, but that led to other problems.
Is there a way to ensure that all emails must route through our spam filter instead of using direct send? Can we re-enable direct send but configure it to route through Spam Hero no matter what?
6 Answers
This isn’t really a spoofing problem. If you’ve got a transport rule that lets all emails bypass your spam filter, you’re going to end up with tons of spam! Using direct send doesn’t create these issues as long as you don't bypass the spam filters for all incoming email.
Honestly, I'm finding the documentation on Direct Send to be really lacking. I can't wrap my head around how it actually differs from regular email flow between servers. If it's still SPF authenticated, shouldn't it just be considered standard email?
For what it's worth, Microsoft recently introduced more control over direct send in Exchange Online. You might want to check it out—it could provide some options you haven't considered.
You ought to set up a rule to redirect all emails that didn't come through your email gateway back through it. There's a detailed article that explains how attackers can bypass third-party mail filters with Office 365 that could help you understand better.
I tried this too, but it didn’t work for some reason. I think something in Barracuda Cloud treated it as mail for an unaccepted domain. We had to turn off direct send.
This totally worked for us! We implemented it, and everything is running smoothly now.
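The redirect rule suggested above, written out as an added example for Exchange Online PowerShell (this is not code from the thread, from Spam Hero, or from any vendor). It also includes the tenant-wide Direct Send control mentioned earlier. The smart-host name, the filter's source IP ranges, and the connector and rule names are placeholders you must replace with what your filter vendor publishes; the loop exclusion on the filter's IP ranges is the part that matters, because mail the filter hands back to your MX would otherwise match the rule and be sent out again.

```powershell
# Added example, not from the original thread. Assumes the ExchangeOnlineManagement
# module is installed and that you know the filter's inbound relay hostname and its
# outbound IP ranges. The hostname and ranges below are placeholders (RFC 5737
# documentation addresses), not real vendor values.
Connect-ExchangeOnline

$filterSmartHost = "inbound.filter.example.net"                # assumption: filter's inbound relay
$filterIpRanges  = @("203.0.113.0/24", "198.51.100.0/24")      # assumption: filter's sending ranges

# 1. Tenant-wide control: reject Direct Send. Anonymous SMTP submissions to the
#    tenant MX that claim an accepted-domain sender are refused at the edge.
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# 2. Outbound connector that hands mail to the filter rather than delivering it.
#    Scoped to transport rules so it is only used when a rule routes to it.
New-OutboundConnector -Name "Route to third-party filter" `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts $filterSmartHost `
    -TlsSettings EncryptionOnly `
    -RecipientDomains "*"

# 3. Mail flow rule: anything addressed to internal recipients that did NOT arrive
#    from the filter's IP ranges is pushed back through the filter.
#    FromScope NotInOrganization matters here: a spoofed accepted-domain sender on an
#    unauthenticated connection is still "not in organization", so it is caught,
#    while authenticated mailbox-to-mailbox mail is left alone (no routing loop).
#    ExceptIfSenderIpRanges prevents the loop when the filter returns the message.
New-TransportRule -Name "Send non-gateway inbound mail through the filter" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSenderIpRanges $filterIpRanges `
    -RouteMessageOutboundConnector "Route to third-party filter" `
    -Mode TestWithoutPolicyTips   # switch to Enforce once message traces look right

# 4. Sanity check: confirm the rule and connector exist and review how they are scoped.
Get-TransportRule "Send non-gateway inbound mail through the filter" |
    Format-List Name, Mode, FromScope, SentToScope, ExceptIfSenderIpRanges, RouteMessageOutboundConnector
Get-OutboundConnector "Route to third-party filter" |
    Format-List Name, Enabled, IsTransportRuleScoped, SmartHosts, TlsSettings
```

Two caveats before flipping the rule to Enforce. First, the filter's inbound relay must be configured to accept your domains; if it only knows your domains as destinations for the MX path, redirected mail may be rejected as being for an unaccepted domain, which is the failure described in one of the replies above. Second, keep the filter's IP ranges current in the exception, since a stale range turns the rule into a mail loop between your tenant and the filter.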
I was in a similar boat this week with emails pretending to be from users. It's frustrating! We switched from AppRiver to Microsoft Defender for better security because our setup was wide open and letting these spoofed emails slip through. Just be cautious about leaving any unused email aliases unprotected, as they can be exploited.
Wow, that's concerning! It's nuts how this issue is spreading, and I can't believe Microsoft hasn't addressed it more robustly.
If disabling direct send caused you issues, it sounds like there might be something wrong with your DMARC or your third-party filter setup. You should really focus on fixing those underlying issues rather than just switching off a feature.
We haven’t set any transport rules that allow for this. The problem is that Microsoft’s direct send completely ignores our MX record for the spam filter and sends everything directly to the mailbox, which is why I'm convinced it's spoofing!