I'm curious about the Direct Send feature in Exchange Online and whether it's as risky as some security blogs suggest. I understand the concepts behind it, but I've never been able to replicate the scenarios that highlight the vulnerabilities. From what I've gathered, for Direct Send to work, Port 25 must be open by the ISP or cloud provider, which is pretty rare. Also, I've heard that some third-party mailing applications need to use Direct Send for their operations, which raises some concerns. Can anyone clarify if this is more of a theoretical concern, or are there real-world implications? Thanks in advance!
1 Answer
You’re worried about attacks coming from home ISPs, but actually, many larger scam operations have Port 25 open as well. The issue with Direct Send is that Exchange treats emails sent this way as ‘internal.’ Impersonation attacks are a real concern with this feature, and I’ve seen direct examples of it happening. The solution is straightforward: our organization has a rule in place that sends any mail passing the hub that didn’t go through our spam gateway (like Proofpoint) into that system. It’s easy to set up and stops the loophole effectively.

Thanks for confirming that you've seen actual attacks! I’ve been blocking Direct Send on some of our tenants, but I’m noticing larger organizations might be impacted. I’m curious, without something like Proofpoint and only using Exchange Online, what should the rules be? Would a mail flow rule that rejects Direct Send from any invalid IP address work?
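Worked example, added here and not code from either poster, showing in Exchange Online PowerShell both the gateway-bypass mail flow rule the answer describes and the tenant-level block for the Exchange-Online-only case the follow-up asks about. The domain and IP ranges are hypothetical placeholders; the rule names and the choice of quarantine over reject are the author of this example's, not the thread's.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$OwnDomain  = 'example.com'        # hypothetical: one of the tenant's accepted domains
$GatewayIPs = @('203.0.113.0/24')  # hypothetical: the spam gateway's outbound IP ranges
$DeviceIPs  = @('198.51.100.10')   # hypothetical: a printer/app that legitimately uses Direct Send

# (1) The answer's approach. Mail that claims an own-domain sender (in the header
# From or the envelope MAIL FROM) but did not arrive from the gateway's IPs is the
# "looks internal, was never scanned" case. The exception is keyed on source IP
# rather than on a gateway-added header, because a header name is easy to copy
# while the gateway's egress addresses are not. Start in Audit mode so the rule
# can be checked against real traffic before it touches delivery.
$RuleName = 'Direct Send: own-domain sender that bypassed the gateway'
New-TransportRule -Name $RuleName `
    -Priority 0 `
    -Mode Audit `
    -SenderDomainIs $OwnDomain `
    -SenderAddressLocation HeaderOrEnvelope `
    -ExceptIfSenderIpRanges ($GatewayIPs + $DeviceIPs) `
    -Quarantine $true `
    -Comments 'Quarantines own-domain mail that did not come via the gateway; set -Mode Enforce after review'

# After the audit period shows only unexpected senders matching, enforce it.
Set-TransportRule -Identity $RuleName -Mode Enforce

# (2) Exchange-Online-only tenant with no gateway to route through: instead of
# maintaining IP lists in a rule, reject Direct Send for the whole tenant. Apps
# and devices that still need to relay then have to authenticate (SMTP AUTH) or
# be admitted through an inbound connector scoped to their IPs.
Set-OrganizationConfig -RejectDirectSend $true

# Verify both controls took effect.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SenderDomainIs, ExceptIfSenderIpRanges, Quarantine
Get-OrganizationConfig | Format-List RejectDirectSend
```

If you prefer the reject behaviour the follow-up suggests over quarantine, replace `-Quarantine $true` with `-RejectMessageReasonText` and `-RejectMessageEnhancedStatusCode`, but keep the Audit pass first so legitimate Direct Send devices are found before their mail starts bouncing.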