Turn Off Direct Send in Microsoft Exchange to Protect Yourself From Phishing
Why It Matters
Disabling Direct Send closes a stealthy phishing vector that evades traditional defenses, protecting organizational data and reputation. The change is especially critical for nonprofits, which have become frequent targets of these automated attacks.
Key Takeaways
- Direct Send lets devices bypass authentication in Exchange Online
- Attackers use AI‑crafted phishing emails that appear legitimate
- Recent wave targets nonprofits with high‑volume Direct Send abuse
- Microsoft added “Reject Direct Send” feature in April 2025
- Disabling Direct Send reduces phishing risk for most organizations
Pulse Analysis
Direct Send was introduced to accommodate legacy hardware—copiers, printers, fax servers—that lack modern authentication protocols. By allowing these devices to relay mail directly to Exchange Online, organizations avoided costly upgrades while maintaining essential communication functions. However, the very bypass of credential checks creates an exploitable gap: any compromised internal system can masquerade as a trusted sender, slipping past perimeter defenses that rely on authentication metadata.
The abuse of Direct Send has evolved with AI. Threat actors scrape publicly available staff profiles, feed the data into large language models, and generate highly personalized phishing content that mirrors the victim’s tone. Because the messages are injected from within the Exchange environment, they retain authentic headers and evade DNS‑based filters, Microsoft Defender, and other security layers. Nonprofits, often operating with limited IT resources, have seen a notable uptick in such campaigns, with attackers leveraging volume to increase the odds of a successful credential harvest.
Microsoft’s response—introducing a “Reject Direct Send” toggle in April 2025—gives administrators a straightforward mitigation path. By disabling the feature when legacy devices are no longer needed, organizations eliminate the internal entry point that attackers exploit. Best practices now recommend auditing device inventories, confirming the necessity of Direct Send, and applying the reject setting across all tenants. Coupled with user education on AI‑generated phishing, this approach strengthens the overall security posture and reduces the likelihood of undetected, high‑impact breaches.
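The audit-then-reject sequence described above can be run from Exchange Online PowerShell. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module and an administrator session, and the `$ReviewedDeviceInventory` flag is a hypothetical operator switch.

```powershell
# Added example: review Direct Send exposure, then apply the reject setting.
# Requires the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

# 1. Current state of the tenant-wide setting.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend is currently: $before"

# 2. Accepted domains: the sender domains that unauthenticated
#    Direct Send traffic can claim to come from.
Get-AcceptedDomain |
    Select-Object DomainName, DomainType |
    Format-Table -AutoSize

# 3. Enabled inbound connectors. Devices that relay through a connector
#    are identified by IP address or TLS certificate, so they are not
#    using Direct Send. Anything in the device inventory that still sends
#    mail and is not covered here needs a connector or authenticated
#    submission before the reject setting is turned on.
Get-InboundConnector |
    Where-Object { $_.Enabled } |
    Select-Object Name, ConnectorType, SenderIPAddresses,
                  TlsSenderCertificateName, RequireTls |
    Format-Table -AutoSize

# 4. Apply the setting only after the inventory has been reviewed.
#    Hypothetical operator flag: set to $true once step 3 is signed off.
$ReviewedDeviceInventory = $false

if (-not $ReviewedDeviceInventory) {
    Write-Warning "Device inventory not confirmed; leaving RejectDirectSend unchanged."
}
elseif ($before) {
    Write-Host "RejectDirectSend is already enabled; nothing to change."
}
else {
    Set-OrganizationConfig -RejectDirectSend $true
    # Read the value back to confirm the change was accepted.
    $after = (Get-OrganizationConfig).RejectDirectSend
    Write-Host "RejectDirectSend is now: $after"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run steps 1 to 3 in every tenant first; the change in step 4 is reversed with `Set-OrganizationConfig -RejectDirectSend $false` if a legitimate device stops delivering mail.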