Author: Farzan Karimi (@jumpycastle)
License: MIT
This script provides a Python-based implementation of how Microsoft 365 Direct Send can be abused to craft emails that look internal but are sent without authentication.
What is Direct Send?

Direct Send lets devices and applications (printers, scanners, scripts) submit mail into a Microsoft 365 tenant through the tenant's own smart host, <tenant>.mail.protection.outlook.com, over SMTP without logging in.
Why is this risky?

No credentials are required and the From: header is not validated, so an attacker's message relayed through Microsoft's own infrastructure can look like internal-to-internal traffic. Because it goes straight to the tenant smart host rather than through the domain's MX records, filters and third-party gateways that sit in front of the MX never see it.
This code is for authorized testing or lab use only. Do not aim it at live tenants. It won't end well.
Features

- Build a MIME email with:
  - Spoofed From: and To: headers
  - Subject, HTML body template, optional attachment
  - Placeholders in the body ({{target}}, {{sender}}, {{link}})
- Send the message to an SMTP server ({{smtp target}})
Usage

Save as body.html:

```html
<html><body>
<p>When you get a moment please call me back at 555-555-5555.</p>
</body></html>
```

Then run:

```
py directsend.py --To "{{target}}@email.com" --From "{{sender}}@email.com" --Subject "Urgent Message" --Body ./body.html --smtp {{company}}.mail.protection.outlook.com
```
For lab testing, point it at a local listener instead: --smtp localhost

Arguments

-t, --To: Recipient address (e.g., [email protected])
-f, --From: Spoofed sender address (e.g., [email protected])
-s, --Subject: Subject line
-b, --Body: Path to the HTML body file (supports placeholders)
-a, --Attach: Optional file to attach
--smtp: SMTP server (use localhost for lab)

Mitigations

- Best move: turn off Direct Send
- If you can't: lock it down to the few hosts or IP ranges that actually need it
- With Mimecast: use the Lockdown Connector so the tenant only accepts inbound mail from Mimecast's IP ranges
- Without: tighten DMARC to p=reject, make SPF hardfail (-all), add anti-spoofing policies, and pin the permitted senders to known egress IPs
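The DNS side of that last point is easy to check mechanically. The following is an added example for this README, not part of the directsend project: it evaluates a DMARC record against the p=reject advice and an SPF record against the hardfail and known-egress advice. The records are constructed strings and the function names are assumptions; in practice you would feed in the TXT records fetched for your domain and for _dmarc.<domain>.

```python
# Added example for the hardening list above; not part of the directsend
# project. The SPF/DMARC records below are constructed strings. In practice,
# fetch the TXT record for your domain and for _dmarc.<domain> and feed them
# in; the function names are assumptions made for this README.
import ipaddress
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the gaps between a DMARC record and the README's advice (p=reject)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail from the domain is not rejected")
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        findings.append(f"sp={sub}: subdomain spoofing is not rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy is only applied to {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing you")
    return findings


def assess_spf(record: str, known_egress: List[str]) -> List[str]:
    """Flag a soft terminal qualifier and any ip4:/ip6: mechanism outside the
    egress ranges you actually send from (the 'pin to known egress IPs' step)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    allowed = [ipaddress.ip_network(net, strict=False) for net in known_egress]
    findings = []
    if terms[-1].lower() != "-all":
        findings.append(f"terminal mechanism is '{terms[-1]}', expected -all (hardfail)")
    for term in terms[1:]:
        mech = term.lower().lstrip("+")
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not inside:
                findings.append(f"{term} is not within a known egress range")
        elif mech == "ptr" or mech.startswith("ptr:"):
            findings.append(f"{term}: ptr is deprecated and slow to evaluate")
    return findings


if __name__ == "__main__":
    for finding in assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@company.example"):
        print("DMARC:", finding)
    weak_spf = ("v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
                "include:spf.protection.outlook.com ~all")
    for finding in assess_spf(weak_spf, ["203.0.113.0/24"]):
        print("SPF:", finding)
```

The checker deliberately does not expand include: mechanisms; the Microsoft 365 include is expected, and expanding others needs DNS lookups. Treat an empty findings list as "the records match the advice", not as proof that the tenant rejects Direct Send traffic: that still depends on the tenant-side settings in the list above.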