{"id":14343,"date":"2025-06-27T03:18:06","date_gmt":"2025-06-27T03:18:06","guid":{"rendered":"https:\/\/newestek.com\/?p=14343"},"modified":"2025-06-27T03:18:06","modified_gmt":"2025-06-27T03:18:06","slug":"dont-trust-that-email-it-could-be-from-a-hacker-using-your-printer-to-scam-you","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14343","title":{"rendered":"Don\u2019t trust that email: It could be from a hacker using your printer to scam you"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Printers and scanners are increasingly becoming ways for cyber crooks to deliver phishing attacks, thanks to a flaw in the Microsoft 365 Direct Send feature.<\/p>\n

The Varonis forensics team has uncovered an exploit which allows internal devices such as printers to send emails without authentication. The vulnerability has been used to target more than 70 organizations, predominantly in the US, with threat actors spoofing internal users and delivering phishing emails without needing to compromise any accounts whatsoever.<\/p>\n

The campaign has been successful because emails sent from within Microsoft 365 (M365) undergo less scrutiny than standard inbound email.<\/p>\n

\u201cThis discovery underscores a classic case of functionality versus security,\u201d said Ensar Seker, CISO at SOCRadar. \u201cMicrosoft 365\u2019s Direct Send feature is designed for convenience, allowing devices like printers or scanners to send emails without authentication, but that very design opens a door for abuse when misconfigured or misunderstood.\u201d<\/p>\n

Spoofing made \u2018remarkably easy\u2019<\/h2>\n

M365 Direct Send is intended for internal use only, but it\u2019s easy for hackers to access because no authentication is required. Attackers<\/a> don\u2019t need credentials, tokens, or even access to the tenant; they just need a few publicly-available details and a talent for guessing.<\/p>\n

This is because Direct Send uses a smart host with a common format: tenantname.mail.protection.outlook.com<\/em>, and companies\u2019 internal email address formats can be trivial to figure out or easy to scrape from public sources or social media. Once an attacker has the domain and a valid email address, they are able to send emails that appear to come from inside the organization.<\/p>\n

In the campaign observed by Varonis\u2019 forensics experts, the attacker used PowerShell to send emails that were designed to resemble voicemail notifications which included a PDF attachment with a QR code that redirected users to a site designed to harvest M365 credentials.<\/p>\n

Varonis\u2019 researchers pointed out that the campaign works because no logins or credentials are required, the smart host accepts emails from any external source, the \u201cfrom\u201d address can be spoofed to any be internal user, and the only requirement is that the recipient is internal to the client organization.<\/p>\n

Further, because it is routed through Microsoft infrastructure and seems to be coming from within the organization, the email bypasses traditional security controls, including Microsoft\u2019s own filtering mechanisms which treat it as internal-to-internal, or third-party tools that flag suspicious messages based on authentication, routing patterns, or sender reputation.<\/p>\n

\u201cThe challenge is that many organizations either leave default settings unchanged or fail to restrict sender permissions, making spoofing from internal-looking sources remarkably easy,\u201d said Seker.<\/p>\n

David Shipley of Beauceron Security called this vulnerability a classic case of \u201cown gun, own foot\u201d and noted that it \u201cdoesn\u2019t exactly fit\u201d Microsoft\u2019s Secure Futures Initiative<\/a>, the company\u2019s campaign to continuously secure itself and its customers.<\/p>\n

\u201cThis kind of cleverness is the direct result of the email security cat and mouse game,\u201d said Shipley. As more organizations adopt security features like sender policy framework (SPF), domain-based message authentication, reporting, and conformance (DMARC) and DomainKeys identified mail (DKIM), and invest in e-mail filters, regular spoofing gets much harder.<\/p>\n

It\u2019s essentially low-hanging fruit for criminals, he added, and \u201canyone using [Direct Send] should revisit it yesterday now that this report is out.\u201d<\/p>\n

What to look for<\/h2>\n

To determine whether there\u2019s been abuse, Varonis researchers advise investigating message headers and behavioral signals. Message header indicators include external IPs sent to the smart host, or failures in SPF, DKIM, or DMARC for internal domains. Also, the \u201cX-MS-Exchange-CrossTenant-Id\u201d should match the organization\u2019s tenant ID.<\/p>\n

Behavioral indicators could include emails sent from users to themselves; unusual IP addresses; suspicious attachments or filenames; and PowerShell or other command-line user agents.<\/p>\n

Microsoft has said it is working to disable<\/a> Direct Send by default, and customers can enforce a static IP address in the SPF record to prevent send abuse, but it isn\u2019t a direct requirement.<\/p>\n

To be proactive, the Varonis researchers urge IT leaders to:<\/p>\n