By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Attackers are abusing Microsoft Direct Send to bypass secure email gateways and deliver QR code and CAPTCHA-hidden payloads directly to inboxes without stolen credentials, according to Abnormal AI. The pattern shows that trusted infrastructure can become a delivery path that legacy email defenses do not reliably inspect.


At a glance

What this is: This webinar explains how Microsoft Direct Send abuse lets attackers bypass secure email gateways by abusing trusted infrastructure and hiding payloads behind QR codes and CAPTCHAs.

Why it matters: It matters because email security, IAM, and NHI teams all rely on assumptions about trusted senders, credentialed access, and inspection points that Direct Send abuse can sidestep.

👉 Read Abnormal AI's webinar on Microsoft Direct Send abuse and inbox evasion


Context

Microsoft Direct Send is an email delivery path that can make messages look internally trusted even when the content is malicious. In this case, the governance gap is not authentication failure in the classic sense, but inspection failure: organisations assume trusted infrastructure is inherently safer than externally delivered mail.

For IAM and security teams, the lesson is broader than email filtering. When an attacker can use a trusted service path to reach users, control points built around sender reputation, gateway checks, and credential theft detection may not be enough. That creates a governance problem across email security, identity trust, and user-facing risk controls.


Key questions

Q: How should security teams handle phishing that arrives through trusted email infrastructure?

A: Treat trusted infrastructure as a delivery path, not a guarantee of legitimacy. Security teams should inspect the full message path, apply post-delivery analysis where needed, and correlate sender trust with content risk, user interaction, and domain reputation. If the control model assumes trusted transport equals safe mail, attackers can bypass it without stealing credentials.

Q: Why do secure email gateways miss some Direct Send abuse campaigns?

A: Secure email gateways often focus on known-bad senders, suspicious links, and obvious payload markers. Direct Send abuse can bypass those assumptions by arriving through infrastructure that looks legitimate enough to lower scrutiny. When attackers add QR codes or CAPTCHAs, static detection becomes even less effective because the malicious action is hidden from simple text inspection.

Q: What breaks when attackers hide malicious payloads behind QR codes?

A: Static scanning breaks first, because the scanner may see an image or a benign wrapper rather than the real destination. Human review can also fail if the lure looks routine. Organisations need rendering-aware analysis, behavioural correlation, and user reporting paths that do not depend on the payload being readable in plain text.

Q: Who is accountable when trusted email infrastructure is abused for phishing?

A: Accountability is shared across email security, identity, and platform governance. The team that owns the trusted delivery path must prove that its controls do not create an inspection blind spot, while the identity function should validate whether trust signals are being overused. Frameworks such as NIST CSF help map those responsibilities clearly.


Background and context

How Direct Send abuse bypasses secure email gateways

Microsoft Direct Send is designed to allow sending mail through Microsoft infrastructure in ways that may appear legitimate to downstream controls. Attackers exploit that trust boundary by routing malicious messages through infrastructure that legacy secure email gateways often treat as lower risk. The result is a delivery path that does not rely on stolen credentials, so controls focused on account compromise may never trigger. Abnormal AI’s framing points to a structural inspection gap rather than a simple filtering miss.

Practical implication: security teams need to validate whether their email controls inspect trusted-path delivery with the same rigour as external mail.

Why QR codes and CAPTCHAs frustrate content-based detection

QR codes and CAPTCHA-like visual layers are used to conceal the true destination or payload from static content scanners. This is a classic evasion pattern in phishing and malware delivery because the visible message can look benign while the encoded action leads the user elsewhere. In practice, the attack shifts detection away from text-based indicators and toward behavioural or rendering-aware analysis, which legacy controls often do not perform consistently.

Practical implication: add message rendering and post-delivery analysis for visually encoded threats, not just keyword and URL inspection.

Behavioral AI versus trusted-path email abuse

Behavioral AI focuses on how a message behaves in context, not only on whether it matches a known bad signature or sender pattern. That matters when the adversary uses legitimate infrastructure and benign-looking wrappers to hide malicious intent. The key technical distinction is that the detection model must reason over anomalous delivery patterns, user interaction risk, and follow-on behaviour after receipt. In other words, the threat is not only the message content, but the path it takes and the outcomes it is designed to produce.

Practical implication: evaluate detection platforms on their ability to correlate delivery behaviour, payload concealment, and post-delivery user risk.


NHI Mgmt Group analysis

Trusted infrastructure is not a trust guarantee. Direct Send abuse shows that organisations often treat Microsoft-hosted delivery paths as implicitly safer than external mail. That assumption breaks when the attacker uses the trusted transport itself as the attack vehicle, because sender trust and content trust are no longer aligned. The implication is that email governance must separate infrastructure trust from message trust.

Inbox-level attacks now depend on inspection blind spots, not credential theft alone. The article makes clear that attackers can bypass secure email gateways without stealing credentials, which shifts the problem from account compromise to delivery-path abuse. That is a different failure mode than classic phishing. Practitioners should view email security as a control-plane problem, not just a user-awareness problem.

Visual obfuscation is becoming a governance-control evasion layer. QR codes and CAPTCHAs are not merely payload wrappers. They are deliberate mechanisms to defeat static controls that still assume readable text and direct links. That means email governance must account for how threats are packaged, not just what they say.

Identity and email security now overlap at the trust boundary. Direct Send abuse sits between IAM assumptions about trusted senders and security assumptions about message inspection. That boundary is increasingly where attackers operate, especially when they can avoid stolen credentials and still reach users through enterprise-trusted paths. The practitioner takeaway is that inbox trust must be revalidated as part of identity governance, not left to email hygiene alone.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • That governance gap becomes sharper when you compare email trust assumptions with agentic identity risk in OWASP NHI Top 10.

What this signals

Trusted-path abuse will force email teams to prove inspection parity. If a message can enter through a Microsoft-controlled path and still evade traditional controls, organisations need to treat sender provenance as one signal among many. The operational question is no longer whether a message came from a trusted infrastructure path, but whether that path receives the same detection depth as every other route.

Trust boundaries are becoming identity boundaries. As attack techniques increasingly exploit platform trust, IAM and email governance have to converge on the same question: which delivery paths are implicitly exempt from scrutiny? That is where hidden risk accumulates, especially when infrastructure-level trust is allowed to outrun content-level validation.

Behavioural detection needs a broader remit. With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey, the broader pattern is clear: identity trust is becoming harder to reason about as delivery and execution paths get more dynamic.


For practitioners

  • Validate trusted-path inspection coverage: Test whether messages delivered through Microsoft Direct Send receive the same inspection depth as externally sourced email, including attachment, link, and rendering analysis. Focus on the trust boundary where gateway policies may silently downgrade scrutiny.
  • Harden detection for visual payload hiding: Add controls that analyse QR codes, CAPTCHA-style overlays, and image-based lures after rendering, not only before delivery. This reduces the chance that a malicious destination remains invisible to static scanners.
  • Review reliance on sender trust signals: Reduce dependence on sender reputation alone by correlating delivery path, domain similarity, and user interaction patterns. A trusted service path should not override other risk indicators when the content is suspicious.
  • Expand inbox response playbooks: Build response steps for trusted-infrastructure abuse that include message recall, user notification, and investigation of any clicked payloads. The priority is to contain the message path, not only the endpoint.
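
The inspection-parity check the first and third bullets describe, as an added example that is not the webinar's or Abnormal AI's code: a stdlib-only Python triage that scores every message the same way, so an internal-looking sender earns no lighter scrutiny, and routes link-free image bodies to rendering-aware analysis. TENANT_DOMAIN, the sample message and the flag names are assumptions; the header fields used are the standard RFC 5322 From and RFC 8601 Authentication-Results.

```python
# Added defensive illustration (constructed, not the webinar's code): the same triage checks
# run on every message, so a sender that looks internal does not earn lighter inspection.
import re
from email import policy
from email.parser import BytesParser

TENANT_DOMAIN = "example.com"  # assumption: the organisation's own accepted domain

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts from every RFC 8601 Authentication-Results header."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            out.setdefault(mech.lower(), verdict.lower())
    return out

def triage(raw: bytes) -> dict:
    """Score a raw RFC 5322 message identically whether or not its sender looks internal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = str(msg.get("From", "")).rpartition("@")[2].rstrip(">").lower()
    auth = auth_verdicts(msg)
    text = "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    flags = []
    # Trusted-path signal: the sender looks like us but DMARC did not pass, so
    # infrastructure trust and message trust disagree; do not downgrade scrutiny.
    if from_domain == TENANT_DOMAIN and auth.get("dmarc") != "pass":
        flags.append("internal_lookalike_unauthenticated")
    # No clickable link but an image part: the destination may be inside a QR code,
    # which URL scanning cannot see, so route the message to rendering-aware analysis.
    if has_image and not re.search(r"https?://", text, re.I):
        flags.append("image_only_needs_rendering_analysis")
    verdict = "hold" if len(flags) >= 2 else ("review" if flags else "deliver")
    return {"from_domain": from_domain, "auth": auth, "flags": flags, "verdict": verdict}

# Constructed sample: internal-looking sender, DMARC fail, link-free body with a QR lure.
SAMPLE_QR_LURE = b"""From: IT Helpdesk <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Scan the QR code below to re-enrol your MFA device.
--b1
Content-Type: image/png

<png bytes omitted in this constructed sample>
--b1--
"""
```

A message that passes DMARC and carries a plain link yields no flags and is delivered, so the parity comes from the checks being unconditional, not from penalising internal senders.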

Key takeaways

  • Direct Send abuse turns a trusted Microsoft delivery path into an inbox-level attack vector that bypasses some traditional email controls.
  • QR codes and CAPTCHAs make the threat harder to see, which means static inspection alone is no longer enough.
  • Security teams should verify trusted-path inspection parity, because infrastructure trust and message trust are not the same thing.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Trusted-path abuse shows why access trust and delivery trust must be validated separately.
NIST CSF 2.0 | DE.CM-7 | Behavioural detection aligns with monitoring for suspicious message and user interaction patterns.
OWASP Non-Human Identity Top 10 | NHI-10 | Trusted infrastructure abuse parallels over-trusted credential and secret handling in NHI environments.

Map trusted email delivery paths to access governance and verify inspection parity across all routes.


Key terms

  • Trusted delivery path: A trusted delivery path is a message route that downstream controls treat as lower risk because it originates from an approved platform or service. In practice, that trust can be exploited when attackers use the path itself to deliver malicious content that bypasses normal inspection.
  • Direct Send: Direct Send is a Microsoft email delivery method that can allow messages to be routed in a way that looks internal or trusted to some controls. Security teams need to understand that trusted routing does not automatically mean trusted content, especially when adversaries are abusing the path.
  • Visual payload concealment: Visual payload concealment hides malicious intent inside images, QR codes, or layered visual content that is harder for static scanners to interpret. It shifts detection away from text matching and toward rendering-aware, behavioural, or post-delivery analysis.
  • Inspection parity: Inspection parity is the principle that all delivery paths should receive equivalent security scrutiny unless a justified exception exists. When trusted infrastructure receives weaker inspection than external mail, attackers can exploit the blind spot without needing to compromise accounts.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Microsoft 365 Direct Send Abuse: When Trusted Infrastructure Turns Malicious. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org