If you are using the Direct Send feature, or if your tenant is old (which means Direct Send is still enabled by default), your tenant is exposed to internal-address spoofing.
WAIT WHAT???
Yes, attackers are now targeting tenants to send email through Direct Send without authentication, spoofing internal addresses and bypassing security controls. Because the messages appear to come from inside the organization, the phishing lures are far more believable. Attackers spoof internal address formats, submit the messages with PowerShell scripts, and side-step the SPF, DKIM and DMARC checks that would normally catch a forged external sender. They pair this with convincing business-themed lures and malicious attachments, often PDFs with QR codes that lead to credential-harvesting pages.
So around April Microsoft made this announcement: Introducing more control over Direct Send in Exchange Online.
The announcement states that a report is coming, but it isn't ready yet... So what did I do? I wrote one. You can download it from my GitHub here.
This PowerShell script produces a report that gives you:
Visibility: Track every anonymous SMTP send from your own domains.
Performance: Auto-slice up to 30 days of logs into 6-hour windows.
Live Feedback: Real-time progress bars, ETA, and per-window counts.
Self-Healing: Splits any failing window in half (down to 1h) and retries.
Clean Data: Filters on "Protocol":"SMTP" and "ClientIP", and safely parses the AuditData JSON.
Dual Export: CSV for Excel fans and a slick, sortable HTML report.
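The "Clean Data" and "Dual Export" steps, as an added example that is not the author's Get-DirectSendReport.ps1: it parses the AuditData JSON of audit records, keeps only anonymous SMTP sends, summarises them per sender and client IP, and writes CSV and HTML. The records are constructed inline so it runs offline; only the Protocol and ClientIP fields come from the post's filter, while UserId, CreationTime and Item.Subject are assumed field names to adapt to what your tenant's records actually contain.

```powershell
# Added example, not the author's script: the "Clean Data" and "Dual Export" steps on
# constructed records. Only Protocol and ClientIP come from the post's filter; UserId,
# CreationTime and Item.Subject are assumed field names.

function ConvertTo-DirectSendEvent {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; a malformed record must not abort the whole run
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Skipping record with unparsable AuditData"; return }

        # Keep only anonymous SMTP submissions: Protocol SMTP and a ClientIP present
        if ($data.Protocol -ne 'SMTP' -or [string]::IsNullOrWhiteSpace($data.ClientIP)) { return }

        [pscustomobject]@{
            Time     = [datetime]$data.CreationTime
            Sender   = $data.UserId
            ClientIP = $data.ClientIP
            Subject  = $data.Item.Subject
        }
    }
}

function Get-DirectSendSummary {
    param([Parameter(Mandatory)] $Records)
    $Records | ConvertTo-DirectSendEvent |
        Group-Object Sender, ClientIP |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                Sender   = $sorted[0].Sender
                ClientIP = $sorted[0].ClientIP
                Count    = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
            }
        } | Sort-Object Count -Descending
}

# Constructed sample records mimicking Search-UnifiedAuditLog output (AuditData as JSON).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real senders.
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-06-01T08:12:03","Operation":"Send","UserId":"finance@contoso.com","ClientIP":"203.0.113.10","Protocol":"SMTP","Item":{"Subject":"Invoice 4471"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-06-01T08:15:41","Operation":"Send","UserId":"finance@contoso.com","ClientIP":"203.0.113.10","Protocol":"SMTP","Item":{"Subject":"Invoice 4472 - action required"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-06-01T09:02:17","Operation":"Send","UserId":"scanner@contoso.com","ClientIP":"198.51.100.7","Protocol":"SMTP","Item":{"Subject":"Scanned document"}}' }
    # Authenticated client send with no SMTP protocol: filtered out
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-06-01T09:30:00","Operation":"Send","UserId":"alice@contoso.com","ClientIP":"192.0.2.44","Protocol":"HTTP","Item":{"Subject":"Lunch?"}}' }
    # Truncated JSON: the parser warns and skips instead of crashing the run
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-06-01T09:45:00","Operation":"Send"' }
)

$summary = Get-DirectSendSummary -Records $sampleRecords
$summary | Format-Table -AutoSize

# Dual export: CSV for Excel, static HTML for a quick shareable view
$summary | Export-Csv -Path .\DirectSend-Summary.csv -NoTypeInformation
$summary | ConvertTo-Html -Title 'Direct Send report' -PreContent '<h2>Anonymous SMTP sends by sender and client IP</h2>' |
    Set-Content -Path .\DirectSend-Summary.html
```

With the constructed records this yields two rows: finance@contoso.com from 203.0.113.10 (Count 2) and scanner@contoso.com from 198.51.100.7 (Count 1); the HTTP send and the broken record are dropped. Against a real tenant, feed it the objects returned by Search-UnifiedAuditLog instead of $sampleRecords and check the real AuditData field names first.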
Quick Start
# Last 7 days in 6h windows
.\Get-DirectSendReport.ps1 -DaysBack 7
# Custom 3-day range, 12h windows
.\Get-DirectSendReport.ps1 `
-StartDate (Get-Date).AddDays(-3) `
-EndDate (Get-Date) `
-WindowHours 12
Under the Hood
function FetchWindow($s, $e) {
    try {
        # One query per window. Note that -ResultSize 5000 is the cmdlet's page cap:
        # a window with more than 5000 events is truncated, not failed, so keep
        # windows small enough that they stay well under the cap.
        return Search-UnifiedAuditLog -StartDate $s -EndDate $e `
            -Operations Send -ResultSize 5000 -ErrorAction Stop
    } catch {
        # Give up on windows of 1h or less; otherwise split in half and retry both halves
        if ((($e - $s).TotalHours) -le 1) { return @() }
        $mid = [datetime][long](($s.Ticks + $e.Ticks) / 2)
        # Wrap in @() so a single-result half is concatenated as an array, not unrolled
        return @(FetchWindow $s $mid) + @(FetchWindow $mid $e)
    }
}
The output is written to CSV and HTML so you can easily see what is being sent through Direct Send. If nothing legitimate shows up (multifunction printers, scanners and line-of-business applications are the usual legitimate users), my recommendation is to turn it off.
This is done by connecting to Exchange Online with the Exchange Online PowerShell module and running the following command:
Set-OrganizationConfig -RejectDirectSend $true
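A small wrapper around that command, added here as an example rather than taken from the post: it reads the current value, changes it only when it differs from what you asked for, supports -WhatIf for a dry run, and reads the setting back instead of trusting the call. It assumes the ExchangeOnlineManagement module and that Get-OrganizationConfig exposes a RejectDirectSend property as the counterpart of the Set-OrganizationConfig parameter shown above.

```powershell
# Added example, not from the post: check, change and verify the Direct Send setting.
# Assumes ExchangeOnlineManagement is installed and that Get-OrganizationConfig
# exposes RejectDirectSend (counterpart of the Set-OrganizationConfig parameter).

function Set-DirectSendState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true rejects anonymous Direct Send; $false restores the default behaviour
        [Parameter(Mandatory)] [bool] $Reject
    )

    $before = [bool](Get-OrganizationConfig).RejectDirectSend
    Write-Host "RejectDirectSend before: $before"

    if ($before -eq $Reject) {
        Write-Host "Already in the requested state; nothing to do"
        return $before
    }

    if ($PSCmdlet.ShouldProcess('Organization config', "Set RejectDirectSend to $Reject")) {
        Set-OrganizationConfig -RejectDirectSend $Reject
        # Read back rather than trusting the call; tenant config changes can take
        # a little while to propagate, so a mismatch here is a prompt to re-check
        $after = [bool](Get-OrganizationConfig).RejectDirectSend
        Write-Host "RejectDirectSend after:  $after"
        if ($after -ne $Reject) { Write-Warning "Value has not changed yet; re-check shortly" }
        return $after
    }
    return $before
}

# Usage: run the report first and confirm nothing legitimate relies on Direct Send, then
Connect-ExchangeOnline
Set-DirectSendState -Reject $true -WhatIf   # dry run: prints what would change
Set-DirectSendState -Reject $true           # reject anonymous Direct Send
```

Run the -WhatIf form first in a change window; if a printer or application turns out to depend on Direct Send, the same function with -Reject $false puts the tenant back while you migrate that sender to SMTP AUTH or a connector.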