Direct Send Phishing Attacks Bypass MFA and Trick Employees

Phishing has reached new levels of sophistication, folks. By abusing Microsoft’s Direct Send feature alongside a web development tool known as Axios, hackers are bypassing traditional security measures and stealing sensitive company data.

The scary part? Both of these tools are totally legitimate. They’re meant to make business run smoothly, but when misused, they become almost invisible weapons for attackers.

In this blog, we’ll break down how a new attack combining both Direct Send and Axios works and how your business can defend against it.

What Are Direct Send and Axios

Direct Send is a built-in feature of Microsoft 365. It allows devices and applications to send emails inside your company without requiring a username, password, or license. Convenient for printers or internal apps, but dangerous if abused. Attackers can use it to send emails that look like they’re coming from inside your organization.

Axios is a legitimate JavaScript library that web applications use to send and fetch data over HTTP – for example, to submit a form or load information. It is safe when used as intended, but attackers can turn it into a relay that captures login details in real time.

The Hack

First, the attacker sends a seemingly harmless message that contains a PDF. Inside that PDF is a QR code that, when scanned, takes the victim to a fake Microsoft Outlook login page. When the victim enters their credentials, the fake page captures both the username and the password. Normally, multi-factor authentication (MFA) would stop the attack from going any further by asking for a one-time code, but with Axios relaying the login in real time, attackers can grab that code too.

Think of it like someone dropping an official-looking letter into your mailbox. But this letter secretly copies your house key and forwards all your mail before you even notice. And this stuff is super effective. When paired with Axios abuse, these attacks have a 70% success rate.


What Makes This Dangerous

Unlike typical phishing emails, this campaign doesn’t just rely on distracted employees clicking on the wrong links. It abuses trusted Microsoft features and real-time interception tools. That makes it much harder to detect and stop – especially since MFA alone won’t protect you in this case.

How to Stay Safe

Direct Send attacks are difficult to detect and highly dangerous, but they can be mitigated. Here’s how:

  • Lock down Direct Send: Ask your IT team to lock down the Direct Send function in Microsoft 365, or turn it off entirely if it’s not needed.
  • Train your team: Regular awareness training will help your employees recognize suspicious files and avoid falling for scams. Some studies show that ongoing training can reduce the risk of phishing by up to 90%.
  • Stay alert: Be cautious about unexpected or unknown attachments, especially PDFs. By staying cautious, you can lower
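For the first item, here is an added example of how an IT team could audit and apply the lock-down in Exchange Online PowerShell. It is not code from the original post; it assumes the ExchangeOnlineManagement module is installed and that the tenant exposes the RejectDirectSend organization setting, and the -Enforce switch is a name chosen for this script.

```powershell
# Added example: audit (default) or enforce the Direct Send lock-down.
# Assumes the ExchangeOnlineManagement module and an admin account.
function Invoke-DirectSendLockdown {
    param([switch]$Enforce)

    Connect-ExchangeOnline -ShowBanner:$false

    # Read the current organization-wide setting.
    $config = Get-OrganizationConfig
    Write-Host "RejectDirectSend currently: $($config.RejectDirectSend)"

    if (-not $Enforce) {
        Write-Host "Audit mode only. Re-run with -Enforce to reject Direct Send."
        return $config.RejectDirectSend
    }

    # Caveat: printers and internal apps that still rely on Direct Send
    # will stop delivering once this is on. Move them to an authenticated
    # method (e.g. SMTP AUTH client submission) before enforcing.
    Set-OrganizationConfig -RejectDirectSend $true

    # Confirm the change took effect.
    $after = (Get-OrganizationConfig).RejectDirectSend
    Write-Host "RejectDirectSend now: $after"
    return $after
}

# Run in audit mode first; add -Enforce once legitimate senders are migrated.
Invoke-DirectSendLockdown
```

Run the audit first and inventory every device that sends through Direct Send before enforcing, since the setting applies to the whole tenant.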


Moral of the Story

Phishing is evolving fast. It’s no longer just about careless clicks. By exploiting legitimate tools and trusted features, Direct Send attacks and Axios abuse can sidestep MFA and steal data right from under your nose.

Implementing phishing security is more important than ever, and the best defense is a well-trained and informed team that recognizes phishing attempts before they do harm.

How an MSP Keeps You Safe

Security threats are getting more complex by the day. And when even MFA can be bypassed, you need experts on your side who don’t just keep up, but actively stay ahead.

That’s where an MSP comes in. A great MSP constantly researches emerging threats and provides top-tier training to your employees. Because one of the best defenses is awareness, having an MSP that stays ahead of the curve helps keep your business as safe as possible.

At The 20 MSP, we stay plugged into the cyber threat landscape, keeping our clients informed, trained, and protected – all at a predictable flat-rate fee.

Want more tips like this?

Subscribe using the form on the right and get our latest cybersecurity insights delivered straight to your inbox.

About The 20 MSP

As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients' success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.