Microsoft 365
Hey all, got a new notification re an issue with Direct Send. Proofpoint released a cybersecurity alert 2 weeks ago, it seems. https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
We use Papercut to scan to email.
System was set up using SMTP Relay.
SPF records have been added for their public IP address and a connector in 365 has been added to allow email coming from the specified public IP.
Am I covered here is basically what I'm asking, with what I have set up?
The biggest question here is where is your MX pointed at? Customers using “complex” routing, such as those leveraging Proofpoint in front of Exchange Online, are the ones at risk of this direct send abuse. If the MX points to ExO, you are already protected.
Check out the latest blog post for additional details and guidance: https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865
Hey Amit
Ta for the reply. I thought SMTP Auth that used some sort of auth in it wouldn't be considered Direct Send. Has email address and password as in needed to send an email, am I wrong in this?
@Vasil the MX records go through Mimecast, incoming and outgoing. I didn't think of this so I suppose I thought with what Proofpoint were saying, I thought it was still an issue. I didn't actually cop Proofpoint mentioning if you had their system it wouldn't be an issue. Now I might have just missed it but they might have said it. I will look at it again and what you sent.
Fact we use Mimecast I'll have to check, but I expect the rules put in place will already restrict direct send. We have to check.
Ta for the replies. Much appreciated.






@Vasil if I turn off Direct Send in 365, is there a way I can check if 365 is receiving emails using direct send? There is no inbound connector rule set up in 365 at all. All emails sent to the company are sent through the MX record pointing to Mimecast alright, but this direct send bypasses the MX record, that is what I'm getting from this all.
Would like to know if I'd be stopping legit emails coming in, if I can run some sort of report on it to check before I just turned off direct send!
I disabled it. Using Set-OrganizationConfig -RejectDirectSend $true
Refer: https://www.varonis.com/blog/direct-send-exploit
SMTP Auth perfect, thought I was losing it there.
So MX records don't come into this then at all. So min I'd need some sort of connector rule in 365 to, well, only accept emails coming from Mimecast systems.
Or turn off Direct Send, this does seem like the easier option.
Me turning off Direct Send though, this from my understanding wouldn't cause an issue for Papercut and the SMTP relay setup?
It's as you've said, anyone can really just use that setting to try and relay emails/direct send through to an internal user really, using, as Microsoft call it, the endpoint. Be the default MX records I suppose for 365 if not using the likes of a Mimecast for example?
Sorry, just really trying to make sure I understand correctly.

The blog post I linked to above shows how you can check whether your tenant receives messages via Direct send, and what methods you can use to restrict that if needed. The recommended solution would be to drop any such messages, unless they are coming from a connector configured for the third-party service (i.e. Mimecast in your case). Without such connector, you are exposed.
The article above also discusses some alternatives. Make sure to also read the comments, where many common questions are addressed.
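Added example, not written by any poster in this thread and not taken from the linked articles: one way to answer the "what would I be stopping" question before enabling the reject setting is to export a message trace and list inbound mail that claims your own domain but was not attributed to any inbound connector. The column names, sample rows, connector name and domain are constructed assumptions, as is the premise that connector-attributed mail (such as a scanner relay) is left alone by the setting.

```python
import csv
import io

# Constructed sample rows, not real tenant data. Column names are assumptions
# modelled on a message trace export; adjust them to match your report.
SAMPLE_TRACE = """\
sender_address,recipient_address,directionality,connector_id,original_client_ip
scanner@contoso.example,alice@contoso.example,Incoming,Papercut SMTP relay,203.0.113.10
ceo@contoso.example,bob@contoso.example,Incoming,,198.51.100.77
partner@fabrikam.example,alice@contoso.example,Incoming,,192.0.2.44
newsletter@contoso.example,carol@contoso.example,Incoming,,198.51.100.90
bob@contoso.example,partner@fabrikam.example,Outgoing,,
"""


def find_unattributed(trace_csv, accepted_domains):
    """Return inbound rows whose sender uses one of our accepted domains
    but which were not attributed to any inbound connector."""
    accepted = {d.lower() for d in accepted_domains}
    hits = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["directionality"].strip().lower() != "incoming":
            continue
        sender_domain = row["sender_address"].rpartition("@")[2].strip().lower()
        if sender_domain not in accepted:
            continue  # external sender: ordinary inbound mail, out of scope here
        if row["connector_id"].strip():
            continue  # attributed to a connector (e.g. the scanner relay)
        hits.append(row)
    return hits


def summarize_by_source(hits):
    """Count flagged messages per source IP so each source can be reviewed
    as a legitimate device/service or as spoofed internal mail."""
    counts = {}
    for row in hits:
        ip = row["original_client_ip"].strip() or "unknown"
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unattributed(SAMPLE_TRACE, ["contoso.example"])
    for ip, n in sorted(summarize_by_source(flagged).items()):
        print(f"{ip}\t{n} message(s) from own domain with no connector")
```

Each source IP in the summary is either a legitimate sender that needs a connector before the setting is enabled, or spoofed internal mail that the setting is meant to reject.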
I've seen that turning off direct send can block OOO from 365 and notifications from 365 also. You have that issue at all, guys?





