António Soeiro

Even though Microsoft provided a PowerShell command in April 2025 to disable the SMTP DirectSend feature in Exchange Online, we are still seeing attackers successfully reach the inbox for organizations that do not have their DMARC DNS Record set to Reject or Quarantine. According to public DNS, 30% of the Fortune 500 are vulnerable. Small to Medium orgs are even more likely to be exposed. It is recommended to perform threat hunting to identify these emails. Here is KQL we used to successfully detect DirectSend Phishing in Microsoft Defender XDR or Microsoft Sentinel (https://t.co/YDnPaiAZMr) EmailEvents |where Timestamp > ago(30d) | where EmailDirection == “Inbound” | extend LeftPartSender = substring(SenderFromAddress, 0, indexof(SenderFromAddress, “@”)) | extend LeftPartRecipient = substring(RecipientEmailAddress, 0, indexof(RecipientEmailAddress, “@”)) | where LeftPartSender == LeftPartRecipient | where isempty(Connectors) // not coming in on a connector | where DeliveryLocation == “Inbox/folder” | where parse_json(AuthenticationDetails) contains “fail” | project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId, EmailDirection, Connectors, SenderIPv4 Threat hunting on the EmailEvents table requires the Microsoft Defender for Office P2 license. Otherwise, follow the MSFT reference links below for syntax on Historical Message Trace. One of the easiest ways to detect DirectSend is when the sender and recipient are identical (which is typically unusual). We have observed cases where using an exact match of sender and recipient domain name does not detect all results. In some cases the sender domain is a MOERA domain ([email protected]) and they use a different alias on the same mailbox for the recipient address (such as the primary SMTP alias). We suspect this was done to evade the exact == comparison, so we updated the query above to look for the alias matching instead of domain matching (this resulted in finding additional results). If you get too many results, try adding this where clause before the last project statement to reduce results: | where Subject has_any ( 'Pay Raise', 'Strategic Organizational Restructuring', 'Bonus Disbursement', 'Bonus Distribution', 'Merit-Based Pay', 'Compensation Bonus', 'Compensation Review', 'Wage Increase', 'Wages Increase', 'Incentive') References: https://t.co/bfm4CI3Zqh https://t.co/LBYHhUIbws https://t.co/f3TFxu7Qfs If you don't have a valid use of DirectSend you can disable it with this Exchange Online PowerShell cmdlet: Set-OrganizationConfig -RejectDirectSend $true

The Hidden Risk of Outsourcing Cybersecurity to MSSPs: Organizations face an ever-growing array of cyber threats. To combat these, many businesses turn to Managed Security Service Providers (MSSPs) for their cybersecurity needs, entrusting these external entities with the critical task of safeguarding their networks. However, there's a growing concern that this outsourcing trend, while seemingly convenient, may actually be putting companies at greater risk. One of the primary issues is that many MSSPs prioritize their profits over their clients' security. They typically have investors that seek high returns and mandate a private equity type return on investment. Moreover, some MSSPs operate with a reactive mindset, focusing more on incident response rather than proactive threat detection and prevention. This approach can lead to a false sense of security, where organizations believe they are protected because they have an MSSP in place, only to discover the MSSP has earned even more money after the breach has occurred. Another concerning aspect is the sheer volume of clients that MSSPs manage. With a large client base, it's challenging for these providers to give each organization the attention and care needed to maintain a robust security posture. As a result, businesses may find themselves as just another number in a long list of clients, receiving minimal engagement and support. Ultimately, the reliance on MSSPs can create a dangerous disconnect between the organization's security goals and the service provider's business objectives. While MSSPs are essential in offering specialized expertise, companies must carefully vet these providers, ensuring that they truly align with their security needs. Organizations should also maintain some level of internal security oversight, fostering a collaborative relationship with their MSSP rather than a completely hands-off approach.

Table Top Scenario: An employee buys a new personal laptop with Copilot+ Recall. User logs into a company approved portal secured with MFA and a VDI session to work on a highly confidential project that involves PII. Recall is on and taking screenshots of the employees productivity. A few weeks later the employees personal device is stolen. The laptop hard disk was never encrypted. Feel free to discuss.