Direct Send in Exchange Online: How to safeguard your outbound email traffic

Direct Send in Exchange Online: How to safeguard your outbound email traffic

Users have long been familiar with Exchange Online’s “Direct Send” option. In our customer projects, however, we have recently noted an increase in configurations that allow for unintended or undesirable mail flows.

Setups established over time often remain unchanged for extended periods, posing risks regarding security, compliance, and control. Companies using Exchange Online within their email infrastructures are therefore strongly advised to carefully review their current configurations.

What is “Direct Send”?

The Direct Send option makes it possible for systems within a Microsoft 365 environment to send emails directly through Exchange Online without requiring SMTP authentication. The option was originally intended for multifunction devices, applications or other internal systems.

Depending on the architecture and specific Microsoft 365 settings, however, Direct Send can lead to messages bypassing the intended email flow. In other words, you may lose control over your email traffic at this point.

How to reduce the risk in just a few steps

In our experience, the following measures have proven particularly effective:

1. Review and limit the use of Direct Send

First, check whether Direct Send is required in your environment. In many organizations, the feature was enabled at some stage in the past but is no longer actively used. If possible, it should be restricted or disabled entirely.

2. Tag messages clearly

One effective approach would be to mark all legitimate messages within Exchange Online with a specially modified header which can then be verified before the message is sent.

To achieve this, a transport rule can be used to add a “secret” value to the header. A downstream policy rule then checks whether the correct value is present. Messages lacking the modified header can initially be screened and, if necessary, blocked or forwarded separately based on previously defined rules.

3. Alternatively, check the Microsoft tenant ID

One alternative to verifying the header involves using the Microsoft tenant ID contained in the Exchange header as an authentication key.

In this scenario, outbound emails are checked to ensure that they contain the expected tenant identifier. Depending on security requirements, emails that fail this check can be monitored, blocked, or forwarded.

4. First ensure transparency

Prior to resorting to such drastic measures, it would be advisable to start by monitoring any messages that may be impacted.

This can be accomplished, for instance, by setting up a policy rule that initially forwards suspicious messages via blind carbon copy (BCC) to a dedicated inbox. In this way, it is possible to determine whether and to which extent direct-send messages are in fact being sent, without disrupting regular operations.

Once sufficient data has been gathered through monitoring, the rules described above can be put into effect.

Enterprise email security goes beyond the gateway

The Direct Send issue demonstrates yet again that safeguarding your email infrastructure goes far beyond conventional spam and malware filters. Especially when it comes to hybrid and cloud-based enterprise environments, it is also essential to ensure an uninterrupted, controlled email flow.

In addition to regularly reviewing their Direct Send settings, companies should also continuously review their overall Exchange Online configuration to ensure that only authorized messages can use the defined communication paths.

The Direct Send issue is just one of many ongoing discussions concerning Exchange Online. Another recent example is the ghost sender issue, which can likewise lead to unwanted mail flows under certain conditions.

Professional support for complex mail flow scenarios

An expert assessment of the existing email architecture – offered, for instance, in the context of professional services – helps companies identify potential vulnerabilities early on and address them with the appropriate technical measures.

Tags: //

Submit a Comment

Your email address will not be published. Required fields are marked *