NEWS Windows Issued a Warning: Printers Are Being Used in New Hacker Attacks

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,794
Deposit
11,800$
Windows Issued a Warning: Printers Are Being Used in New Hacker Attacks
1751110843668.png

The attack has affected dozens of companies and bypassed Microsoft’s security systems.


Researchers from Varonis Threat Labs have discovered a new phishing campaign in which attackers exploit a little-known Microsoft 365 feature called Direct Send. The feature exists so that on-premises devices and applications, such as printers and scanners, can submit mail to the tenant's Exchange Online endpoint over plain SMTP without a mailbox or credentials. In this campaign it was used to spoof internal addresses and deliver phishing emails without compromising a single account.


According to Varonis, the campaign began in May 2025 and has already affected more than 70 organizations, primarily in the United States. The attacks targeted specific companies, and the emails did not raise suspicion since they appeared to be internal traffic. All incidents followed the same pattern: identical subject lines, matching sender IP addresses, and other technical similarities. Security experts have previously noted similar trends in attacks targeting Microsoft 365.


The core issue is that Direct Send accepts mail for the tenant's own domain at Microsoft's inbound mail endpoint without a password or token. To abuse it, an attacker only needs the target's domain name and one valid internal address; both are trivially gathered from open sources or guessed from common naming conventions.


In the incidents documented by Varonis, the emails were sent with PowerShell scripts. The messages posed as voicemail or fax notifications, carried a PDF containing a QR code, and led recipients to phishing pages built to harvest Microsoft 365 credentials. QR codes are an increasingly popular phishing lure because they move the link off the screen and onto a personal phone, outside corporate URL filtering. Although the messages carried no DKIM signature and failed both SPF and DMARC checks, they were still accepted by Microsoft's infrastructure and delivered to employee inboxes.


In some cases security tooling did alert on the unusual sending geolocation (Ukraine, for example), but what it flagged was mail being sent on the domain's behalf, not a login attempt, because no account was ever used. Header analysis confirmed that the messages came from external sources yet took the internal routing path, which is what let them slip past filters tuned for inbound external mail.
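That header analysis can be automated. The script below is an added example written for this post, not Varonis's or Microsoft's tooling. It assumes a tenant domain of example.com, an SPF-authorised printer subnet of 203.0.113.0/24, and two constructed message headers (one Direct Send phish, one legitimate scanner notification) whose Received and Authentication-Results lines approximate the layout Exchange Online stamps. It flags a message whose From: carries the organisation's own domain but which entered Exchange Online at the tenant's *.mail.protection.outlook.com MX from an address the SPF record does not authorise, without passing SPF or composite authentication.

```python
"""Flag the Direct Send spoofing pattern in raw message headers.

Added example (not Varonis or Microsoft code). A message is suspicious when:
  - the From: domain is the organisation's own domain, and
  - the hop that delivered it to the tenant's Exchange Online MX came from an
    IP the organisation's SPF record does not authorise, and
  - Exchange recorded spf!=pass or compauth=fail (accepted unauthenticated).
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed tenant domain
SPF_AUTHORISED = [ipaddress.ip_network("203.0.113.0/24")]  # assumed MFP subnet
EOP_MX_SUFFIX = ".mail.protection.outlook.com"       # Exchange Online inbound MX

# "from <helo> (<ipv4>) by <host>" as stamped by Exchange Online (IPv4 only).
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.I | re.S)
# spf=/dkim=/dmarc=/compauth= verdicts inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.I)


def entry_hop(msg):
    """Return (client_ip, mx_host) for the hop where the message first reached
    the tenant's Exchange Online MX, or (None, None) if there is no such hop."""
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(received)
        if m and m.group("by").lower().endswith(EOP_MX_SUFFIX):
            return m.group("ip"), m.group("by").lower()
    return None, None


def auth_results(msg):
    """Collapse Authentication-Results headers into {method: verdict}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(hdr):
            results.setdefault(method.lower(), verdict.lower())
    return results


def is_spf_authorised(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPF_AUTHORISED)


def analyse(raw):
    """Return a verdict dict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip, mx = entry_hop(msg)
    auth = auth_results(msg)
    reasons = []
    if from_domain == INTERNAL_DOMAIN and ip is not None:
        if not is_spf_authorised(ip):
            reasons.append(f"entry IP {ip} is not in the SPF allowlist")
        if auth.get("spf") != "pass":
            reasons.append(f"spf={auth.get('spf', 'missing')}")
        if auth.get("dmarc") == "fail":
            reasons.append("dmarc=fail")
        if auth.get("compauth") == "fail":
            reasons.append("compauth=fail")
    unauthorised = ip is not None and not is_spf_authorised(ip)
    auth_failed = auth.get("spf") != "pass" or auth.get("compauth") == "fail"
    suspicious = from_domain == INTERNAL_DOMAIN and unauthorised and auth_failed
    return {"from_domain": from_domain, "entry_ip": ip, "mx": mx,
            "suspicious": suspicious, "reasons": reasons}


# Constructed sample: Direct Send phish from an external VPS, From: spoofed.
PHISH = """\
Received: from AM0EUR02FT020.eop-EUR02.prod.protection.outlook.com (2603:10a6:20b:1::5)
 by AM9PR04MB8402.eurprd04.prod.outlook.com with HTTPS; Mon, 16 Jun 2025 08:12:01 +0000
Received: from mail.vps-host.example (198.51.100.23) by
 AM0EUR02FT020.mail.protection.outlook.com (10.13.54.85) with Microsoft SMTP
 Server id 15.20.8857.13; Mon, 16 Jun 2025 08:12:00 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=example.com;compauth=fail
 reason=001
From: "Voicemail Service" <voicemail@example.com>
To: alice@example.com
Subject: New voicemail from +1 555 0100
Content-Type: text/plain

A new voice message is attached as PDF.
"""

# Constructed sample: legitimate scanner on the SPF-authorised subnet.
PRINTER = """\
Received: from printer01.example.com (203.0.113.40) by
 AM0EUR02FT020.mail.protection.outlook.com (10.13.54.85) with Microsoft SMTP
 Server id 15.20.8857.13; Mon, 16 Jun 2025 09:30:15 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.40)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=example.com;compauth=pass
 reason=109
From: scanner@example.com
To: bob@example.com
Subject: Scanned document
Content-Type: text/plain

Attached scan.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("printer", PRINTER)):
        print(name, analyse(raw))
```

Run it against exported .eml files from message trace or a mailbox to build a quick triage list; the decision deliberately keys on the entry hop at the MX rather than on the top Received line, because internal Exchange hops above it all look legitimate.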


To defend against such attacks, experts recommend:


  • Disabling Direct Send if it is not strictly needed
  • Enforcing a strict DMARC policy (p=reject, or at least p=quarantine)
  • Monitoring for mail that claims an internal sender but arrived unauthenticated
  • Applying anti-spoofing policies so that external mail using your own domain is quarantined
  • Training employees on the risks of malicious attachments, especially those carrying QR codes

Properly configured SPF and DMARC are critical to preventing sender spoofing: the SPF record should list only the hosts that legitimately send as the domain and end in -all so that anything else fails rather than soft-fails. Multi-factor authentication remains essential, since the aim of the campaign is to harvest Microsoft 365 credentials that MFA would otherwise render far less useful.


Varonis emphasizes that even internal-looking emails can pose serious threats if loopholes like this are left unchecked, and states that its tools and teams can detect and neutralize such threats in real time.
 
Top Bottom