Petra Security

How Your Client Got an Email from Themself

How attackers abuse Microsoft 365 Direct Send to deliver phishing emails and steal credentials

Adithya Vellal · February 24, 2026

"I just got a weird email from myself. I definitely didn't send it. Am I hacked?"

When users report receiving an email that appears to come from their own address, IT teams usually suspect account compromise. In most of these cases, however, a review of the Entra sign-in logs and Message Trace shows no suspicious activity at all.

In these cases the user has not been compromised yet. They are being targeted by attackers trying to harvest credentials with phishing emails that look self-originated. The attackers accomplish this by abusing Microsoft 365 Direct Send to get past email filters.

Case 1: The Fake Fax Email Notification

Subject line: "New-Fax from HellmanCole received today, January 8, 2026 at 12:04:07 PM -refID: 5540768264|0f73e2202ee9efadd78c". Sender: ckennedy@hellmancole.com. Recipient: ckennedy@hellmancole.com.

A redacted email screenshot showing a fax notification appearing to come from the recipient's own address.

The lure works on the user's own reasoning. The subject line includes the company name and looks automated. The sender matches the recipient, which users explain away as system routing. The timestamp suggests urgency. When users click the link in the email, they land on a credential phishing page, and the compromise follows.

Case 2: The Fake Voicemail Notification

Subject line: "Caller left (52s VMSG) preview MSchneck-2b23948dce9298703ff0a3d96cd392ad". Sender: mschneck@kx.org. Recipient: mschneck@kx.org.

Screenshot of a voicemail notification email purporting to be a voicemail preview from the user themself.

This variant mimics an office phone system. Users receive an email purporting to be a voicemail preview from themselves, which again looks legitimate because of the internal origin and the automation context. Users click to reveal the "message" and hand over their credentials.

What Makes These Phishing Emails So Effective?

  • They appear internal, with matching sender domains and names, which helps them get past email security filters.
  • They resemble automated notifications from office infrastructure, providing plausible explanations for the self-originated appearance.
  • They convey legitimacy and urgency through company names, usernames, timestamps, and language suggesting incomplete information requiring immediate action.

How Is This Happening In the First Place?

Attackers abuse Microsoft 365 Direct Send, a feature intended for printers and legacy applications that need to relay internal mail without authenticating. It lets external attackers inject email that carries the organization's own domain and spoofs real users, and that email is delivered even though it fails the usual authentication checks. The technique has been incorporated into phishing toolkits for automated credential harvesting campaigns.

How To Respond To That Ticket

Users receiving such emails likely haven't been compromised yet but are being targeted for credential theft.

Immediate steps:

  • Review Entra sign-in logs for suspicious activity; if found, revoke sessions and reset passwords.
  • Have users delete the email.
  • Advise users that unexpected emails that appear to come from their own address are phishing attempts.
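The sign-in log review above usually comes back clean, so the quickest way to confirm what the ticket describes is the message header itself. The Python script below is an added example written for this article, not Petra's tooling or Microsoft's: it reads a raw message and flags the combination this post describes, a From address equal to the To address, the organization's own domain in the sender, and an unauthenticated first hop delivered straight to the tenant's MX endpoint. Both messages are constructed for the example; the header names (Received, Authentication-Results, X-MS-Exchange-Organization-AuthAs) are the ones Exchange Online stamps on inbound mail, but the hostnames, IP addresses and values are invented, and the exact layout in a real tenant should be checked against a real header dump.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of the "fax" lure from Case 1, as it might look after
# Microsoft 365 has stamped it. relay.example.net and 203.0.113.5 are
# placeholders (documentation range); header names are the ones Exchange
# Online emits, the values are invented for this example.
DIRECT_SEND_SAMPLE = """\
Received: from relay.example.net (203.0.113.5) by
 DM6PR01CA0001.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=hellmancole.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=hellmancole.com;
 compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: ckennedy@hellmancole.com
To: ckennedy@hellmancole.com
Subject: New-Fax from HellmanCole received today
Content-Type: text/plain

Open the attached preview to view your fax.
"""

# Constructed control: the same user genuinely mailing themself from inside
# the tenant. It authenticates, so it must not be flagged.
INTERNAL_SAMPLE = """\
Received: from DM6PR01MB0001.prod.exchangelabs.com by
 DM6PR01MB0002.prod.exchangelabs.com with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=hellmancole.com; dkim=pass (signature was verified)
 header.d=hellmancole.com;dmarc=pass action=none header.from=hellmancole.com;
 compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Internal
From: ckennedy@hellmancole.com
To: ckennedy@hellmancole.com
Subject: note to self
Content-Type: text/plain

Remember to renew the fax line contract.
"""

_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
# Topmost Received header of a Direct Send message: an outside host handing
# the message straight to the tenant's MX endpoint (*.mail.protection.outlook.com).
_FIRST_HOP = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")


def analyze_headers(raw_message: str, org_domain: str) -> dict:
    """Return Direct Send spoofing indicators for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    def header(name: str) -> str:
        # Collapse folded header lines into one line for regex matching.
        return " ".join(str(msg.get(name, "")).split())

    sender = parseaddr(header("From"))[1].lower()
    recipient = parseaddr(header("To"))[1].lower()
    auth = dict(_AUTH_RESULT.findall(header("Authentication-Results")))
    auth_as = header("X-MS-Exchange-Organization-AuthAs").lower()
    hop = _FIRST_HOP.search(header("Received"))  # first Received = last hop

    claims_org_domain = sender.endswith("@" + org_domain.lower())
    self_addressed = bool(sender) and sender == recipient
    # Direct Send relays are anonymous: SPF cannot pass for an outside IP and
    # Exchange marks the session as unauthenticated.
    unauthenticated = auth.get("spf") in {"fail", "softfail", "none"} or auth_as == "anonymous"
    external_to_mx = bool(hop) and hop.group(3).endswith("mail.protection.outlook.com")

    if claims_org_domain and unauthenticated and self_addressed:
        verdict = "likely-direct-send-spoof"
    elif claims_org_domain and unauthenticated:
        verdict = "unauthenticated-use-of-own-domain"
    else:
        verdict = "no-indicators"

    return {
        "sender": sender,
        "recipient": recipient,
        "self_addressed": self_addressed,
        "spf": auth.get("spf"),
        "dmarc": auth.get("dmarc"),
        "auth_as": auth_as,
        "first_hop_ip": hop.group(2) if hop else None,
        "external_to_mx": external_to_mx,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("fax lure", DIRECT_SEND_SAMPLE), ("note to self", INTERNAL_SAMPLE)):
        print(label, analyze_headers(sample, "hellmancole.com"))
```

Point analyze_headers at a .eml exported from the reporting user's mailbox and treat the verdict as a triage signal, not a final answer. A self-addressed message that comes back "no-indicators" because it authenticated as internal points to a different cause (a legitimate send-as, or a genuine compromise that the Entra sign-in review should then surface), while "unauthenticated-use-of-own-domain" on messages that are not self-addressed is the same relay being used to impersonate other colleagues.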

Environment-level hardening: assess whether your organization actually uses Direct Send. If it does not, turn it off with Set-OrganizationConfig -RejectDirectSend $true in Exchange Online PowerShell. If Direct Send is required, review the mail flow configuration and restrict the IP addresses allowed to relay without authentication to the smallest footprint the business needs.

Takeaway: Attackers Exploit Weaknesses Quickly & At Scale

Microsoft environments are high-value targets, and any repeatable bypass is weaponized quickly. Direct Send abuse proved effective, was folded into phishing toolkits, and is now widespread.

Microsoft environment defenders must continuously adapt to novel attacker techniques, as new methods can become mainstream within days.

See what's in your last six months of logs.

Run six months of M365 logs through Petra and get insurance-grade forensics within 48 hours. Five minutes to set up with no sales call.