Attackers rarely miss an opportunity to twist a convenient feature into a phishing tool. Exchange Online’s Direct Send is the latest example: security researchers have documented campaigns that drop fake “internal” messages straight into corporate inboxes—no credentials required. Headlines warn that these messages “bypass SPF, DKIM and DMARC,” leaving IT teams wondering whether the standard …
