Send us fan mail!

Hello to all our Cyber Squirrels! In this extra-packed episode of Discarded, host Selena Larson welcomes Proofpoint Principal Research Engineer Jason Ford for his first appearance on the show. Together, they dive into two resurging email attack techniques—Microsoft 365 Direct Send abuse and URL rewrite abuse—and why defending against them requires more than just traditional email security.

Jason explains what Direct Send is, why attackers exploit this legacy feature, and how it enables phishing campaigns that appear to originate from inside an organization. From QR code phishing kits to “to-do list” themed lures, Selena and Jason break down attack chains, share real-world examples, and highlight the red flags that indicate exploitation. They also explore how adversaries weaponize URL rewrites in redirect chains, to deliver malware and credential phishing. 

We also unpack:

•  How Direct Send works under the hood and why legacy features are a prime target
  
  
  
• Common signs in email headers that reveal Direct Send abuse
  
  
  
• The role of URL rewrites in modern phishing campaigns
  
  
  
• Why credential phishing has overtaken malware as the go-to tactic
  
  
  
• Practical steps organizations can take—including when it makes sense to disable Direct Send
  
  
  
• The importance of layered defenses, user education, and risk awareness across SaaS apps
  
  
  
• Predictions on which “old school” techniques might resurface next

This episode offers a clear, actionable look at how threat actors adapt and why everything old in cybercrime eventually becomes new again. 

Resources Mentioned:

https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing

http://www.jasonsford.com

https://github.com/jasonsford/directsendanalyzer 

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!