This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Team members in my company have started receiving odd phishing emails claiming that an employee has a voicemail waiting for them. Attached is a file that says "Outlook item" (shown below) which usually pulls up a one page document with a malicious QR code. The weird part is I am unable to find the sender as it will usually seem like it was sent from the employee themself and there is no header data available. I am looking to find out where these emails are coming from and how I can block them.
Using New Outlook on Windows for professional communication and productivity
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 36%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBC%3C/text%3E%3C/svg%3E)
It's a direct send exploit, see https://www.varonis.com/blog/direct-send-exploit
disabling direct send will resolve it.
Answer accepted by question author
It's a direct send exploit, see https://www.varonis.com/blog/direct-send-exploit
disabling direct send will resolve it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 1%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
Hello @MK
Thank you for posting your question in the Microsoft Q&A forum.
According to your description, this likely is a spoofing attack, where threat actors forge the "From" address to make emails look like they’re sent internally. The lack of header data suggests:
You can follow these suggestions to enhance your organization's security:
Check Email Authentication Setup (SPF, DKIM, DMARC)
Analyze the Phishing Email
If headers are missing, the email may be spoofed or sent via compromised third-party services.
Run a Message Trace
To identify the true source and delivery path:
Note: You need to be a Microsoft 365 admin to perform this action. If not, please contact your IT admin to know who has access to this portal.
Block the Sender or Domain
In the Microsoft 365 Security & Compliance Center:
Enable Anti-Phishing and Safe Attachments Policies
In Microsoft Defender for Office 365:
Educate and Alert Your Team
Send a company-wide alert:
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi MK,
Good day! I just wanted to follow up and check in to see if you need any further assistance. I hope everything is going smoothly on your end.
If there's anything you're still unsure about, or if new questions have come up, please don’t hesitate to reach out. I'm here to support you and happy to help with anything you might need.
Your satisfaction is important, and I want to make sure you feel confident and supported throughout the process. Just let me know how I can assist further.
Looking forward to your reply!
Hi @MK,
I hope you're doing well.
This is my second follow-up to check in and see if your issue has been resolved. I want to make sure everything is working smoothly for you. If you're still experiencing any difficulties or have encountered new challenges, please don’t hesitate to share the details—I'm here and happy to help.
In the meantime, I’ll continue monitoring other customer inquiries on the forum to ensure everyone receives timely support. If you have any updates or further questions, feel free to tag me in your reply so I can assist you more directly.
Looking forward to hearing from you soon!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 17%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
We are seeing these hit our organization too. And even through Microsoft Defender and pulling up the email ID, it actually appears to be from the user to the user with an attachment to scan a QR code. And the subject lines vary. We have not found a way to stop this from happening. We've had users change passwords, checked for rogue logins, and it still keeps happening. Defender has been flagging ones sent from an internal employee to a different employee as spam/phish properly, but the ones that are sent from themselves to themselves are getting through. And what's more, if that user forwards a copy of the email to me, defender blocks it.
We even tried to select to block all emails from the one we found in message trace assuming it was surely a spoof and it actually blocked the legit user account and no one in the company could email them anymore. So we had to unblock it. And this message seems to delete itself from the users sent items, the only way to verify that the message really was sent from the user to themselves is by doing a message trace.
Whatever this is, it's a whole different level of phish. I've submitted a ton to Microsoft for review. We've scanned for malware and spyware on every machine and found nothing to suggest an infection causing this.
Here's a list of the subject lines we've encountered so far, all have either a pdf or docx attachment with the malicious QR code:
Fwd: Caller_left_VMail*Message
Updated compensation summary is now available
Schedule and Eligibility Criteria for Bonus Disbursement
Salary & Remuneration Details Available
Hi @Jay Shel,
I understand the frustration you're facing with this issue.
When using Microsoft Defender, you'll need to wait for it to take action.
If you need further assistance, feel free to create another question on this forum. You'll receive more attention and better assistance this way, since each case might require different solution.
Or you can submit a support ticket on Contact us for deeper analysis.
Thank you for reaching out to us!
We had to enable "Reject Direct Send" on exchange via powershell in order to stop the messages from coming in. We were worried it would cause internal email problems or emailing to themselves legitimately, but we haven't encountered any problems and it's 100% resolved our scam emails from a user to themselves.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 21%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
It's happening since forever, I've seen it around 10 years ago for the first time.
Will this ever be fixed? Mail server does have the data to check if you really sent the email to yourself or not.
Hi @Boris Gavrikov,
I understand how frustration this issue can be and I'm sincerely sorry you're facing this.
To have the most accurate assistance, you can create another thread on this forum. Consider uploading your screenshots (please remove any personal information before uploading your images) for the troubleshoot progress to run easier and moderator in this forum can find solution for your problem faster.
For deeper analysis, you can submit a support ticket on Contact us. Microsoft Technical Engineer can perform a remote session to investigate the situation, verify the backend configurations, and run any necessary synchronization tools to resolve the problem.
You can also submit feedback and upvote existing requests to show demand from the community at Outlook · Community. The Product Team is in-charge of the feedback site, and they are constantly checking the comments and feedback from our customer. Many features have been developed or improved based on users' comment.