Back in Part 1, we walked through how attackers are using Microsoft 365’s Direct Send feature to spoof internal emails, making those messages look like they’re coming from a trusted domain.