Warns Misconfigured Email Routing Can Enable Internal... Microsoft

Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally.

"Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA," the Microsoft Threat Intelligence team said in a Tuesday report. "These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing."

While the attack vector is not necessarily new, the tech giant said it has witnessed a surge in the use of the tactic since May 2025 as part of opportunistic campaigns targeting a wide variety of organizations across multiple industries and verticals. This includes a campaign that has employed spoofed emails to conduct financial scams against organizations.

A successful attack could allow threat actors to siphon credentials and leverage them for follow-on activities, ranging from data theft to business email compromise (BEC).

The problem manifests primarily in scenarios where a tenant has configured a complex routing scenario and spoof protections are not strictly enforced. An example of complex routing involves pointing the mail exchanger record (MX record) to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365

This creates a security gap that attackers can exploit to send spoofed phishing messages that seem to originate from the tenant's own domain. The vast majority of phishing campaigns that leverage this approach have been found to make use of the Tycoon 2FA PhaaS kit. Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025.

PhaaS toolkits are plug-and-play platforms that allow fraudsters to create and manage phishing campaigns easily, making it accessible even for those with limited technical skills. They provide features like customizable phishing templates, infrastructure, and other tools to facilitate credential theft and circumvent multi-factor authentication using adversary-in-the-middle (AiTM) phishing.

The Windows maker said it has also spotted emails intended to trick organizations into paying bogus invoices, potentially leading to financial losses. The spoofed messages also impersonate legitimat

Source: The Hacker News