Microsoft Warns of Increased Risk of Internal Domain Phishing

  • Jan 7
  • 2 min read

Key Findings


  • Threat actors are exploiting misconfigured email routing and spoof protection to impersonate organizations' internal domains and distribute phishing emails.

  • These phishing campaigns leverage phishing-as-a-service (PhaaS) platforms like Tycoon 2FA, delivering a variety of lures related to voicemails, shared documents, HR communications, and password resets.

  • The attack vector is not new, but Microsoft has observed a surge in its usage since May 2025, targeting a wide range of organizations across multiple industries.

  • Successful attacks could allow threat actors to steal credentials and leverage them for follow-on activities, such as data theft and business email compromise (BEC).


Background


The problem primarily manifests where a tenant has a complex routing setup and spoof protections are not strictly enforced, for example when the mail exchanger (MX) record points to an on-premises Exchange environment or a third-party service (a spam filter or archiving gateway) that relays mail into Microsoft 365. Because the tenant's own domain is then expected to arrive from that relay, a forged message that takes the same path can pass as legitimate internal mail unless SPF and DMARC are actually enforced.


This creates a security gap that attackers can exploit to send spoofed phishing messages that appear to originate from the tenant's own domain. The vast majority of phishing campaigns using this approach have been found to rely on the Tycoon 2FA PhaaS kit; Microsoft blocked over 13 million malicious emails linked to it in October 2025.


Phishing-as-a-Service (PhaaS)


PhaaS toolkits are plug-and-play platforms that allow even technically unsophisticated fraudsters to create and manage phishing campaigns. They provide features like customizable phishing templates, infrastructure, and tools to facilitate credential theft and bypass multi-factor authentication using adversary-in-the-middle (AiTM) phishing.


Financial Fraud


Microsoft has also observed emails intended to trick organizations into paying bogus invoices, potentially leading to financial losses. The spoofed messages often impersonate legitimate services like DocuSign or claim to be from HR regarding salary or benefits changes.


Mitigating the Threat


To counter this risk, organizations are advised to publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy of p=reject and a Sender Policy Framework (SPF) record that ends in a hard fail (-all), and to properly configure any third-party connectors, such as spam filtering services or archiving tools, so that mail relayed through them is still subject to spoof checks rather than trusted simply because it arrives from the partner's IP range.


Tenants whose MX records point directly to Office 365 are not exposed to this attack vector. Additionally, if Direct Send is not needed, it is recommended to turn it off (Exchange Online exposes this as the Reject Direct Send organization setting) so that unauthenticated messages claiming the organization's own domains are rejected.
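As an added illustration of the DNS side of these recommendations (example code, not Microsoft's or the original post's), the following offline checker evaluates SPF and DMARC TXT record strings and flags the weak settings the article warns about: a soft-fail or permissive SPF qualifier, too many DNS-lookup mechanisms, a DMARC policy of none or quarantine, a partial pct, a lax subdomain policy, and missing aggregate reporting. The sample records are constructed; spf.protection.outlook.com is Microsoft's real SPF include, while _spf.filter.example and example.com stand in for a hypothetical third-party filter and tenant. Fetching the live records (for example with dnspython) is left to the reader so the script runs with no network access.

```python
"""Offline evaluator for the SPF hard-fail and DMARC p=reject recommendations."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "spf" or "dmarc"
    severity: str  # "ok", "warn" or "fail"
    message: str


# Mechanisms and modifiers that cost a DNS lookup under RFC 7208's limit of 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a(?:[:/]|$)|mx(?:[:/]|$))", re.I)


def check_spf(txt: str) -> list[Finding]:
    """Evaluate one SPF TXT record string; '-all' is the only real policy."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("spf", "fail", "no SPF record (v=spf1) published")]
    findings: list[Finding] = []
    # The qualifier on the trailing 'all' decides what happens to senders that
    # match nothing else: '-' hard fail, '~' soft fail, '?' neutral, '+' pass.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("spf", "warn", "no 'all' mechanism; unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "-":
            findings.append(Finding("spf", "ok", "-all: hard fail for unlisted senders"))
        elif qualifier == "~":
            findings.append(Finding("spf", "warn", "~all: soft fail only; spoofed mail is tagged, not rejected"))
        else:
            findings.append(Finding("spf", "fail", f"{qualifier}all: unlisted senders pass or are neutral"))
    # Exceeding the lookup limit yields permerror, which receivers treat as 'no SPF'.
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding("spf", "fail", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    """Evaluate one DMARC TXT record string against the p=reject recommendation."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("dmarc", "fail", "no DMARC record (v=DMARC1) published")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(Finding("dmarc", "ok", "p=reject"))
    elif policy == "quarantine":
        findings.append(Finding("dmarc", "warn", "p=quarantine: spoofed mail lands in junk rather than being rejected"))
    else:
        findings.append(Finding("dmarc", "fail", f"p={policy or 'missing'}: monitoring only, spoofed mail is delivered"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("dmarc", "warn", f"pct={pct}: policy applies to only part of the mail stream"))
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(Finding("dmarc", "warn", f"subdomain policy is {subdomain_policy or 'unset'}; spoofed subdomains are not rejected"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "warn", "no rua= address: no aggregate reports to spot spoofing attempts"))
    return findings


def is_strict(spf_txt: str, dmarc_txt: str) -> bool:
    """True only when both records meet the hard-fail / p=reject recommendation."""
    return all(f.severity == "ok" for f in check_spf(spf_txt) + check_dmarc(dmarc_txt))


# Constructed sample records for a hypothetical tenant whose MX points at a
# third-party filter (_spf.filter.example) before Microsoft 365.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.filter.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.filter.example -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(f"== {label}: strict={is_strict(spf, dmarc)}")
        for finding in check_spf(spf) + check_dmarc(dmarc):
            print(f"  [{finding.severity:4}] {finding.record}: {finding.message}")
```

The weak pair is the configuration the article describes: the relay is listed in SPF, but ~all and p=none mean a forged message taking the same route is merely tagged and then delivered, while the strict pair causes it to be rejected. Note that DMARC p=reject only bites when receivers (including your own tenant, via its connectors) actually evaluate it, which is why the connector configuration above matters as much as the DNS records.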


Sources


  • https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html

  • https://securityonline.info/microsoft-warns-of-surge-in-internal-domain-spoofing/

  • https://securityaffairs.com/186638/hacking/misconfigured-email-routing-enables-internal-spoofed-phishing.html
