Phishing attackers exploit routing scenarios and misconfigured spoofing protections to impersonate an organization’s domain and distribute emails that appear to be sent internally.
“Threat actors are leveraging this vector to deliver a variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms, such as Tycoon 2FA,” the Microsoft Threat Intelligence team said in a Tuesday report. “These include decoy messages with themes such as voicemails, shared documents, communications from human resources, password resets and expiration dates, etc., leading to credential phishing.”
While this attack vector is not necessarily new, the tech giant said it has seen a sharp increase in the use of this tactic since May 2025 as part of opportunistic campaigns targeting a wide range of organizations across multiple industries and verticals. This includes campaigns that use spoofed emails to commit financial fraud against organizations.
A successful attack can allow attackers to extract credentials and use them for subsequent activities ranging from data theft to business email compromise (BEC).
This issue primarily occurs in scenarios where tenants have configured complex routing scenarios and impersonation protection is not strictly enforced. Examples of complex routing include pointing mail exchanger records (MX records) to an on-premises Exchange environment or a third-party service before reaching Microsoft 365.
This creates a security gap that attackers can exploit to send spoofed phishing messages that appear to originate from the tenant’s own domain. The majority of phishing campaigns that utilize this approach have been found to utilize the Tycoon 2FA PhaaS kit. Microsoft announced that it blocked more than 13 million malicious emails related to this kit in October 2025.
PhaaS toolkits are plug-and-play platforms that allow fraudsters to easily create and manage phishing campaigns, making them accessible to those with limited technical skills. They provide features such as customizable phishing templates, infrastructure, and other tools to facilitate credential theft and bypass multi-factor authentication using man-in-the-middle (AiTM) phishing.
The Windows maker said it also discovered emails that tricked organizations into paying bogus invoices, which could lead to financial losses. Spoofed messages can also impersonate legitimate services, such as DocuSign, or claim to be from Human Resources regarding changes to pay or benefits.
Phishing emails that propagate financial fraud often resemble conversations between the targeted organization’s CEO, individuals requesting payment for services rendered, or a company’s accounting department. It also includes three attachments that lend a false sense of confidence to the scheme.
Fake invoices for thousands of dollars transferred to bank accounts IRS W-9 forms with the names and social security numbers of the individuals used to set up the bank accounts Fake bank letters were allegedly provided by employees of the online bank used to set up the fraudulent accounts
“They may use clickable links in the email body, QR codes in attachments, or other means to direct recipients to a phishing landing page,” it added. “Appearing to be sent from an internal email address is the most noticeable difference to end users, and in many cases the same email address[宛先]field and[差出人]used for fields. ”
To combat this risk, we recommend that organizations set up strict Domain-Based Message Authentication, Reporting, and Conformance (DMARC) rejection policies and Sender Policy Framework (SPF) hard fail policies, and appropriately configure third-party connectors such as spam filter services and archiving tools.
Note that tenants with MX records that point directly to Office 365 are not vulnerable to attack vectors. Additionally, if you don’t need to reject emails that impersonate your organization’s domain, we recommend turning off Direct Send.
Source link
