Threat actors engaging in phishing attacks are actively exploiting routing scenarios and misconfigured spoof protections to impersonate organizations’ domains and distribute emails that appear to originate from internal sources.
“Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” the Microsoft Threat Intelligence team said in a Tuesday report. “These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.”
Although the attack vector itself is not new, Microsoft said it has observed a sharp increase in its use since May 2025. During this period, threat actors launched opportunistic campaigns targeting organizations across a broad range of industries and verticals. Notably, one such campaign used spoofed emails to carry out financial scams against organizations.
A successful attack can allow threat actors to harvest credentials and use them for follow-on activity ranging from data theft to business email compromise (BEC).
Misconfigured Routing Creates a Security Gap
The issue primarily manifests when a tenant configures a complex routing scenario and fails to strictly enforce spoof protections. For example, organizations may point their mail exchanger (MX) record to an on-premises Exchange environment or a third-party service before messages reach Microsoft 365.
Consequently, this setup creates a security gap that attackers can exploit to send spoofed phishing messages that appear to originate from the tenant’s own domain. Microsoft observed that the vast majority of phishing campaigns leveraging this technique rely on the Tycoon 2FA PhaaS kit. The company said it blocked more than 13 million malicious emails associated with the kit in October 2025.
PhaaS toolkits operate as plug-and-play platforms that allow fraudsters to quickly create and manage phishing campaigns, even with limited technical expertise. These services offer customizable phishing templates, supporting infrastructure, and tools that enable credential theft and bypass multi-factor authentication through adversary-in-the-middle (AiTM) phishing techniques.
Financial Fraud and Invoice Scams
In addition, Microsoft said it has identified emails designed to trick organizations into paying fraudulent invoices, potentially resulting in significant financial losses. These spoofed messages often impersonate legitimate services such as DocuSign or claim to originate from HR departments regarding salary or benefits changes.
Phishing emails that propagate financial scams frequently mimic an ongoing conversation involving the organization's CEO, a service provider requesting payment, or the accounting department. To reinforce credibility, the messages typically include three attachments:
- A fake invoice requesting the transfer of thousands of dollars to a bank account
- An IRS W-9 form listing the name and Social Security number of the individual used to establish the bank account
- A fake bank letter allegedly issued by an employee at the online bank used to create the fraudulent account
“They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phishing landing page,” it added. “The appearance of having been sent from an internal email address is the most visible distinction to an end user, often with the same email address used in the ‘To’ and ‘From’ fields.”
Recommended Mitigations and Best Practices
To mitigate this risk, organizations should enforce strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject policies and Sender Policy Framework (SPF) hard fail configurations. Additionally, administrators should properly configure third-party connectors, including spam filtering services and email archiving tools.
Finally, Microsoft noted that tenants with MX records pointed directly to Office 365 are not exposed to this attack vector. The company also recommends disabling Direct Send when it is not required, as doing so helps reject emails that spoof the organization's domains.
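The two record-level settings recommended above (SPF hard fail and a DMARC reject policy) can be audited from a domain's published TXT records; the checker below is an added example, not code from the article or from Microsoft, and the DNS records it evaluates are constructed samples for the example rather than any real domain's. It covers only the published policy, not the connector or Direct Send configuration inside the tenant.

```python
import re

# Constructed sample TXT records (not from the article). The "weak" pair mirrors
# the misconfiguration described above; the "strict" pair is the recommended state.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-' (hard fail),
    '~' (soft fail), '?' (neutral), '+' (pass), or None if 'all' is absent."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all'
    return None


def dmarc_tags(record):
    """Parse 'tag=value' pairs of a DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_spoof_protection(spf, dmarc):
    """List gaps relative to SPF hard fail plus DMARC reject; empty means compliant."""
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier != "-":
        findings.append(f"SPF: 'all' qualifier is {qualifier!r}, expected '-' (hard fail)")
    tags = dmarc_tags(dmarc)
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy}, expected p=reject")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"DMARC: subdomain policy sp={subdomain_policy}, expected reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of mail flow")
    return findings
```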
Source: TheHackerNews