
Threat actors are abusing complex mail-routing configurations and improperly configured spoof protections to impersonate an organization's own domain, sending phishing emails that appear to originate from inside the organization, Microsoft has warned.
The Microsoft Threat Intelligence team said in a new report that threat actors have used this attack vector to deliver phishing messages built with phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA.
“These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing,” says the report.
According to the researchers, these attacks are not new, but they have been observed more often since May 2025.
Although most of the phishing campaigns Microsoft has seen using this vector are opportunistic rather than targeted, some use it to run financial scams against organizations.
What sets these campaigns apart is that the vector abuses complex routing and improperly configured spoof protections, so the phishing messages appear to have been sent internally and are therefore more likely to be trusted, Microsoft says in the report.
One example of complex routing is pointing the domain's mail exchanger (MX) record at an on-premises Exchange environment or a third-party service that then relays mail to Microsoft 365.
If spoof protections are not configured correctly for that path, a security gap opens that attackers can exploit by sending spoofed phishing messages that appear to originate from the tenant's own domain.
A successful attack could allow threat actors to siphon credentials and leverage them for follow-on activities, ranging from data theft to business email compromise.
Microsoft Threat Intelligence has also observed emails intended to trick organizations into paying fake invoices, potentially leading to financial losses.
According to the researchers, in these spoofed phishing attacks the recipient's own email address typically appears in both the “To” and “From” fields. Some attacks instead change the sender's display name to make the lure more convincing, and the “From” field can contain any valid internal email address.
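As an added example (this is not Microsoft's detection logic and not code from the report), the following Python script shows one way a mail-security team could hunt for the pattern described above: messages whose “From” claims the tenant's own domain but whose Authentication-Results headers record SPF, DMARC or composite-authentication failures, or whose “From” equals “To”. It also covers the routing case above by treating a message that arrives with no Authentication-Results at all (for example, one relayed through a gateway in front of Microsoft 365) as unauthenticated rather than internal. The tenant domain contoso.example, the sample messages, the IP addresses and every header value are constructed for the example; the DMARC helper is a separate, simplified check of whether a record asks receivers to enforce.

```python
"""Flag inbound messages whose From: claims the tenant's own domain but that
did not authenticate as internal mail. Added example, not Microsoft's detection
logic; the tenant domain, header values and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

TENANT_DOMAINS = {"contoso.example"}  # assumption: the organisation's own domains

# Verdict tokens in the form Exchange Online writes them (spf=, dkim=, dmarc=,
# compauth=); the surrounding comments and reason codes are simplified here.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.IGNORECASE)
WEAK_SPF = {"fail", "softfail", "none", "temperror", "permerror"}

# Constructed samples. Self-addressed lure, as described in the report:
SPOOFED_SAME_ADDR = """\
From: alice@contoso.example
To: alice@contoso.example
Subject: New voicemail message
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.example; dkim=none header.d=none; dmarc=fail action=none header.from=contoso.example; compauth=fail reason=000
Received: from mx-gateway.thirdparty.example (203.0.113.7) by mail.contoso.example

You have one new voicemail. Open the link to listen.
"""
# Changed display name, any valid internal address in From:
SPOOFED_HR_LURE = """\
From: HR Department <hr@contoso.example>
To: bob@contoso.example
Subject: Updated benefits document shared with you
Authentication-Results: spf=softfail (sender IP is 198.51.100.9) smtp.mailfrom=contoso.example; dkim=none header.d=none; dmarc=fail action=none header.from=contoso.example; compauth=fail reason=001

Please review the shared document before Friday.
"""
# Genuine internal mail that passed every check:
LEGIT_INTERNAL = """\
From: alice@contoso.example
To: bob@contoso.example
Subject: Lunch?
Authentication-Results: spf=pass (sender IP is 192.0.2.25) smtp.mailfrom=contoso.example; dkim=pass header.d=contoso.example; dmarc=pass action=none header.from=contoso.example; compauth=pass reason=100

Noon at the usual place?
"""
# Relayed through a gateway that added no authentication results at all:
NO_AUTH_HEADER = """\
From: it-support@contoso.example
To: bob@contoso.example
Subject: Your password expires today
Received: from relay.thirdparty.example (203.0.113.40) by mail.contoso.example

Reset your password now to avoid losing access.
"""


def auth_results(msg):
    """Collect the first spf/dkim/dmarc/compauth verdict seen in the headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for key, value in AUTH_RE.findall(header):
            results.setdefault(key.lower(), value.lower())
    return results


def classify(raw_message):
    """Return (verdict, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in TENANT_DOMAINS:
        return ("external_sender", [])  # outside this rule's scope

    auth = auth_results(msg)
    reasons = []
    if not auth:
        # No evidence of authentication is not evidence of internal origin.
        reasons.append("no_authentication_results")
    if auth.get("spf") in WEAK_SPF:
        reasons.append(f"spf={auth['spf']}")
    if auth.get("dmarc") == "fail":
        reasons.append("dmarc=fail")
    if auth.get("compauth") == "fail":
        reasons.append("compauth=fail")
    if from_addr and from_addr.lower() == to_addr.lower():
        reasons.append("from_equals_to")  # the self-addressed pattern
    if reasons:
        return ("suspected_internal_spoof", reasons)
    return ("authenticated_internal", [])


def dmarc_is_enforcing(txt_record):
    """True when a DMARC TXT record asks receivers to quarantine or reject."""
    tags = dict(part.strip().split("=", 1)
                for part in txt_record.split(";") if "=" in part)
    policy = tags.get("p", "none").strip().lower()
    return tags.get("v", "").strip().upper() == "DMARC1" and policy in {"quarantine", "reject"}


if __name__ == "__main__":
    for name, raw in [("self-addressed", SPOOFED_SAME_ADDR), ("hr lure", SPOOFED_HR_LURE),
                      ("legit", LEGIT_INTERNAL), ("no auth header", NO_AUTH_HEADER)]:
        print(f"{name:15} -> {classify(raw)}")
    print("p=none enforcing?", dmarc_is_enforcing("v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"))
```

The rule deliberately keys on the “From” domain rather than the envelope sender, because the lure the user sees is the “From” header; in production the tenant-domain list and the set of trusted connector IPs would come from the mail platform rather than a constant, and hits would be routed to quarantine review rather than printed.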
“While Microsoft detects the majority of these phishing attack attempts, organizations can further reduce risk by properly configuring spoof protections and any third-party connectors to prevent spoofed phish or scam messages sent through this attack vector from reaching inboxes,” says the report.
The vast majority of phishing campaigns that leverage this approach are using the Tycoon 2FA PhaaS kit, the Windows maker said. It blocked more than 13 million malicious emails linked to the kit in October 2025 alone.
PhaaS platforms such as Tycoon 2FA provide threat actors with a suite of capabilities, support, and ready-made lures and infrastructure to carry out phishing attacks and compromise credentials.