Microsoft’s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they’re targeting.
These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don’t point directly to Microsoft 365 and where Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) policies are permissive or misconfigured.
“Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” Microsoft said in a security blog post.
The blog noted that while the attack vector isn’t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared documents.
“Internal” routing and weak policies are at fault
The problem lies in where sender authentication is evaluated. When the MX record sends mail through an on-premises system or a third-party relay before it reaches Microsoft 365, the message arrives at Exchange Online from the relay’s IP address rather than from the original sender, so standard spoof protection checks such as SPF hard fail and strict DMARC enforcement may not be applied correctly, or may be evaluated against the wrong connecting host.
In these cases, a phishing email can arrive with the recipient’s own address in both the “To” and “From” fields, a spoofed message that appears internal at a glance. In some cases, attackers also change the display name (for example to an IT or HR team) to make the message more convincing, while the “From” address itself is set to a valid internal email address.
Combined with permissive or absent DMARC and SPF policies, these messages may bypass spam filters and land directly in users’ inboxes.
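The header pattern described above, as an added example that is not Microsoft’s code or any product’s detection logic: it parses a raw message, checks whether the From address is in the organisation’s own domain, whether it equals the recipient, whether the display name matches the mailbox, and what the receiving gateway’s Authentication-Results header says about SPF and DMARC. The domain contoso.com, the gateway name and both sample messages are constructed for the example.

```python
"""Header heuristic for 'internal-looking' spoofed mail (added example)."""
import email
from email import policy as email_policy
from email.utils import parseaddr, getaddresses

OWN_DOMAINS = {"contoso.com"}  # assumed organisation domain


def parse_auth_results(value):
    """Return {'spf': 'fail', 'dmarc': 'none', ...} from an Authentication-Results header.

    The header is 'authserv-id; method=result comment; method=result ...'.
    """
    results = {}
    if not value:
        return results
    body = value.split(";", 1)[1] if ";" in value else value  # drop authserv-id
    for clause in body.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]  # e.g. 'spf=fail'
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def assess(raw_message, own_domains=OWN_DOMAINS):
    """Flag the spoof pattern: own-domain From address that did not pass DMARC."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    if from_domain in own_domains:
        findings.append("from_in_own_domain")
    if from_addr in recipients:
        findings.append("from_equals_recipient")
    # crude display-name check: 'Jane Doe' should match mailbox 'jane.doe'
    local_part = from_addr.split("@")[0]
    normalised_name = display_name.lower().replace(" ", ".")
    if display_name and local_part and local_part not in normalised_name:
        findings.append("display_name_mismatch")
    if auth.get("spf") != "pass":
        findings.append(f"spf={auth.get('spf', 'missing')}")
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')}")

    suspicious = "from_in_own_domain" in findings and auth.get("dmarc") != "pass"
    return {"from": from_addr, "display_name": display_name, "auth": auth,
            "findings": findings, "suspicious": suspicious}


# Constructed sample: recipient's own address in From and To, IT-themed display name,
# stamped by an (assumed) gateway mx.contoso.com with SPF fail and no DMARC result.
SPOOFED = """\
Authentication-Results: mx.contoso.com; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.com; dmarc=none action=none header.from=contoso.com
From: "IT Helpdesk" <jane.doe@contoso.com>
To: jane.doe@contoso.com
Subject: Password reset required
Content-Type: text/plain

Your password expires today. Reset it via the portal.
"""

# Constructed sample of genuine internal mail that passed all checks.
LEGIT = """\
Authentication-Results: mx.contoso.com; spf=pass smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass action=none header.from=contoso.com
From: "Jane Doe" <jane.doe@contoso.com>
To: bob@contoso.com
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw))
```

The display-name check is deliberately crude; the decisive signal is an own-domain From address with no DMARC pass, which is exactly what a correctly placed spoof check at the Microsoft 365 edge would catch.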
“Phishing messages sent through this vector may be more effective as they appear to be internally sent messages,” Microsoft added in the blog. “Successful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and/or lead to loss of funds in the case of financial scams.”
Beyond credential capture, the PhaaS infrastructure can facilitate adversary-in-the-middle (AiTM) attacks that proxy the victim’s login to the real identity provider in real time and capture the resulting session cookie, which lets the attacker bypass multi-factor authentication that is not phishing resistant.
Hardening configurations can help
The disclosure emphasizes that proper configuration of mail authentication mechanisms is the most effective defense against this spoofing vector. Organizations are advised to publish a DMARC policy of p=reject and an SPF record ending in a hard fail (-all), so that unauthenticated mail claiming to be from their domains is rejected or safely quarantined rather than merely marked.
Additionally, recommendations include ensuring that any third-party connectors, such as spam filters, archiving services, or legacy mail relays, are correctly set up so that spoof checks can be calculated and enforced consistently.
Tenants with MX records pointing directly to Microsoft 365 aren’t vulnerable to this issue because Microsoft’s native spoof detection and filtering mechanisms are applied by default. For more complex mail infrastructures, Microsoft provided specific guidance on mail flow rules and authentication practices to reduce exposure and block spoofed emails before they ever reach end users’ inboxes.
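An offline linter for the three settings the guidance above turns on, as an added example rather than Microsoft’s tooling: given records already fetched from DNS (MX hosts, the SPF TXT record and the _dmarc TXT record), it reports MX hosts that are not Microsoft 365’s inbound endpoint (hosts under mail.protection.outlook.com), an SPF record without -all, and a DMARC record without p=reject. The sample records for contoso.com and the relay filter.example.net are constructed; a live version would need a DNS client such as dnspython (an assumption, not used here).

```python
"""Lint MX, SPF and DMARC records for the permissive settings the article describes."""

M365_MX_SUFFIX = ".mail.protection.outlook.com"   # Microsoft 365 inbound MX hosts


def lint_mx(mx_hosts):
    """Report MX hosts that route mail somewhere other than Microsoft 365 first."""
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    if not hosts:
        return "MX: no records"
    relays = [h for h in hosts if not h.endswith(M365_MX_SUFFIX)]
    if relays:
        return "MX: mail passes through " + ", ".join(relays) + " before Microsoft 365"
    return None


def lint_spf(spf_txt):
    """Report an SPF record whose 'all' mechanism is not a hard fail."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return "SPF: record missing or malformed"
    terms = spf_txt.split()
    # the last 'all' mechanism decides what happens to senders no other term matched
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return "SPF: no 'all' mechanism, unknown senders default to neutral"
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
    if qualifier == "-":
        return None
    names = {"+": "pass (anyone may send)", "~": "softfail", "?": "neutral"}
    return f"SPF: '{last}' gives {names[qualifier]} instead of hard fail (-all)"


def lint_dmarc(dmarc_txt):
    """Report a DMARC record that does not reject, or applies only partially."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return ["DMARC: record missing"]
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    action = tags.get("p")
    if action != "reject":
        findings.append(f"DMARC: p={action or 'missing'}, spoofed mail is not rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}, policy applied to only part of the mail")
    sub = tags.get("sp")
    if sub and sub != "reject":
        findings.append(f"DMARC: subdomain policy sp={sub}")
    return findings


def lint_domain(mx_hosts, spf_txt, dmarc_txt):
    """Combine the three checks; an empty list means nothing to fix."""
    findings = [f for f in (lint_mx(mx_hosts), lint_spf(spf_txt)) if f]
    findings.extend(lint_dmarc(dmarc_txt))
    return findings


# Constructed records: a weak setup (third-party relay in front, ~all, p=none) ...
WEAK = {
    "mx_hosts": ["mx1.filter.example.net.", "mx2.filter.example.net."],
    "spf_txt": "v=spf1 include:spf.protection.outlook.com include:filter.example.net ~all",
    "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com",
}
# ... and the hardened equivalent with MX pointing straight at Microsoft 365.
HARDENED = {
    "mx_hosts": ["contoso-com.mail.protection.outlook.com."],
    "spf_txt": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc_txt": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@contoso.com",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_domain(**cfg) or ["no findings"])
```

The MX finding is the one to read first: with a relay in front, the SPF and DMARC fixes only help if the connector from that relay into Microsoft 365 is configured so the checks are evaluated against the original sending host rather than the relay.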
Beyond mail authentication fixes, Microsoft urged organizations to harden identity defenses against AiTM phishing, which bypasses passwords by hijacking authenticated sessions. Recommended controls include phishing-resistant MFA such as FIDO2 security keys, Conditional Access enforcement, and MFA number matching; together these limit what an attacker can do with a credential or session token captured by an AiTM proxy.