{"id":6455,"date":"2026-01-07T11:49:15","date_gmt":"2026-01-07T11:49:15","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6455"},"modified":"2026-01-07T11:49:15","modified_gmt":"2026-01-07T11:49:15","slug":"microsoft-warns-of-a-surge-in-phishing-attacks-exploiting-email-routing-gaps","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6455","title":{"rendered":"Microsoft warns of a surge in phishing attacks exploiting email routing gaps"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft\u2019s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they\u2019re targeting.<\/p>\n<p>These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don\u2019t point directly to Microsoft 365 and where Domain-based Message Authentication, Reporting &amp; Conformance (<a href=\"https:\/\/www.csoonline.com\/article\/564563\/mastering-email-security-with-dmarc-spf-and-dkim.html\">DMARC<\/a>) and Sender Policy Framework (SPF) policies are permissive or misconfigured.<\/p>\n<p>\u201cThreat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as <a href=\"https:\/\/www.csoonline.com\/article\/4100393\/hybrid-2fa-phishing-kits-are-making-attacks-harder-to-detect.html\">Tycoon 2FA<\/a>,\u201d Microsoft said in a security blog post.<\/p>\n<p>The blog noted that while the attack vector isn\u2019t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared 
documents.<\/p>\n<h2 class=\"wp-block-heading\">\u201cInternal\u201d routing and weak policies are at fault<\/h2>\n<p>The fault is with how receiving mail servers interpret incoming messages. When MX records lead to complex mail paths, such as on-premises systems or third-party relays before Microsoft 365, standard spoof protection checks like SPF hard-fail and strict DMARC enforcement may not be applied correctly.<\/p>\n<p>In these cases, a phishing email can arrive with the recipient\u2019s own address in both the \u201cTo\u201d and \u201cFrom\u201d fields, a spoofed message that appears internal at a glance. In some cases, attackers change the sender name to make the message appear more convincing, while the \u201cFrom\u201d field is set to a valid internal email address.<\/p>\n<p>Combined with permissive or absent DMARC and SPF policies, these messages may bypass spam filters and land directly in users\u2019 inboxes.<\/p>\n<p>\u201cPhishing messages sent through this vector may be more effective as they appear to be internally sent messages,\u201d Microsoft added in the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/01\/06\/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains\/\">blog<\/a>. 
\u201cSuccessful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and\/or lead to loss of funds in the case of financial scams.\u201d<\/p>\n<p>Beyond credential capture, the PhaaS infrastructure can facilitate adversary-in-the-middle (AiTM) attacks that relay authentication information in real time and may even circumvent multi-factor authentication protections.<\/p>\n<h2 class=\"wp-block-heading\">Hardening configurations can help<\/h2>\n<p>The disclosure emphasizes that proper configuration of mail authentication mechanisms is the most effective defense against this spoofing vector. Organizations are advised to adopt strict DMARC reject policies and <a href=\"https:\/\/www.csoonline.com\/article\/564563\/mastering-email-security-with-dmarc-spf-and-dkim.html\">enforce<\/a> SPF hard fails so that unauthenticated mail claiming to be from their domains is rejected or safely quarantined.<\/p>\n<p>Additionally, recommendations include ensuring that any third-party connectors, such as spam filters, archiving services, or legacy mail relays, are correctly set up so that spoof checks can be calculated and enforced consistently.<\/p>\n<p>Tenants with MX records pointing directly to Microsoft 365 aren\u2019t vulnerable to this issue because Microsoft\u2019s native spoof detection and filtering mechanisms are applied by default. For more complex mail infrastructures, Microsoft provided specific guidance on mail flow <a href=\"https:\/\/learn.microsoft.com\/en-in\/exchange\/security-and-compliance\/mail-flow-rules\/mail-flow-rules\">rules<\/a> and authentication practices to reduce exposure and block spoofed emails before they ever reach end users\u2019 inboxes. 
<\/p>\n<p>Beyond mail authentication fixes, Microsoft urged organizations to harden identity defenses against AiTM phishing, which bypasses passwords by hijacking authenticated sessions. Recommended controls include phishing-resistant MFA such as FIDO2 security keys, Conditional Access enforcement, and protection like MFA number matching to limit the impact of stolen tokens.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft\u2019s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they\u2019re targeting. These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don\u2019t point directly to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6456,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6455","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6455"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6455"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6455\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6456"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?r
est_route=%2Fwp%2Fv2%2Fmedia&parent=6455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}