Microsoft Alerts Organizations to Phishing Scams Exploiting Email Routing Flaws
- John Jordan
- 1 day ago
Microsoft has issued a warning about a significant increase in phishing attacks that exploit misconfigurations in email routing and spoofing protections. These attacks allow threat actors to send emails that appear to originate from within an organization, leading to credential theft and potential business email compromise (BEC) or financial scams. The tactic has seen a surge since May 2025, impacting various industries.
Key Takeaways
Threat actors are exploiting complex email routing scenarios and weak spoof protection.
Phishing emails appear to be sent internally, increasing their effectiveness.
The Tycoon 2FA phishing-as-a-service (PhaaS) platform is frequently used.
Attacks aim to steal credentials, leading to data theft, BEC, or financial loss.
Proper configuration of DMARC, SPF, and third-party connectors is crucial for defense.
Exploiting Email Routing Gaps
The primary vulnerability lies in organizations with complex email routing setups where mail exchanger (MX) records do not point directly to Microsoft 365. Instead, mail may be routed through on-premises systems or third-party services before reaching Microsoft 365. In these scenarios, standard spoof protection checks might not be applied effectively, allowing attackers to craft emails that appear to come from the organization's own domain.
These spoofed emails often mimic internal communications, such as voicemails, shared documents, HR notices, or password reset requests. A common tactic involves using the same email address in both the 'To' and 'From' fields, making the message seem legitimate at first glance. The use of PhaaS platforms like Tycoon 2FA simplifies the creation and management of these campaigns, even for less technically skilled attackers.
Financial Scams and Direct Send Abuse
Beyond credential harvesting, these attacks are also being used for financial scams. Threat actors may impersonate CEOs, accounting departments, or suppliers, sending fake invoices, W-9 forms, and bank letters to trick recipients into wiring funds to fraudulent accounts. The urgency often conveyed in these messages pressures victims into acting quickly.
Furthermore, a feature known as "Direct Send" in Microsoft 365 is being abused. This feature allows on-premises devices or services to send emails through a tenant's smart host as if they originated internally. Because it doesn't require authentication, it can be exploited by remote users to send internal-looking emails, bypassing standard security checks like SPF, DKIM, and DMARC. Microsoft has acknowledged this risk and is working on deprecating the feature, while also offering a "Reject Direct Send" setting for administrators.
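The two spoofing signals described above (an own-domain From address that did not pass authentication, and the From and To fields carrying the same address) can be checked on inbound mail before it reaches a user. The following is an added example for mail-filter or SOC triage, not Microsoft's code or any vendor's tooling; the organization domain and the two sample messages are constructed for illustration, and the check reads only the Authentication-Results header added by the receiving edge.

```python
"""Triage inbound messages for internal-looking spoofing (added example).

Two indicators from the article are applied to raw message text:
  1. the From address uses the organization's own domain but the message
     passed neither SPF nor DKIM (or DMARC failed) at the receiving edge;
  2. the From and To headers carry the same address.
ORG_DOMAIN and the sample messages are constructed, not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # constructed: the defended tenant's domain

# Constructed sample: own-domain sender, no authentication pass, From == To.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: New voicemail received

You have a new voicemail. Open the attached document to listen.
"""

# Constructed sample: own-domain sender that authenticated normally.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: hr@example.com
To: alice@example.com
Subject: Benefits enrollment reminder

Enrollment closes Friday.
"""


def _auth_results(msg):
    """Parse 'method=result' pairs for spf, dkim and dmarc from the first
    Authentication-Results header (the one stamped by the receiving edge)."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results.setdefault(method.lower(), result.lower())
    return results


def triage(raw):
    """Return the list of reasons a message looks like own-domain spoofing.

    An empty list means no indicator fired. Messages whose From domain is
    not ORG_DOMAIN are out of scope for this particular check.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []
    if from_domain != ORG_DOMAIN:
        return reasons
    auth = _auth_results(msg)
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("own-domain From without SPF or DKIM pass")
    if auth.get("dmarc") in ("fail", "none"):
        reasons.append(f"dmarc={auth['dmarc']} for own domain")
    if from_addr and from_addr.lower() == to_addr.lower():
        reasons.append("From and To are the same address")
    return reasons


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", triage(sample) or "no indicators")
```

The check deliberately trusts only the edge's own Authentication-Results header; a message relayed through an on-premises gateway or third-party filter may carry additional headers it stamped, which is exactly the routing situation the article describes, so the first header seen by the tenant's edge is the one to evaluate.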
Recommended Defenses
Microsoft and security researchers advise organizations to implement robust email security measures. Key recommendations include:
Strict DMARC Policies: Enforce DMARC reject policies (p=reject).
SPF Hard Fail: Configure Sender Policy Framework (SPF) to hard fail (-all).
Third-Party Connector Configuration: Ensure all third-party connectors (spam filters, archiving tools) are correctly configured.
Direct Send Management: Disable Direct Send if it is not necessary for the organization.
Employee Training: Educate users about recognizing phishing attempts, including those involving QR codes or urgent financial requests.
Advanced Identity Protection: Implement phishing-resistant multi-factor authentication (MFA) and Conditional Access policies to mitigate the impact of stolen credentials.
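The first two recommendations (DMARC p=reject and SPF -all) are DNS TXT records that can be audited mechanically. The following is an added example, not a Microsoft tool: it parses SPF and DMARC record text and reports where each falls short of the recommendation. The record strings are constructed; in practice the values would come from TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Audit SPF and DMARC record text against the recommended settings
(added example). The four records below are constructed; a live check
would resolve the TXT records for <domain> and _dmarc.<domain> and pass
the strings in unchanged.
"""
import re

# Constructed records: a weak and a corrected version of each.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

_ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def check_spf(record):
    """Return findings for an SPF record; empty means it ends in a hard fail."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if _ALL_TERM.match(t)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get no verdict")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier != "-":
            findings.append(f"'{term}' is not a hard fail; use -all")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; empty means p=reject with full
    coverage and aggregate reporting."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: recommendation is p=reject")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for name, rec in (("weak SPF", WEAK_SPF), ("strict SPF", STRICT_SPF)):
        print(name, "->", check_spf(rec) or "ok")
    for name, rec in (("weak DMARC", WEAK_DMARC), ("strict DMARC", STRICT_DMARC)):
        print(name, "->", check_dmarc(rec) or "ok")
```

A record that passes both checks only covers the domain's published policy; the third-party connector and Direct Send items in the list above are tenant-side settings and need to be reviewed separately.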
Organizations with MX records pointing directly to Microsoft 365 are generally less vulnerable as Microsoft's native security mechanisms are applied by default. However, vigilance and proper configuration remain critical for all organizations.
Sources
Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing, The Hacker News.
Microsoft warns of a surge in phishing attacks exploiting email routing gaps, CSO Online.
Misconfigured email routing enables internal-spoofed phishing, Security Affairs.
Microsoft 365 'Direct Send' abused to send phishing as internal users, BleepingComputer.