Email Security

Complex Routing, Misconfigurations Exploited for Domain Spoofing in Phishing Attacks

Threat actors spoof legitimate domains to make their phishing emails appear to have been sent internally.

Threat actors have been observed abusing complex routing and improperly configured spoof protections in phishing attacks, Microsoft warns.

By spoofing legitimate domains, the attackers make their phishing emails more effective, as they appear to have been sent internally.

The attack vector, Microsoft says, has been used in opportunistic campaigns powered by phishing-as-a-service (PhaaS) platforms such as Tycoon2FA, targeting several industries.

The phishing messages contain lures related to document sharing, HR communication, invoices, password resets, and voicemails, leading to the compromise of credentials that may be abused for business email compromise (BEC) or data theft.

According to Microsoft, the vulnerable organizations have configured complex routing scenarios without strictly enforced spoof protections, and have MX records that do not point to Office 365, allowing attackers to send messages that appear to originate from the victims’ domains.

The tech giant points out that the issue is not a vulnerability of Direct Send, the Microsoft 365 Exchange Online feature that allows devices and applications to send emails without authentication via an organization’s domains.


“Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains,” Microsoft says.
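As an added illustration (not code from the article or from Microsoft), the following Python check audits a domain's SPF and DMARC TXT records against the posture quoted above: SPF hard fail (-all) and a DMARC reject policy. The records are constructed samples for a hypothetical domain so the check runs offline; in practice they would be fetched over DNS.

```python
# Added example: audits SPF and DMARC records for the strict posture Microsoft
# recommends. Record strings below are constructed samples, not real domains.
import re

def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~' or '?'),
    or None if the record is not SPF or has no 'all' term (implicit neutral)."""
    txt = txt.lower()
    if not txt.startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all'
    return None

def parse_dmarc(txt):
    """Return DMARC tags (p, sp, pct, ...) as a dict; empty if not a DMARC record."""
    if not txt.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def audit(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means the domain matches
    the SPF hard fail + DMARC reject posture."""
    findings = []
    q = parse_spf(spf_txt)
    if q != "-":
        findings.append(f"SPF 'all' qualifier is {q!r}, not hard fail (-all)")
    d = parse_dmarc(dmarc_txt)
    p = d.get("p", "none")          # missing p is treated as no enforcement
    if p != "reject":
        findings.append(f"DMARC p={p}, not reject")
    sp = d.get("sp", p)             # subdomain policy defaults to p
    if sp != "reject":
        findings.append(f"DMARC subdomain policy sp={sp}, not reject")
    pct = int(d.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}, policy applied to only part of mail")
    return findings

# Constructed sample records: a weak pair (soft fail, partial quarantine) and a strict pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.invalid"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for name, s, d in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(name, audit(s, d) or ["OK: SPF -all and DMARC reject in place"])
```

The check only covers the published policy; per Microsoft's note, third-party connectors and mail routed around Office 365 still need to be reviewed separately.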

In October 2025, the tech company blocked over 13 million malicious emails originating from the Tycoon2FA PhaaS platform, many of which spoofed internal domains.

Tycoon2FA and similar platforms, Microsoft explains, provide threat actors with attack infrastructure and capabilities such as adversary-in-the-middle (AiTM) phishing, which allows them to circumvent multi-factor authentication (MFA) protections.

“The bulk of phishing messages sent through this attack vector uses the same lures as conventionally sent phishing messages, masquerading as services such as Docusign, or communications from HR regarding salary or benefits changes, password resets,” the tech giant notes.

Microsoft has provided resources to help organizations properly configure mail flow connectors and rules to block spoofed email messages, as well as queries to hunt for related activity.

Related: AI Is Supercharging Phishing: Here’s How to Fight Back

Related: Google Says Chinese ‘Lighthouse’ Phishing Kit Disrupted Following Lawsuit  

Related: RaccoonO365 Phishing Service Disrupted, Leader Identified

Related: Microsoft 365 Direct Send Abused for Phishing


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
