
Internal phishing risk tied to complex email routing, Microsoft says


The company says routing gaps and weak spoof protections are being abused to send emails that appear to originate from inside an organization.


What happened

Microsoft warned that threat actors are exploiting misconfigured email routing and incomplete spoof protections to impersonate organizations’ own domains. According to a report from Microsoft, attackers are sending phishing emails that appear to come from internal addresses, using themes such as voicemail alerts, shared documents, HR notices, and password resets to harvest credentials. The activity has increased since May 2025 and has affected organizations across multiple industries.


Going deeper

Microsoft explained that the issue most often arises in environments with complicated mail routing, such as when MX (mail exchanger) records point to an on-premises Exchange server or a third-party filtering service that relays mail into Microsoft 365. If spoof protections are not strictly enforced along that path, attackers can inject messages into the relay chain so that they pass basic checks and appear internal. Many of the observed campaigns relied on phishing-as-a-service platforms, particularly Tycoon 2FA, which simplifies credential theft and can bypass multi-factor authentication using adversary-in-the-middle techniques. Microsoft said it blocked more than 13 million malicious emails linked to this kit in October 2025 alone. In some cases, the same technique was used to support financial fraud attempts targeting accounting and finance teams.


What was said

Microsoft said that emails sent through this method often stand out to users because the same address appears in both the sender and recipient fields, reinforcing the illusion that the message originated internally. The company also noted that some campaigns impersonated legitimate services such as DocuSign or payroll notifications, while others delivered fake invoices accompanied by supporting documents designed to build trust. Microsoft advised organizations to review routing configurations, apply strict sender authentication policies, and disable unnecessary mail features that could be abused. It added that tenants whose MX records point directly to Microsoft 365 are not exposed to this specific attack path.
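As an added example (not Microsoft's or Paubox's code), the Python triage script below shows what the pattern described in the two sections above looks like in message headers: a From domain that is one of the tenant's own accepted domains, a failing Authentication-Results verdict, and, in the case Microsoft calls out, a sender and recipient that are the same address. The accepted-domain list and the three sample messages are constructed for the example, not captured mail.

```python
"""Triage inbound mail for the internal-spoof pattern: the From domain is one
of our own accepted domains, yet sender authentication failed, and often the
message is addressed from a user to that same user. Added example."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for the example: the tenant's accepted domains (hypothetical names).
ACCEPTED_DOMAINS = {"contoso.com", "contoso.co.uk"}

# Constructed sample messages, not captured mail. The Authentication-Results
# values follow the RFC 8601 syntax Exchange Online stamps on inbound mail.
SAMPLES = [
    # 1. The internal-spoof pattern: From == To, SPF fails, no DKIM, DMARC fails.
    "From: Jane Doe <jane.doe@contoso.com>\n"
    "To: jane.doe@contoso.com\n"
    "Subject: Voicemail from +1 555 0100\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.com; "
    "dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com; "
    "compauth=fail reason=001\n\n"
    "You have a new voicemail. Listen here.\n",
    # 2. Genuine internal mail that authenticated: SPF, DKIM and DMARC all pass.
    "From: HR <hr@contoso.com>\n"
    "To: jane.doe@contoso.com\n"
    "Subject: Benefits enrollment\n"
    "Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=contoso.com; "
    "dkim=pass (signature was verified) header.d=contoso.com; dmarc=pass action=none header.from=contoso.com; "
    "compauth=pass reason=100\n\n"
    "Enrollment closes Friday.\n",
    # 3. External sender failing DMARC: still phishing, but not the internal pattern.
    "From: billing@vendor-example.net\n"
    "To: ap@contoso.com\n"
    "Subject: Invoice 4471\n"
    "Authentication-Results: spf=softfail smtp.mailfrom=vendor-example.net; dkim=none header.d=none; "
    "dmarc=fail action=none header.from=vendor-example.net; compauth=fail reason=001\n\n"
    "See attached.\n",
]

# Method=result pairs; other key=value tokens (action=, reason=, header.from=) are ignored.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)")


def parse_auth_results(value: str) -> dict:
    """Map each authentication method to its result, e.g. {'spf': 'fail', 'dmarc': 'fail'}."""
    return dict(_RESULT_RE.findall(value.lower()))


def address_of(header_value) -> str:
    """Bare lower-cased address from a From/To header, or '' if absent."""
    return parseaddr(header_value or "")[1].lower()


def classify(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    recipient = address_of(msg.get("To"))
    from_domain = sender.rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    claims_internal = from_domain in ACCEPTED_DOMAINS
    # DMARC is the aligned verdict; compauth is Exchange Online's composite one.
    # Anything other than an explicit pass (fail, none, missing) counts as unauthenticated.
    auth_failed = auth.get("dmarc") != "pass" or auth.get("compauth") == "fail"
    self_addressed = bool(sender) and sender == recipient

    if claims_internal and auth_failed:
        verdict = "internal_spoof"
    elif auth_failed:
        verdict = "external_auth_fail"
    else:
        verdict = "pass"
    return {
        "subject": msg.get("Subject", ""),
        "from_domain": from_domain,
        "auth": auth,
        "self_addressed": self_addressed,
        "verdict": verdict,
    }


def scan(messages: list) -> list:
    """Return the findings worth an analyst's attention, internal spoofs first."""
    findings = [classify(m) for m in messages]
    order = {"internal_spoof": 0, "external_auth_fail": 1}
    return sorted((f for f in findings if f["verdict"] != "pass"),
                  key=lambda f: order[f["verdict"]])


if __name__ == "__main__":
    for f in scan(SAMPLES):
        flag = "self-addressed" if f["self_addressed"] else ""
        print(f["verdict"], f["from_domain"], flag, repr(f["subject"]))
```

Run stand-alone, only the first sample is reported as internal_spoof; the third fails authentication too but is reported separately because it does not claim to be internal. Against real mail the same logic applies to the Authentication-Results header or an Exchange Online message trace export. A dmarc=none result means the From domain publishes no DMARC record at all, which the script deliberately treats as unauthenticated rather than as a pass.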


In the know

A HIPAA Times publication on the Tycoon 2FA phishing kit describes it as a phishing-as-a-service platform linked to more than 64,000 incidents this year, with Microsoft 365 and Gmail accounts as its primary targets. The kit relies on an adversary-in-the-middle setup that mirrors legitimate login pages and intercepts MFA codes and session cookies in real time, allowing attackers to access accounts even after multi-factor authentication is completed. Campaigns using Tycoon 2FA have been distributed through phishing emails as well as malicious PDF, SVG, and PowerPoint files, making the activity blend easily into normal workplace communications.


The big picture

Sherrod DeGrippo, Deputy CISO at Microsoft, said the real issue many organizations face is visibility into their own email environments. “The biggest takeaway for organizations is to treat email routing complexity as a risk factor. If you don’t fully understand how mail flows into your environment, attackers probably do,” she told Infosecurity Magazine. DeGrippo added that small behavioral changes still matter, noting that “one simple habit that helps is teaching users to question emails that create urgency without explanation, even if they appear to come from inside the company.”


FAQs

Why do emails that appear internal pose a higher risk?

Employees are more likely to trust messages that seem to come from within their own organization, especially when the sender address matches familiar internal domains.


What part do complicated routing setups play in these attacks?

Multiple hops through on-premises servers or third-party services can create gaps where spoof checks are weakened or bypassed.


What is phishing as a service, and why is it used here?

Phishing as a service platforms provide ready-made templates and infrastructure, allowing attackers to launch convincing campaigns with minimal technical effort.


Are all Microsoft 365 tenants vulnerable to this technique?

No. Microsoft said tenants with MX records pointing directly to Microsoft 365 are not exposed to this specific routing-based spoofing method.


What steps can organizations take to reduce exposure?

They can enforce DMARC reject (p=reject) and SPF hard fail (-all) policies, review and lock down third-party inbound connectors, disable unused direct send, and regularly audit email routing configurations.
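The following added example (not Microsoft's or Paubox's tooling) audits SPF and DMARC records for the lenient settings this answer warns about, with a weak pair beside a hardened pair. The records and the contoso.com domain are constructed for the example; nothing here queries DNS, so in practice the record text would come from a TXT lookup of the domain and of _dmarc.<domain>.

```python
"""Audit SPF and DMARC record text for settings that leave spoofed mail
unrejected. Added example with constructed records; performs no DNS lookups."""
import re

# Constructed records for a hypothetical tenant domain. The WEAK pair lets
# spoofed mail through; the HARD pair is the enforcing form the FAQ describes.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.relay-example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"
HARD_SPF = "v=spf1 ip4:198.51.100.10 include:spf.protection.outlook.com -all"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@contoso.com"

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208 (limit 10).
_LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", re.I)


def spf_findings(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.startswith("~"):
        findings.append("~all softfail: spoofed mail is tagged, not rejected")
    elif all_term[0] in "+?" or all_term == "all":  # bare 'all' means '+all'
        findings.append(f"{all_term}: unlisted senders are permitted")
    lookups = sum(1 for t in terms if _LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def dmarc_findings(record: str) -> list:
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: receivers are not told to reject spoofed mail")
    # Subdomains inherit p= unless sp= is set, so only an explicit weaker sp= is a finding.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are left weaker than the organizational domain")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={tags.get('pct')}: the policy is applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so unexpected sending paths go unseen")
    return findings


def audit(spf: str, dmarc: str) -> dict:
    """Combine both checks; an empty findings list means the domain enforces."""
    findings = [f"SPF: {f}" for f in spf_findings(spf)]
    findings += [f"DMARC: {f}" for f in dmarc_findings(dmarc)]
    return {"enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        result = audit(spf, dmarc)
        print(label, "enforcing" if result["enforcing"] else "\n  " + "\n  ".join(result["findings"]))
```

One caveat that follows from the routing point above: when MX records send mail through an on-premises server or third-party filter first, Microsoft 365 sees that hop's IP address rather than the original sender's, so SPF has to be evaluated at the first hop or the inbound connector must be configured so that Exchange Online Protection evaluates the original connecting IP (Exchange Online calls this Enhanced Filtering for Connectors). Strict records alone do not help if the check is run against the wrong hop.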
