Microsoft warns of rising phishing threats using domain spoofing
Tshedimoso Makhene
January 8, 2026
What happened
Microsoft’s security team is warning about a growing phishing tactic where cybercriminals exploit complex email routing and misconfigured spoof-protection to send deceptive emails that appear to be from within an organization. According to a new Microsoft Threat Intelligence report, these messages are designed to look like legitimate internal communications.
According to the report, this technique has been observed since May 2025 and has been used broadly across industries rather than targeting specific organizations.
Going deeper
The threat exploits vulnerabilities that aren’t intrinsic flaws in Microsoft products but rather email infrastructure misconfigurations. Specifically, when an organization has complex mail routing, such as MX records that don’t point directly to Microsoft 365 or routing through third-party systems, and lacks strict anti-spoofing protections, attackers can inject phishing emails that appear internal.
These spoofed emails often show the same sender and recipient addresses or use internal display names, making them far more convincing than typical external phishing attempts. The underlying weaknesses involve improperly enforced DMARC, SPF, and DKIM policies that fail to block malicious senders across all mail flow paths.
The report notes that organizations whose MX records point directly to Office 365 are protected by Microsoft’s spoofing detection and aren’t vulnerable to this specific attack vector.
Microsoft also clarifies that this is not a flaw in Direct Send but rather a consequence of misconfiguration in routing and spoof protections.
What was said
In the published blog, Microsoft Threat Intelligence explained that “Threat actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.”
The report reveals that many of the observed campaigns use phishing-as-a-service (PhaaS) platforms such as Tycoon2FA to generate large volumes of spoofed phishing emails, including credential harvesting lures and adversary-in-the-middle techniques designed to bypass multi-factor authentication (MFA) protections.
It also explains how these messages often imitate common internal messages, such as password resets, HR notifications, shared documents, or voicemail alerts, increasing their likelihood of success.
In the know
Tycoon2FA is a phishing-as-a-service (PhaaS) platform designed to bypass MFA on email services such as Microsoft 365 and Gmail by intercepting login credentials and authentication codes in real time using adversary-in-the-middle techniques. It was recently discovered to be actively used in large-scale phishing campaigns, where attackers deploy convincing login pages and trusted email lures to hijack user sessions even after MFA is successfully completed.
Go deeper: Tycoon 2FA phishing kit bypasses MFA protections on Microsoft 365 and Gmail
Why it matters
Emails that appear to come from inside an organization are far more likely to be trusted and acted upon by employees. When combined with tools like Tycoon2FA, which can bypass MFA on major platforms like Microsoft 365 and Gmail, attackers gain a powerful advantage. Even strong MFA protections no longer guarantee account safety if phishing kits intercept credentials and authentication codes in real time.
For healthcare organizations and other sectors handling sensitive data, this means that compromised email accounts can lead to serious consequences such as unauthorized access to protected health information (PHI), business email compromise, and costly data breaches.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is domain spoofing in emails?
Domain spoofing is a cyberattack tactic where attackers forge the sender address in an email to make it look like it was sent from a legitimate domain, often the victim’s own organization, to increase trust and the likelihood of the email being opened or acted upon.
What role does email routing configuration play in security?
Proper email routing configuration ensures that email authentication checks are enforced consistently, preventing attackers from exploiting routing gaps to send spoofed emails.
What is phishing-as-a-service (PhaaS)?
PhaaS is a business model where phishing kits or platforms are sold or rented out to criminals, enabling even less technically skilled attackers to launch sophisticated phishing campaigns.
What are SPF, DKIM, and DMARC, and why are they important?
SPF, DKIM, and DMARC are email authentication protocols that help verify whether an email was legitimately sent from the claimed domain. Proper configuration helps prevent spoofing and phishing.
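The "Going deeper" section and this FAQ both come down to the same defender's question: are SPF and DMARC actually enforced on every path mail can take into the organization, or does a third-party MX hop plus a lax policy leave a gap? The script below is an added example (not code from Microsoft, Paubox, or the report) that assesses a domain's published records offline. The DNS records it inspects are constructed samples embedded inline; a real audit would fill the same dictionaries from TXT and MX lookups. The `.mail.protection.outlook.com` suffix and `spf.protection.outlook.com` include are the documented Exchange Online endpoints, and the "weak" sample deliberately mirrors the misconfiguration the article describes (MX pointing at a third-party filter, SPF ending in `~all`, DMARC `p=none`).

```python
"""
Offline posture check for a domain's SPF / DMARC / MX configuration.

Added example for illustration; not from the article or the Microsoft
report. All records below are CONSTRUCTED samples.
"""
from dataclasses import dataclass

# Exchange Online inbound MX host suffix (documented Microsoft 365 endpoint).
M365_MX_SUFFIX = ".mail.protection.outlook.com"


@dataclass
class Finding:
    severity: str   # "high", "medium", or "low"
    message: str


def parse_spf(txt_records):
    """Return the domain's single SPF record, or None if absent/duplicated.

    RFC 7208 treats more than one v=spf1 record as a permanent error."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records):
    """Parse a 'v=DMARC1; tag=value; ...' record into a lowercase-keyed dict."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(records):
    """Return a list of Findings for one domain's records (empty = no issues)."""
    findings = []

    # MX: if inbound mail is routed through a third party before reaching
    # Microsoft 365, spoof protection must hold on every hop, not just the last.
    mx_hosts = records.get("mx", [])
    if not mx_hosts:
        findings.append(Finding("high", "no MX record published"))
    elif not all(h.lower().rstrip(".").endswith(M365_MX_SUFFIX) for h in mx_hosts):
        findings.append(Finding("medium",
            "MX routes through a third party; anti-spoofing must be enforced on every mail flow path"))

    # SPF: only the final 'all' mechanism decides what happens to unlisted senders.
    spf = parse_spf(records.get("txt", []))
    if spf is None:
        findings.append(Finding("high", "SPF record missing or duplicated"))
    else:
        all_terms = [t for t in spf.split()[1:] if t.lower().lstrip("+-~?") == "all"]
        if not all_terms:
            findings.append(Finding("medium", "SPF has no 'all' mechanism; unlisted senders are neutral"))
        elif all_terms[-1] in ("all", "+all") or all_terms[-1].startswith("?"):
            findings.append(Finding("high", f"SPF '{all_terms[-1]}' permits any sender"))
        elif all_terms[-1].startswith("~"):
            findings.append(Finding("low", "SPF uses ~all (softfail); enforcement depends on DMARC policy"))

    # DMARC: p=none only reports, it never blocks a spoofed message.
    dmarc = parse_dmarc(records.get("dmarc_txt", []))
    if dmarc is None:
        findings.append(Finding("high", "DMARC record missing"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(Finding("high", f"DMARC p={policy or 'missing'} does not block spoofed mail"))
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            findings.append(Finding("medium", f"DMARC pct={pct} leaves {100 - pct}% of failing mail unenforced"))
        if "rua" not in dmarc:
            findings.append(Finding("low", "no rua= address; spoofing attempts will not be reported"))
    return findings


# Constructed sample: third-party MX hop, softfail SPF, monitor-only DMARC.
WEAK_DOMAIN = {
    "mx": ["mx1.thirdparty-filter.example."],
    "txt": ["v=spf1 include:spf.protection.outlook.com include:thirdparty-filter.example ~all",
            "some-site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Constructed sample: MX directly to Microsoft 365, hardfail SPF, reject DMARC.
HARDENED_DOMAIN = {
    "mx": ["example-com.mail.protection.outlook.com."],
    "txt": ["v=spf1 include:spf.protection.outlook.com -all"],
    "dmarc_txt": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(f"{name}: {len(assess(recs))} finding(s)")
        for f in assess(recs):
            print(f"  [{f.severity}] {f.message}")
```

The weak sample produces a high finding for `p=none`, a medium one for the third-party MX hop, and a low one for `~all`; the hardened sample produces none. The MX finding is deliberately "medium" rather than "high": routing through a filtering service is a legitimate design, but, as the report notes, it obliges the organization to make sure spoof protection is enforced on that path rather than assuming Microsoft's default detection covers it.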