Microsoft Warns of Phishing Campaigns That Spoof Internal Email Using Misconfigured Protections

Complex mail routing and weak authentication controls enable attackers to slip through defenses and impersonate trusted domains

Published on Jan 8, 2026

Microsoft Threat Intelligence has warned organizations about a resurgence of phishing campaigns that abuse complex email routing and poorly enforced spoofing protections to make malicious messages appear as if they were sent internally.

According to the tech giant, the technique has gained momentum since May 2025 and is being used broadly across industries rather than in highly targeted attacks.

The campaigns rely on gaps in Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) controls.

When these safeguards are misconfigured, often in environments using third-party email gateways or on-premises mail servers, attackers can spoof an organization’s own domain and deliver carefully crafted phishing emails.

Microsoft emphasized that this technique has been misunderstood publicly. In its latest analysis, the company stated, “This vector is not, as has been publicly reported, a vulnerability of Direct Send, but rather takes advantage of complex routing scenarios and misconfigured spoof protections.”

Phishing-as-a-Service and Financial Fraud Risks

Microsoft also observed that many of these campaigns rely on phishing-as-a-service (PaaS) platforms, particularly Tycoon2FA, which provides ready-made templates and infrastructure for credential harvesting.

In October 2025 alone, Microsoft Defender for Office 365 reportedly blocked more than 13 million emails linked to Tycoon2FA, including messages spoofing internal domains.

Common lures include fake voicemail alerts, shared document notifications, human resources messages, and password expiration warnings. Some attacks go further, using adversary-in-the-middle (AitM) techniques to intercept credentials and bypass multifactor authentication (MFA).

More concerning for executives, Microsoft also identified spoofed emails used for financial scams. These messages often impersonate senior leaders or accounting teams and attempt to pressure recipients into paying fraudulent invoices. Successful attacks can lead to business email compromise (BEC), data theft, or irreversible financial losses.

Microsoft recommends that organizations with complex mail routing review connector configurations and enforce strict DMARC reject policies and SPF hard fails. Additional guidance on securing mail flow and authentication is available via the Microsoft Security Blog.
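The recommendation above comes down to two DNS settings: an SPF record ending in `-all` (hard fail) rather than `~all` or `?all`, and a DMARC record with `p=reject` (and, for subdomains, `sp=reject`) rather than `p=none`. The following script is an added example, not tooling from Microsoft or from the article: it parses SPF and DMARC TXT records and reports the weak settings the campaigns exploit, showing a weak and a corrected configuration side by side. The domains and records are constructed for illustration; a real check would feed it the TXT records returned by a DNS lookup of the domain and of `_dmarc.<domain>`. It does not evaluate DKIM, which depends on signing keys and selectors rather than on a single policy record, and it cannot see connector or gateway routing, which is where the article says the misconfigurations usually live.

```python
"""Assess SPF and DMARC policy strength from their DNS TXT records.

Added example: the records below are constructed (hypothetical domains), so
the script runs offline. In practice the same functions are applied to TXT
records fetched from DNS for <domain> and _dmarc.<domain>.
"""
import re

# Constructed sample records, not real DNS data.
SAMPLE_RECORDS = {
    "weak.example": {
        # Soft fail and a monitoring-only DMARC policy: spoofed mail is delivered.
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strict.example": {
        # Hard fail plus reject for the domain and its subdomains.
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example",
    },
}


def parse_spf(record):
    """Return the qualifier of the SPF 'all' mechanism: '-', '~', '?', '+', or None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # no qualifier means '+' (pass)
    return None  # no 'all' mechanism: unmatched senders get a neutral result


def parse_dmarc(record):
    """Parse a DMARC record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both policies are strict."""
    findings = []

    qualifier = parse_spf(spf_record)
    if qualifier != "-":
        findings.append(
            f"SPF does not hard-fail unauthorized senders (all qualifier {qualifier!r}); use '-all'"
        )

    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record missing or malformed")
        return findings

    policy = dmarc.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy}; failing mail is not rejected; use p=reject")

    # pct defaults to 100; anything lower leaves a share of failing mail unenforced.
    pct = int(dmarc.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct} leaves {100 - pct}% of failing mail unenforced")

    # sp defaults to the value of p when absent.
    subdomain_policy = dmarc.get("sp", policy).lower()
    if subdomain_policy != "reject":
        findings.append(f"Subdomain policy sp={subdomain_policy} allows spoofing of subdomains")

    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess(records["spf"], records["dmarc"])
        print(f"{domain}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

The SPF qualifier matters because a `~all` soft fail only marks mail as suspicious, and many gateways deliver it anyway; DMARC `p=none` likewise reports failures without acting on them. Both are common during rollout but, left in place, are exactly the gap that lets a message claiming to be from the organization's own domain reach inboxes.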