Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing - The Hacker News

Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing Ravie LakshmananJan 07, 2026Email Security / Financial Fraud Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally. "Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA," the Microsoft Threat Intelligence team said in a Tuesday report. "These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing." While the attack vector is not necessarily new, the tech giant said it has witnessed a surge in the use of the tactic since May 2025 as part of opportunistic campaigns targeting a wide variety of organizations across multiple industries and verticals. This includes a campaign that has employed spoofed emails to conduct financial scams against organizations. A successful attack could allow threat actors to siphon credentials and leverage them for follow-on activities, ranging from data theft to business email compromise (BEC). The problem manifests primarily in scenarios where a tenant has configured a complex routing scenario and spoof protections are not strictly enforced. An example of complex routing involves pointing the mail exchanger record (MX record) to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365 This creates a security gap that attackers can exploit to send spoofed phishing messages that seem to originate from the tenant's own domain. The vast majority of phishing campaigns that leverage this approach have been found to make use of the Tycoon 2FA PhaaS kit. Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025. PhaaS toolkits are plug-and-play platforms that allow fraudsters to create and manage phishing campaigns easily, making it accessible even for those with limited technical skills. They provide features like customizable phishing templates, infrastructure, and other tools to facilitate credential theft and circumvent multi-factor authentication using adversary-in-the-middle (AiTM) phishing. The Windows maker said it has also spotted emails intended to trick organizations into paying bogus invoices, potentially leading to financial losses. The spoofed messages also impersonate legitimate services like DocuSign or claim to be from HR regarding salary or benefits changes. Phishing emails propagating financial scams often resemble a conversation between the CEO of the targeted organization, an individual requesting payment for services provided, or the firm's accounting department. They also contain three attached files to lend the scheme a false sense of trust - A fake invoice for thousands of dollars to be wired to a bank account An IRS W-9 form listing the name and social security number of the individual used to set up the bank account A fake bank letter was allegedly provided by an employee at the online bank used to set up the fraudulent account "They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phishing landing page," it added. "The appearance of having been sent from an internal email address is the most visible distinction to an end user, often with the same email address used in the 'To' and 'From' fields." To counter this risk, organizations are advised to set strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and Sender Policy Framework (SPF) hard fail policies and properly configure third-party connectors, such as spam filtering services or archiving tools. It's worth noting that tenants with MX records pointed directly to Office 365 are not vulnerable to the attack vector. Additionally, it's recommended to turn off Direct Send if not necessary to reject emails spoofing the organization's domains. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  business email compromise, Cloud security, cybersecurity, Domain Spoofing, email security, Financial Fraud, identity theft, Microsoft 365, Phishing, Threat Intelligence Trending News Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps