Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing

Jan 07, 2026Ravie LakshmananEmail Security / Financial Fraud

Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations’ domains and distribute emails that appear as if they have been sent internally.

“Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” the Microsoft Threat Intelligence team said in a Tuesday report. “These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.”

While the attack vector is not necessarily new, the tech giant said it has witnessed a surge in the use of the tactic since May 2025 as part of opportunistic campaigns targeting a wide variety of organizations across multiple industries and verticals. This includes a campaign that has employed spoofed emails to conduct financial scams against organizations.

A successful attack could allow threat actors to siphon credentials and leverage them for follow-on activities, ranging from data theft to business email compromise (BEC).

The problem manifests primarily in scenarios where a tenant has configured a complex routing scenario and spoof protections are not strictly enforced. An example of complex routing involves pointing the mail exchanger record (MX record) to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365

This creates a security gap that attackers can exploit to send spoofed phishing messages that seem to originate from the tenant’s own domain. The vast majority of phishing campaigns that leverage this approach have been found to make use of the Tycoon 2FA PhaaS kit. Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025.

PhaaS toolkits are plug-and-play platforms that allow fraudsters to create and manage phishing campaigns easily, making it accessible even for those with limited technical skills. They provide features like customizable phishing templates, infrastructure, and other tools to facilitate credential theft and circumvent multi-factor authentication using adversary-in-the-middle (AiTM) phishing.

The Windows maker said it has also spotted emails intended to trick organizations into paying bogus invoices, potentially leading to financial losses. The spoofed messages also impersonate legitimate services like DocuSign or claim to be from HR regarding salary or benefits changes.

Phishing emails propagating financial scams often resemble a conversation between the CEO of the targeted organization, an individual requesting payment for services provided, or the firm’s accounting department. They also contain three attached files to lend the scheme a false sense of trust –

• A fake invoice for thousands of dollars to be wired to a bank account
• An IRS W-9 form listing the name and social security number of the individual used to set up the bank account
• A fake bank letter was allegedly provided by an employee at the online bank used to set up the fraudulent account

“They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phishing landing page,” it added. “The appearance of having been sent from an internal email address is the most visible distinction to an end user, often with the same email address used in the ‘To’ and ‘From’ fields.”

To counter this risk, organizations are advised to set strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and Sender Policy Framework (SPF) hard fail policies and properly configure third-party connectors, such as spam filtering services or archiving tools.

It’s worth noting that tenants with MX records pointed directly to Office 365 are not vulnerable to the attack vector. Additionally, it’s recommended to turn off Direct Send if not necessary to reject emails spoofing the organization’s domains.