A phishing message uses a “password expiration” lure masquerading as a communication from Microsoft.
A wave of sophisticated phishing attacks is hitting organizations by exploiting a classic weakness: the trust users place in emails that appear to come from their own colleagues. A new report from Microsoft Threat Intelligence details how threat actors are leveraging complex mail routing scenarios to bypass security filters and deliver convincing “internal” emails that are anything but.
The campaign, which has seen a sharp uptick since May 2025, capitalizes on misconfigured spoof protections in organizations that do not route their mail directly through Office 365.
The core of this attack vector lies in the infrastructure, not a software bug. Attackers are targeting tenants with specific configurations—namely, those whose MX records point to on-premises Exchange servers or third-party gateways rather than directly to Microsoft 365.
“Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally,” the report states.
Microsoft clarifies that this is not a vulnerability in its “Direct Send” feature, as previously rumored, but rather a manipulation of how emails are authenticated in complex environments. “The phishing attack vector covered in this blog post does not affect customers whose Microsoft Exchange mail exchanger (MX) records point to Office 365; these tenants are protected by native built-in spoofing detections”.
The attacks are being powered by the booming “Phishing-as-a-Service” (PhaaS) economy. Microsoft researchers observed that “the bulk of phishing campaigns observed using this attack vector employ the Tycoon2FA PhaaS platform”.
This platform provides attackers with ready-made toolkits to execute Adversary-in-the-Middle (AiTM) attacks, capable of bypassing multi-factor authentication. In October 2025 alone, Microsoft blocked over 13 million malicious emails linked to Tycoon2FA.
The lures are varied but designed to trigger immediate action:
- HR Communications: Messages regarding salary or benefits changes.
- IT Alerts: Password expiration notifications masquerading as Microsoft or Docusign.
- Voicemails: Fake notifications prompting users to click malicious links.
Beyond credential theft, the report highlights a disturbing trend of financial fraud. Attackers are crafting emails that look like legitimate internal threads involving high-level executives.
“Microsoft Threat Intelligence has also observed emails intended to trick organizations into paying fake invoices, potentially leading to financial losses”.
In one detailed example, attackers spoofed a thread between a company’s CEO and an external vendor, forwarding it to the accounting department. To add credibility, the emails included convincing attachments: “The first is the fake invoice requesting several thousand dollars… The second attachment is an IRS W-9 form… The third attachment is a fake ‘bank letter’ ostensibly provided by an employee at the online bank”.
To defend against this, Microsoft urges administrators to stop relying on implicit trust and start enforcing explicit authentication.
“Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains”.
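As an added example (not code from the Microsoft report), the following Python check evaluates a domain's SPF and DMARC TXT records against the hardening quoted above: SPF should end in `-all` (hard fail, not `~all` soft fail) and DMARC should be `p=reject` applied to 100% of failing mail. The domain names and records are constructed samples; checking a live domain would require a DNS TXT lookup, which is left out so the snippet runs offline.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real ones).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}

SPF_ALL_MEANING = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}

def spf_findings(spf):
    """Return weaknesses in an SPF record; an empty list means it ends in -all."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # The last 'all' mechanism decides what happens to senders no earlier term matched.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[-~?+]?all", t, re.I)]
    if not all_terms:
        return ["SPF: no 'all' mechanism; unmatched senders default to neutral"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "-~?+" else "+"
    if qualifier != "-":
        return [f"SPF: ends in '{all_terms[-1]}' ({SPF_ALL_MEANING[qualifier]}); use '-all'"]
    return []

def dmarc_findings(dmarc):
    """Return weaknesses in a DMARC record; an empty list means p=reject at pct=100."""
    pairs = (t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is not rejected, use p=reject")
    if "sp" in tags and tags["sp"].lower() != "reject":  # explicit subdomain policy weaker than reject
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} weaker than reject")
    if int(tags.get("pct", "100")) < 100:  # pct defaults to 100 when absent
        findings.append(f"DMARC: pct={tags['pct']}; policy applied to only part of failing mail")
    return findings

def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess(records) or ["OK: SPF -all and DMARC p=reject"])
```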