Misconfigured email routing enables internal-spoofed phishing

Attackers exploit misconfigured email routing to spoof internal emails, using PhaaS platforms like Tycoon2FA to steal credentials.
Attackers exploit misconfigured email routing and spoof protections to send phishing emails appearing internal, using PhaaS platforms like Tycoon2FA to steal credentials.
“Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA,” reads the report published by Microsoft. “These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.”
Since May 2025, phishing attacks exploiting misconfigured email routing and spoof protections have increased. Microsoft reported opportunistic campaigns targeting multiple industries, sometimes for financial scams. Messages appear internal, boosting success. Office 365 tenants with correct MX records are protected, but others risk credential theft, BEC, or fund loss. Microsoft advises proper spoof protection and connector configuration to block these attacks.
Phishing attacks exploiting misconfigured email routing and spoof protections allow threat actors to send emails appearing from an organization’s own domain. Tenants with complex routing and MX records not pointed to Office 365, or lacking strict DMARC/SPF policies, are vulnerable.
“Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains,” continues the report.
Attackers often use PhaaS platforms like Tycoon2FA, enabling credential theft, adversary-in-the-middle (AiTM) bypass of MFA, and financial scams. Office 365 tenants with properly configured MX records are protected.
Attackers exploit complex email routing and weak spoofing protections to send phishing emails that look like internal messages. These emails often use common themes such as HR notices, password resets, voicemails, or shared documents. A typical trick is using the same email address in both the “To” and “From” fields to appear legitimate.

Although the emails look internal, email headers show they come from external servers. Signs include SPF or DMARC failures, missing DKIM signatures, and headers indicating anonymous external delivery. In poorly configured environments, these failures may not block delivery, especially when third-party mail connectors are misconfigured.
Many campaigns redirect users through legitimate-looking links, such as Google Maps URLs, to attacker-controlled sites. Victims are shown fake CAPTCHA pages that lead to Tycoon2FA phishing pages designed to steal credentials, sometimes bypassing MFA. Proper DMARC, SPF hard fail, DKIM, and correct connector setup can prevent these attacks.
Microsoft Threat Intelligence has also observed financial scams delivered through spoofed emails that appear to come from inside an organization. These messages are designed to look like ongoing email threads involving senior staff, often impersonating the CEO, the accounting department, or a supplier requesting payment.

In the observed cases, weak email authentication settings allowed the scams to succeed. DMARC was set to “none,” meaning authentication failures were not enforced. As a result, spoofed emails sent from external IP addresses were delivered to inboxes, especially in environments where MX records do not point to Office 365.
The scam emails often use urgency to pressure victims, such as requesting quick payment to secure a discount. They typically use the same email address in both the “To” and “From” fields, with the CEO’s name shown as the display name to appear legitimate.
Attachments commonly include a fake invoice requesting payment to a fraudulent bank account, an IRS W-9 form using stolen personal data, and a fake bank letter to add credibility. Victims who pay may suffer significant and unrecoverable financial losses, as funds are quickly moved by attackers.
Organizations should enforce strict DMARC reject and SPF hard-fail policies and properly configure third-party mail connectors. Microsoft pointed out that tenants with MX records pointing directly to Office 365 are protected.
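As an added illustration, not code from Microsoft's report or from this article, the following Python turns the header indicators described above (same address in From and To, SPF or DMARC failure, no DKIM signature on a message claiming the organization's own domain) into a triage check, and adds a check of the DMARC and SPF TXT records for the p=reject and -all settings the report recommends. The domain, addresses, IP and header values are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed tenant domain (constructed for this example)

# Constructed sample headers modelled on the indicators the article lists:
# same address in To and From, SPF fail, no DKIM signature, DMARC fail not enforced.
SPOOFED = """From: "Jane Doe (CEO)" <jane.doe@example.com>
To: jane.doe@example.com
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none (message not signed); dmarc=fail action=none header.from=example.com

Please pay the attached invoice today to secure the discount.
"""
# Constructed sample of a genuine internal message, for contrast.
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See you at 10.
"""

def parse_auth_results(value):
    """Map spf/dkim/dmarc verdicts out of an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}

def internal_spoof_findings(raw, org_domain=ORG_DOMAIN):
    """Return the spoofing indicators present in a message whose From claims org_domain."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if not from_addr.endswith("@" + org_domain):
        return []  # does not claim to be internal; outside this check's scope
    auth = parse_auth_results(msg.get("Authentication-Results"))
    findings = ["same address in From and To"] if from_addr == to_addr else []
    for mech in ("spf", "dkim", "dmarc"):  # anything but pass is a signal here
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}")
    return findings

def policy_weaknesses(dmarc_txt, spf_txt):
    """Flag a DMARC record that is not p=reject and an SPF record that does not end in -all."""
    weak = []
    m = re.search(r"\bp=(\w+)", dmarc_txt)
    if not m or m.group(1).lower() != "reject":
        weak.append("DMARC policy is not reject")
    if spf_txt.split()[-1] != "-all":
        weak.append("SPF does not end with -all (hard fail)")
    return weak
```

A message that claims the tenant's domain but returns any finding from `internal_spoof_findings` deserves a closer look at its Received chain; an empty list from `policy_weaknesses` means the published records match the report's recommendation.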
Pierluigi Paganini
(SecurityAffairs – hacking, phishing)
