- Attackers use complex mail routing and weak spoof protections to send emails that appear to come from inside an organization.
- Phishing-as-a-service kits, notably Tycoon 2FA, power many of these campaigns; over 13 million linked messages were blocked in October 2025.
- Scams include credential theft and invoice fraud with forged invoices, W-9 forms, and fake bank letters.
- Organizations should enforce strict email authentication (DMARC reject, SPF hard fail) and correctly configure third-party connectors and Direct Send settings.
First paragraph: The Microsoft Threat Intelligence team said attackers have exploited complex mail routing and misconfigured spoof protections since May 2025 to send phishing messages that look internal, targeting organizations across industries (said). These messages aim to capture credentials and enable follow-on activity including data theft and business email compromise.
Threat actors delivered lures such as voicemails, shared documents, HR notices, and password resets using phishing-as-a-service (PhaaS) platforms. "Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA," the team noted, linking many campaigns to the Tycoon 2FA kit (analysis, overview). Microsoft blocked more than 13 million malicious emails tied to the kit in October 2025.
The threat exploits setups where a tenant’s MX record points to an on-premises Exchange server or a third-party service before reaching Office 365. In such cases, spoof protections can fail and attackers can send emails with the same address in the "To" and "From" fields to increase trust. Phishing messages have also impersonated services like DocuSign or HR communications and included attachments or QR codes to push victims to phishing pages.
Financial scams often mimic exchanges among a CEO, accounting, or a vendor and include three attachments: a fake invoice, an IRS W-9 form, and a counterfeit bank letter. "They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phishing landing page," the report added.
Defenses recommended include enforcing strict DMARC reject and SPF hard-fail policies (DMARC, SPF guidance), and properly configuring third-party connectors (how to manage mail flow). Tenants with MX records pointed directly to Office 365 are not vulnerable to this vector, and organizations are advised to turn off Direct Send when not needed and to reject spoofed emails. Additional context on rising PhaaS activity is available from industry posts (Trellix, Cybersecurity-101/topic/phishing-as-a-service”>Huntress).
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- US-Venezuela Tensions Drive Investors Into Bitcoin, Gold Now
- ETF Inflows, Outflows and Stablecoins Fuel Bitcoin Surge Now
- RAKBank Secures CBUAE Nod for AED-Backed Stablecoin Rollout.
- SEC Approves Bitwise Chainlink ETF, LINK Heads to NYSE Live!
- Jensen Huang: Bitcoin stores energy, AI a universal currency
