Phishing actors spoof internal addresses by abusing complex email routing, Microsoft warns

Microsoft’s Threat Intelligence team warned Tuesday in a security blog post that threat actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to come from internal addresses, and that more than 13 million malicious emails linked to the Tycoon 2FA phishing kit were blocked in October 2025.

KEY FACTS

  • Incident: Email spoofing that appears to originate from the target domain
  • Scale: More than 13 million malicious messages blocked in October 2025
  • Timeline: Use of the tactic surged from May 2025
  • Vector: Complex MX routing combined with weak spoof protections

The campaigns exploit routing setups in which a tenant points its MX record to an on-premises Exchange server or a third-party service, so inbound mail passes through that hop before reaching Microsoft 365. That extra hop creates a gap when spoof protections are not strictly enforced at the Microsoft 365 end.

Attackers commonly use plug-and-play phishing platforms to build campaigns. Those platforms provide templates and infrastructure that can capture credentials and bypass multi-factor authentication using adversary-in-the-middle techniques.

Some campaigns impersonate internal senders or legitimate services and attempt financial fraud. Messages often include a fake invoice, an IRS W-9 form, and a fake bank letter to persuade recipients to wire funds.

Recommended mitigations include enforcing strict DMARC reject and SPF hard fail policies, properly configuring third-party connectors, and disabling Direct Send if it is not required. Tenants with MX records pointed directly to Office 365 are not vulnerable to this specific routing gap.
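The two DNS-visible mitigations above (DMARC reject, SPF hard fail) can be audited mechanically. The following is an added example written for this article, not code from Microsoft or the blog post: it parses a domain's SPF and DMARC TXT records and flags anything weaker than `-all` / `p=reject`. The domain names and TXT strings are constructed, and the `lookup_txt` table stands in for a real DNS query (a live check would call `dns.resolver.resolve(name, "TXT")` from dnspython instead). Connector configuration and the Direct Send setting live inside the tenant, not in DNS, so this script does not cover them.

```python
import re

# Constructed sample DNS TXT data for two hypothetical domains (not real records).
# weak.example.test models the loose configuration the article warns about;
# strict.example.test models the recommended hardening.
SAMPLE_TXT = {
    "weak.example.test": [
        "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all",
    ],
    "_dmarc.weak.example.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.test",
    ],
    "strict.example.test": [
        "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
    ],
    "_dmarc.strict.example.test": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example.test",
    ],
}


def lookup_txt(name, txt_table=SAMPLE_TXT):
    """Return the TXT strings published at name (embedded table stands in for DNS)."""
    return txt_table.get(name.lower(), [])


def find_spf(txt_values):
    """Pick the SPF record out of a list of TXT strings, or None if absent."""
    for v in txt_values:
        if v.lower().startswith("v=spf1"):
            return v
    return None


def spf_all_qualifier(spf):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~' or '?'),
    or None when the record has no 'all' term. A bare 'all' means '+all'."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(txt_values):
    """Return DMARC tags as a dict, or None when no v=DMARC1 record is present."""
    for v in txt_values:
        if v.lower().startswith("v=dmarc1"):
            tags = {}
            for part in v.split(";"):
                if "=" in part:
                    key, val = part.split("=", 1)
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def assess_domain(domain, txt_table=SAMPLE_TXT):
    """Compare a domain's SPF and DMARC records against the strict settings
    recommended for complex routing. Returns the findings and a 'strict' flag
    that is True only when nothing weak was found."""
    findings = []

    spf = find_spf(lookup_txt(domain, txt_table))
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        q = spf_all_qualifier(spf)
        if q is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
        elif q != "-":
            findings.append(f"SPF: '{q}all' is not a hard fail; unlisted senders are only soft-failed")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", txt_table))
    if dmarc is None:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        p = dmarc.get("p", "").lower()
        if p != "reject":
            findings.append(f"DMARC: p={p or 'missing'}; spoofed mail is not rejected")
        sp = dmarc.get("sp", p).lower()  # subdomain policy defaults to p
        if sp != "reject":
            findings.append(f"DMARC: subdomain policy sp={sp or 'missing'} is not reject")
        pct = dmarc.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")

    return {"domain": domain, "findings": findings, "strict": not findings}


if __name__ == "__main__":
    for d in ("weak.example.test", "strict.example.test"):
        result = assess_domain(d)
        print(d, "STRICT" if result["strict"] else "WEAK")
        for f in result["findings"]:
            print("  -", f)
```

Run as-is, the weak domain reports the soft-fail SPF and `p=none` DMARC policy while the strict domain reports nothing; point `lookup_txt` at a real resolver to audit your own sending domains and any subdomains that an intermediary relays for.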

WHY IT MATTERS

The technique makes phishing messages harder for users to spot and increases the risk of credential theft, business email compromise, and financial loss. Organizations using complex mail routing should verify email authentication and connector settings to reduce exposure.