
Phishing attacks are becoming increasingly insidious, to the point of perfectly mimicking internal corporate communications. This is the alarm raised by Microsoft, which has observed a significant increase in malicious emails capable of masquerading as legitimate messages sent by colleagues, HR departments, or company executives.
According to Microsoft Threat Intelligence, cybercriminals are exploiting misconfigurations in Microsoft 365 email systems and complex email routing schemes to bypass anti-spoofing controls. The problem arises specifically when a domain’s MX record doesn’t point directly to Microsoft 365, but instead passes through on-premises Exchange servers or third-party email services.
In this security vacuum, sender authenticity checks can be less effective. The result is dangerous: emails with spoofed addresses belonging to the same organization’s domain manage to bypass filters and appear as internal communications. In some cases, the “From” and “To” fields match, further reinforcing the illusion of legitimacy.
Microsoft reports that this technique has been used in opportunistic campaigns active since at least May 2025, targeting organizations across various sectors. The emails often link to pages designed to steal credentials and are linked to phishing-as-a-service (PhaaS) platforms, particularly the Tycoon 2FA toolkit.
In October 2025 alone, the Redmond company blocked over 13 million malicious messages associated with this infrastructure.
PhaaS platforms dramatically lower the entry threshold for cybercriminals by offering ready-made templates, hosting, and advanced tools, including Adversary-in-the-Middle (AitM) attacks that can bypass multi-factor authentication.
The emails’ content is designed to sound credible and “office-like”: voice messages, shared documents, HR communications, password reset requests, or expiration notices. Financial scenarios are particularly insidious, where victims are pressured into paying nonexistent invoices.
The emails may appear to be a follow-up conversation with the CEO or accounting department and include realistic attachments: large invoices, W-9 forms with bank details, and even fake bank confirmation letters.
The consequences are typical of successful phishing: stolen credentials, compromised email accounts and company documents, and even Business Email Compromise (BEC) cases with significant financial damage.
Microsoft emphasizes one key point, however: if your domain’s MX record points directly to Microsoft 365, this type of complex routing-based spoofing is not effective.
To reduce risk, the company recommends strengthening email security configurations: implementing strict DMARC policies in “reject” mode, configuring SPF with hard fail, carefully testing connectors to third-party services (such as anti-spam or archiving), and disabling Direct Send unless absolutely necessary to block emails attempting to impersonate the company domain.
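As an added illustration (not code from Microsoft or from the article), the following Python check scores a domain's own DNS records against the three settings above: MX pointing directly at Microsoft 365, SPF ending in a hard fail, and DMARC in reject mode. The record values are constructed samples and the function names are my own.

```python
"""Check a domain's mail records against the hardening recommended above.
Inputs are constructed sample records, not live DNS lookups."""
from dataclasses import dataclass, field

# Microsoft 365 inbound MX hosts end with this suffix (e.g. contoso-com.mail.protection.outlook.com)
M365_MX_SUFFIX = ".mail.protection.outlook.com"


@dataclass
class Assessment:
    mx_direct_to_m365: bool
    spf_hard_fail: bool
    dmarc_reject: bool
    findings: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style TXT record (as used by DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(mx_hosts, spf_record, dmarc_record) -> Assessment:
    """Return which of the three recommended settings are in place, plus findings."""
    findings = []
    # 1. MX: every MX host must be a Microsoft 365 host, otherwise mail is relayed through
    #    an intermediary and the complex-routing spoofing described above becomes possible.
    mx_direct = bool(mx_hosts) and all(
        h.lower().rstrip(".").endswith(M365_MX_SUFFIX) for h in mx_hosts)
    if not mx_direct:
        findings.append("MX does not point directly to Microsoft 365")
    # 2. SPF: the record must end in '-all' (hard fail), not '~all' (soft fail) or '?all'.
    terms = spf_record.split()
    spf_hard = len(terms) >= 2 and terms[0].lower() == "v=spf1" and terms[-1] == "-all"
    if not spf_hard:
        findings.append("SPF does not end with -all (hard fail)")
    # 3. DMARC: the policy tag must be p=reject, not p=none or p=quarantine.
    dmarc = parse_tags(dmarc_record)
    dmarc_reject = dmarc.get("v", "").upper() == "DMARC1" and dmarc.get("p", "").lower() == "reject"
    if not dmarc_reject:
        findings.append(f"DMARC policy is '{dmarc.get('p', 'missing')}', not 'reject'")
    return Assessment(mx_direct, spf_hard, dmarc_reject, findings)


# Constructed sample records: a weak configuration and a hardened one.
WEAK = (["mx.gateway.example.net."],
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = (["example-com.mail.protection.outlook.com."],
            "v=spf1 include:spf.protection.outlook.com -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

Running `assess_domain(*WEAK)` returns three findings, while the hardened sample returns none.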
In short, even emails that “appear to come from within” should never be trusted by default. In the new threat landscape, blind trust has become a luxury that companies can no longer afford.
