Microsoft is warning of a rise in phishing campaigns that spoof organizations' own domains so that malicious messages look like internal email. These attacks take advantage of misconfigured email routing and weak authentication settings rather than a flaw in Microsoft 365 itself.
The warning comes from a Microsoft Threat Intelligence report, “Phishing actors exploit complex routing and misconfigurations to spoof domains”, which details how attackers leverage permissive email policies to bypass spoofing protections.
The technique has grown since mid-2025 and scaled through phishing-as-a-service (PhaaS) platforms. Data from Microsoft shows the threat’s scale: Defender for Office 365 blocked over 13 million emails tied to Tycoon2FA, a PhaaS platform that automates internal-looking campaigns, in October 2025 alone.
How Phishing Campaigns Pose as Internal Emails
According to the report, attackers are increasingly sending phishing emails that appear to come from the target organization's own domain. The messages frequently use the same address in both the "From" and "To" fields, often combined with manipulated display names, to mimic internal senders, making them harder for recipients to identify as malicious.
The campaigns are largely opportunistic. They typically imitate routine workplace notifications, such as voicemail alerts, shared files, HR notices, and password reset requests. Many attacks are tied to PhaaS platforms, which employ adversary-in-the-middle techniques to capture credentials and session tokens, bypassing traditional multi-factor authentication.
Other campaigns focus on business email compromise, spoofing executives or finance staff to request fraudulent payments supported by fake invoices and documents.
Microsoft Threat Intelligence warns that such emails reach inboxes when organizations’ mail routing and authentication configurations fail to block spoofed messages.
Misconfigured Email Routing and Authentication Policies Drive Risk
Microsoft Threat Intelligence said the rise in these attacks is linked to complex routing and hybrid email environments, which have become more common as organizations move workloads to the cloud while retaining on-premises systems and third-party gateways.
Tenants with direct-to-Office 365 MX records and strict authentication policies are largely protected, while those with permissive SPF, DKIM, or DMARC settings are vulnerable, according to the report.
Organizations should review routing, reduce unnecessary complexity, and enforce authentication policies, including SPF, DKIM, and DMARC with the policy set to reject or quarantine. Identity protections remain essential, as adversary-in-the-middle phishing can bypass standard multi-factor authentication.
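As an added example (not code from Microsoft or the report), the script below checks the two things the report singles out: whether a tenant's SPF and DMARC records are permissive, and whether a message carries the "same From and To address" pattern while failing authentication. The records, headers and domain are constructed sample data, and the checks are offline string parsing rather than live DNS lookups.

```python
import re
from email.utils import parseaddr

# Constructed sample data for a hypothetical tenant (not from the report).
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com ?all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_HEADERS = {
    "From": '"CEO (Finance)" <jane.doe@example.com>',
    "To": "jane.doe@example.com",
    "Authentication-Results": "spf=fail (sender IP is 203.0.113.5) "
                              "smtp.mailfrom=example.com; dmarc=fail action=none",
}

def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or 'missing'."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record.strip())
    if not m:
        return "missing"
    return m.group(1) or "+"   # a bare 'all' means '+all' (everything passes)

def dmarc_policy(record):
    """Return the DMARC p= policy value, or 'missing' if the tag is absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "missing")

def policy_findings(spf, dmarc):
    """List permissive settings that let spoofed internal-looking mail reach inboxes."""
    findings = []
    q = spf_all_qualifier(spf)
    if q in ("+", "?", "missing"):
        findings.append(f"SPF ends in '{q}all': unauthorized senders pass or are neutral; use '-all'")
    p = dmarc_policy(dmarc)
    if p in ("none", "missing"):
        findings.append(f"DMARC p={p}: failures are only reported; set p=quarantine or p=reject")
    return findings

def looks_self_spoofed(headers):
    """Flag a message whose From and To mailbox match but whose authentication failed."""
    _, from_addr = parseaddr(headers.get("From", ""))
    _, to_addr = parseaddr(headers.get("To", ""))
    auth = headers.get("Authentication-Results", "").lower()
    same_mailbox = from_addr != "" and from_addr.lower() == to_addr.lower()
    auth_failed = "spf=fail" in auth or "dmarc=fail" in auth
    return same_mailbox and auth_failed
```

Running `policy_findings(SPF_RECORD, DMARC_RECORD)` on the sample records returns two findings, and `looks_self_spoofed(SAMPLE_HEADERS)` returns True; the same message with `spf=pass; dmarc=pass` is not flagged.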
Overall, Microsoft's report underscores that email security, identity hardening, and configuration hygiene must be treated as a single control plane rather than as separate responsibilities, so that assumptions of internal trust do not become a liability.
What This Means for ERP Insiders
Phishing-as-a-service is automating attacks at scale. PhaaS platforms like Tycoon2FA are turning internal-looking phishing into a scalable, automated threat. Enterprises face growing exposure as attackers use these services to bypass multi-factor authentication and target high-value credentials and financial workflows.
Enterprise cloud migration is widening the attack surface. Hybrid email environments and complex routing, increasingly common during these migrations, can create systemic weaknesses. Misconfigured authentication and routing policies turn internal-looking phishing into an operational gap that attackers can exploit during and after migrations.
Email and identity security must evolve together. Traditional protections alone are no longer enough to stop sophisticated internal-looking phishing. Organizations need integrated defenses: strict SPF/DKIM/DMARC, multi-factor or passwordless authentication, simplified routing, and regular staff training.