Phishing attacks exploit misconfigured emails to target Microsoft 365

By Team-CWD, January 8, 2026

A surge in phishing attacks that exploit email routing settings and misconfigured domain spoofing protections is targeting Microsoft 365 accounts, making malicious emails appear as if they were sent from within the organization.

Microsoft Threat Intelligence has warned that the attacks are themed around phoney messages from HR departments and IT security teams and are being deployed in attempts to steal login credentials.

While the attack vector isn’t new, Microsoft said there’s been a significant rise in attacks deploying these techniques since May 2025 and they’re commonly used in conjunction with phishing-as-a-service kits like Typhoon2FA.

These phishing emails have been sent to a wide range of organizations across many different industries, leading researchers to conclude that they’re opportunistic in nature rather than targeted, but that doesn’t make them less of a threat.

In fact, because the emails look like they’ve been sent from within the organization, “phishing messages sent through this vector may be more effective,” said Microsoft.

The company also noted that the spoofing attacks only affect organizations that have custom-configured a complex routing scenario in which their mail exchanger (MX) records are not pointed to Office 365 and spoofing protections have not been properly configured.

What makes these campaigns particularly risky is how the attackers can make the emails look like they’ve come from within the same organization as the intended target, using the company’s domain in the ‘To’ and ‘From’ fields.

According to Microsoft, this is possible because the tenant organization has misconfigured their MX records, so they’re not pointed directly at Microsoft 365 – which means that Microsoft’s spoof detection and email filtering tools aren’t turned on by default. Tenants with MX records which point directly to Office 365 are not vulnerable to this attack vector.

These authentication failures mean that attackers can exploit the permissive nature of the mail server, enabling malicious messages to masquerade as coming from within an organization.

Stolen passwords, CEO fraud and more

Examples of phishing messages sent as part of these campaigns include messages requiring documents to be signed, emails claiming that passwords need to be updated, which take the user to a phony login portal that attackers use to steal credentials, and even fake invoices that claim to be from the company CEO and request payments of thousands of dollars for purchases.

The spoofing of internal domains means the target is more likely to believe the message really does come from one of their colleagues.

“Successful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and/or lead to loss of funds in the case of financial scams,” Microsoft warned.

The company suggested that MX records should be correctly configured to point directly to Office 365, so that organizations are not vulnerable to this method of domain spoofing.

It’s also recommended that companies apply strict domain-based message authentication, reporting, and conformance (DMARC) rules to help prevent domain spoofing, as well as ensuring any third-party services linked to MX are configured correctly. Multi-factor authentication (MFA) is also suggested to help prevent account takeover.

“Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise.”
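
As an added example (not from Microsoft or the original article), the following Python sketch audits a domain's MX and DMARC records for the two conditions described above. It assumes that Microsoft 365 MX hosts end in the suffixes listed and that "strict" DMARC means p=reject applied to all mail; the domains and records are constructed samples.

```python
# Added example: audit DNS answers for the misconfiguration the article describes.
# Assumption (not from the article): Microsoft 365 MX hosts end in these suffixes.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must start with the version tag v=DMARC1.
    if not txt.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        return None
    return tags


def audit_domain(mx_hosts, dmarc_txt):
    """Return findings for one domain; an empty list means neither issue was found.

    mx_hosts: MX target names for the domain.
    dmarc_txt: TXT record found at _dmarc.<domain>, or None if absent.
    """
    findings = []
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    if not hosts:
        findings.append("no MX records")
    external = [h for h in hosts if not h.endswith(M365_MX_SUFFIXES)]
    if external:
        findings.append("MX not pointed directly at Microsoft 365: " + ", ".join(external))
    tags = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if tags is None:
        findings.append("no valid DMARC record")
        return findings
    policy = tags.get("p", "").lower()
    if policy != "reject":  # assumption: only p=reject counts as strict
        findings.append("DMARC policy is p=%s, not reject" % (policy or "missing"))
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append("DMARC policy applies to only %s%% of mail" % pct)
    return findings


# Constructed sample records (reserved .example names, not real tenants).
SAMPLES = {
    "weak.example": (["mx1.filter.example."], "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "good.example": (["good-example.mail.protection.outlook.com."], "v=DMARC1; p=reject; pct=100"),
}

if __name__ == "__main__":
    for domain, (mx, dmarc) in SAMPLES.items():
        print(domain, audit_domain(mx, dmarc) or "ok")
```

A finding for an external MX host is a prompt to review the connector and spoofing protections for that mail path, not proof that the tenant is exposed.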


