Internal Trust, External Threat: Phishing Campaigns Exploit Email Routing Weaknesses

Jan 12, 2026

 

Microsoft has issued a warning that improperly configured email routing and weak spoofing protections can expose organizations to internal domain phishing attacks. According to Microsoft Threat Intelligence, attackers are exploiting complex mail routing setups to send emails that appear to originate from within an organization, increasing the likelihood that recipients will trust and engage with them.

The company reports a notable rise in this activity since May 2025, with campaigns observed across multiple industries. Many of these attacks leverage phishing-as-a-service (PhaaS) platforms, particularly Tycoon 2FA, to distribute messages disguised as routine internal communications. Common lures include voicemail notifications, shared documents, HR updates, and password reset alerts, all designed to harvest credentials.

The risk is highest in environments where mail flow is routed through on-premises Exchange servers or third-party services before reaching Microsoft 365, and where spoofing controls are not strictly enforced. This configuration can allow adversaries to bypass protections and impersonate the organization’s own domain. Microsoft noted it blocked more than 13 million emails associated with Tycoon 2FA in October 2025 alone.

Beyond credential theft, these campaigns can enable follow-on attacks such as data exfiltration, business email compromise, and financial fraud, including fake invoices and payment requests. To mitigate exposure, Microsoft recommends enforcing strict SPF and DMARC policies, correctly configuring third-party connectors, and disabling unnecessary features such as Direct Send. Organizations with MX records pointed directly to Microsoft 365 are not affected by this specific attack vector.
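The conditions described above can be checked from a domain's DNS records. The following is an added example, not code from Microsoft or from this article: it audits MX, SPF and DMARC values that have already been looked up, and it treats SPF `-all` and DMARC `p=reject` as the strict settings. The Microsoft 365 MX suffixes, the finding names and all sample records are assumptions constructed for illustration.

```python
# Added example; every record value below is a constructed sample.
# Assumption: these suffixes identify MX hosts that are Microsoft 365 itself.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a lowercase dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def audit(mx_hosts, apex_txt, dmarc_txt):
    """Return findings for the risky conditions the article describes."""
    findings = []
    # MX not pointed directly at Microsoft 365: mail is relayed elsewhere first.
    if any(not h.lower().rstrip(".").endswith(M365_MX_SUFFIXES) for h in mx_hosts):
        findings.append("mx-indirect")
    # SPF: exactly one v=spf1 record, and it must contain the hard-fail "-all".
    terms = [t.lower().split() for t in apex_txt]
    spf = [x for x in terms if x[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("spf-missing-or-duplicate")
    elif "-all" not in spf[0]:
        findings.append("spf-not-hardfail")
    # DMARC: exactly one record with p=reject; p=none only monitors.
    dmarc = [parse_tags(t) for t in dmarc_txt if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1 or "p" not in dmarc[0]:
        findings.append("dmarc-missing-or-invalid")
    elif dmarc[0]["p"] != "reject":
        findings.append("dmarc-not-reject")
    return findings


# Constructed: relayed via a third-party filter, soft-fail SPF, monitor-only DMARC.
WEAK = audit(["mx1.filter.example."],
             ["v=spf1 include:spf.protection.outlook.com ~all"],
             ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
# Constructed: MX direct to Microsoft 365 with strict SPF and DMARC.
STRICT = audit(["example-com.mail.protection.outlook.com."],
               ["v=spf1 include:spf.protection.outlook.com -all"],
               ["v=DMARC1; p=reject"])

if __name__ == "__main__":
    print("weak:", WEAK)
    print("strict:", STRICT)
```

The TXT lists are the records at the domain apex and at `_dmarc.<domain>`; connector configuration and Direct Send are tenant settings and are not visible in DNS, so they need a separate review.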

 

 

References:

https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html

https://www.csoonline.com/article/4113746/microsoft-warns-of-a-surge-in-phishing-attacks-exploiting-email-routing-gaps.html

https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/

 
