
Microsoft 365 and Exchange Vulnerability: How Misconfigured Email Routing Enables Internal Phishing Attacks

  • Rescana
  • 2 days ago
  • 5 min read

Executive Summary

Microsoft has issued a critical advisory highlighting a surge in sophisticated phishing campaigns that exploit misconfigured email routing and insufficient spoof protection within Microsoft 365 and hybrid Exchange environments. These attacks enable adversaries to send phishing emails that convincingly appear to originate from an organization’s own internal domain, thereby bypassing standard security controls and increasing the likelihood of successful credential theft, business email compromise (BEC), and financial fraud. The campaigns are opportunistic, targeting organizations across all sectors and geographies, and are frequently facilitated by Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA. The primary advanced persistent threat (APT) group associated with these attacks is Storm-1747. This report provides a comprehensive technical analysis, exploitation details, detection guidance, and actionable mitigation strategies to help organizations defend against this evolving threat.

Technical Information

The attack vector leverages weaknesses in email authentication and routing configurations, particularly in environments where MX records do not point directly to Office 365 or where DMARC, SPF, and DKIM policies are not strictly enforced. In such scenarios, attackers can inject emails into the organization’s mail flow that appear to be sent from legitimate internal addresses. These emails often use the same address in both the “To” and “From” fields, exploiting implicit trust in internal communications.

The technical mechanism involves adversaries identifying organizations with complex or misconfigured mail routing—such as those using on-premises Exchange servers, third-party security appliances, or custom connectors. Attackers then craft phishing emails that spoof the organization’s domain, exploiting lax or permissive DMARC, SPF, and DKIM settings. These emails are delivered to users’ inboxes, often bypassing anti-spam and anti-phishing filters due to the appearance of internal origin.

The campaigns are typically orchestrated via PhaaS platforms like Tycoon2FA, which provide adversary-in-the-middle (AiTM) phishing kits capable of intercepting credentials and session tokens, even in environments protected by multi-factor authentication (MFA). Common phishing lures include fake password expiration notices, fraudulent SharePoint or DocuSign document shares, HR communications, and financial scams such as fake invoices or wire transfer requests. Attackers also abuse Direct Send features in Microsoft 365 to deliver unauthenticated messages that appear as internal emails.

Technical indicators in email headers that may signal exploitation include SPF fail or softfail, DKIM none, DMARC fail or none, X-MS-Exchange-Organization-InternalOrgSender: True, X-MS-Exchange-Organization-MessageDirectionality: Incoming, and X-MS-Exchange-Organization-AuthAs: Anonymous.
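As an added illustration (not part of the advisory), the following Python check parses a constructed message and reports which of the header indicators listed above are present. It assumes example.com is the tenant's own domain and that the Authentication-Results header follows Microsoft 365's spf/dkim/dmarc layout.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): an unauthenticated message injected into
# the tenant that spoofs the tenant's own domain (assumed: example.com) in To and From.
SPOOFED_MESSAGE = """\
Authentication-Results: spf=softfail (sender IP is 203.0.113.7) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-InternalOrgSender: True
From: IT Helpdesk <helpdesk@example.com>
To: helpdesk@example.com
Subject: Your password expires today

Sign in now to keep your account active.
"""

def parse_auth_results(value):
    """Map spf/dkim/dmarc to their verdict from an Authentication-Results header."""
    results = {}
    for clause in value.split(";"):
        method, sep, rest = clause.strip().partition("=")
        words = rest.split()
        if sep and words and method.lower() in ("spf", "dkim", "dmarc"):
            results[method.lower()] = words[0].lower()
    return results

def internal_spoof_indicators(raw, internal_domains):
    """Return the advisory's header indicators found in a message whose From
    domain is one of the tenant's own domains (external senders are skipped)."""
    msg = email.message_from_string(raw, policy=policy.default)
    def header(name):
        return str(msg.get(name, "")).strip().lower()

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    if from_addr.rpartition("@")[2] not in internal_domains:
        return []
    auth = parse_auth_results(header("Authentication-Results"))
    checks = {
        "spf-fail": auth.get("spf") in ("fail", "softfail"),
        "dkim-none": auth.get("dkim", "none") == "none",
        "dmarc-fail": auth.get("dmarc", "none") in ("fail", "none"),
        "auth-as-anonymous": header("X-MS-Exchange-Organization-AuthAs") == "anonymous",
        "inbound-internal-sender": header("X-MS-Exchange-Organization-MessageDirectionality") == "incoming"
        and header("X-MS-Exchange-Organization-InternalOrgSender") == "true",
        "self-addressed": from_addr == to_addr,
    }
    return [name for name, hit in checks.items() if hit]
```

A genuine internal message authenticates with AuthAs Internal and passes SPF/DKIM/DMARC, so only the self-addressed check can fire on it; several hits together are what warrant investigation.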

Infrastructure used in these campaigns often includes attacker-controlled Windows Server 2022 hosts presenting valid or self-signed DigiCert SSL certificates, as well as compromised or misused third-party SMTP relays and virtual private servers (VPS) for message injection.

Exploitation in the Wild

Since May 2025, there has been a marked increase in exploitation of this attack vector, with widespread campaigns observed across all major sectors, including finance, healthcare, government, education, and manufacturing. The attacks are global in scope, with no specific regional focus, and are opportunistically targeting organizations in North America, EMEA, APAC, and Latin America.

Threat actors are leveraging Tycoon2FA and similar PhaaS platforms to automate and scale their operations. These platforms provide ready-made phishing kits that can bypass MFA by intercepting authentication tokens in real time. The phishing lures are highly tailored, often mimicking legitimate business processes such as password resets, document approvals, and financial transactions. Some campaigns have been observed impersonating C-level executives or accounting departments to initiate fraudulent wire transfers or invoice payments.

Attackers are also exploiting unsecured third-party email security appliances as SMTP relays, as well as abusing Microsoft 365’s Direct Send feature to deliver spoofed emails. The use of valid or self-signed SSL certificates on attacker infrastructure further complicates detection and attribution.

APT Groups using this vulnerability

The primary APT group associated with these campaigns is Storm-1747, as referenced by Microsoft. Storm-1747 is known for its use of adversary-in-the-middle phishing techniques and its reliance on the Tycoon2FA platform. In addition to Storm-1747, other opportunistic cybercriminal groups and PhaaS operators have been observed leveraging this vulnerability to conduct credential harvesting, BEC, and financial fraud. The commoditization of AiTM phishing kits has lowered the barrier to entry, enabling a broader range of threat actors to exploit misconfigured email routing and authentication.

Affected Product Versions

The vulnerability affects the following product versions and configurations:

Microsoft 365 Exchange Online tenants whose MX records do not point directly to Office 365 and who have not strictly enforced DMARC, SPF, and DKIM policies are at risk. This includes organizations with hybrid Microsoft Exchange deployments, where on-premises Exchange Server 2016, Exchange Server 2019, or earlier versions are used in conjunction with Microsoft 365, and where complex routing or third-party mail gateways are present before delivery to Microsoft 365.

Any Microsoft 365 tenant using third-party mail gateways, security appliances, or custom connectors that alter mail flow and do not enforce strict anti-spoofing policies is also vulnerable.

Organizations whose MX records point directly to Office 365 and who have strict DMARC/SPF/DKIM enforcement are not affected by this specific attack vector.

Workaround and Mitigation

To mitigate the risk of internal domain phishing via misconfigured email routing, organizations should take the following actions:

  • Strictly enforce DMARC with a reject policy, SPF with a hard fail, and DKIM for all domains.
  • Ensure that MX records point directly to Office 365 wherever possible, minimizing the use of third-party relays or complex routing.
  • Properly configure all third-party connectors and mail flow rules to prevent unauthorized message injection.
  • Monitor for emails with identical “To” and “From” fields from internal domains, as this is a common indicator of spoofing.
  • Educate users to recognize suspicious internal emails, especially those containing urgent financial requests or prompts for credential input.
  • Deploy phishing-resistant MFA solutions such as FIDO2, Windows Hello, or authenticator passkeys for all users, with a focus on privileged accounts.
  • Regularly review and update mail flow and authentication policies to ensure compliance with best practices.
  • If the Direct Send feature is not required, enable “Reject Direct Send” via PowerShell using the following command:

    Set-OrganizationConfig -RejectDirectSend $true
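To make the "reject policy / hard fail" bar concrete, here is an added Python check (not from the advisory) that grades a domain's published SPF and DMARC records against it. The records are constructed strings for example.com so the check runs offline; in practice they would come from TXT lookups of the domain and of _dmarc.<domain>.

```python
def _dmarc_tags(record):
    """Split 'tag=value; tag=value' DMARC syntax into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def assess_dmarc(record):
    """Findings that leave the domain weaker than the advisory's p=reject bar."""
    tags = _dmarc_tags(record)
    if tags.get("v") != "dmarc1":
        return ["no valid DMARC record: spoofed mail is delivered as if unprotected"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: mail failing DMARC is not rejected")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(f"sp={tags['sp']}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings

def assess_spf(record):
    """Findings that leave SPF weaker than a hard fail ('-all')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: no sender IP restriction at all"]
    final = terms[-1].lower()
    if not final.endswith("all"):
        return ["no 'all' mechanism: unlisted senders evaluate as neutral"]
    if final != "-all":
        return [f"terminates with {final}: unauthorized senders are not hard-failed"]
    return []

# Constructed records for example.com (not real DNS data). The permissive pair is the
# lax enforcement the advisory warns about; the strict pair meets its recommendation.
# spf.protection.outlook.com is Microsoft 365's standard SPF include.
PERMISSIVE = {"spf": "v=spf1 include:spf.protection.outlook.com ~all",
              "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"}
STRICT = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
          "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"}

def assess_domain(records):
    """Combine both checks; an empty list means the domain meets the bar."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])
```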

Detection can be enhanced by leveraging Microsoft Defender XDR or Sentinel with queries designed to identify potentially spoofed emails and messages with failed authentication, keyed on the header indicators listed in the Technical Information section above (SPF/DKIM/DMARC failures, AuthAs: Anonymous, and inbound messages flagged as internal-origin).

Rescana is here for you

Rescana is committed to empowering organizations with actionable threat intelligence and robust third-party risk management. Our TPRM platform enables you to continuously monitor, assess, and mitigate cyber risks across your entire digital supply chain. We provide real-time insights, automated risk scoring, and comprehensive reporting to help you stay ahead of emerging threats. For any questions about this advisory or to discuss how Rescana can support your cybersecurity strategy, please contact us at ops@rescana.com.