- Misconfigured email servers allow attackers to spoof domains and bypass SPF, DKIM, and DMARC checks.
- Phishing emails mimic internal messages using kits like Tycoon2FA with HR or voicemail themes.
- Stolen credentials from these broad, untargeted campaigns fuel secondary business email compromise (BEC) attacks.
Cybercriminals are abusing misconfigurations on email servers to send highly convincing phishing emails and trick victims into sharing their login credentials and other secrets. This is according to Microsoft, which said in a recent report that the practice is not new but became more popular in the second half of 2025.
In the document, Microsoft explained that criminals are taking advantage of how some companies route email and how they configure their security controls. Typically, email systems use checks such as SPF, DKIM, and DMARC to confirm that a message actually comes from the organization it claims to come from.
In complex setups (such as when email passes through third-party services or local servers), these checks are sometimes weak or not strictly enforced.
Fake voicemails and password resets
Attackers can then take advantage of this by sending emails from outside the company but using the company’s own domain as the sender. Because the system does not completely reject failed checks, the email is accepted and marked as “internal.”
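As an added example (not code from Microsoft's report or from this article), the Python below shows how an inbound gateway evaluates SPF and DKIM alignment against the domain owner's DMARC policy, and why a policy that does not reject failures lets a message sent from outside with the company's own domain through as "internal". The domain example.com, the Authentication-Results samples and all function names are constructed for illustration.

```python
import re

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (placeholder)

def _field(header: str, key: str) -> str:
    """Pull one key=value token out of an Authentication-Results header."""
    m = re.search(rf"(?<![\w.]){re.escape(key)}=([^\s;]+)", header)
    return m.group(1).lower() if m else ""

def parse_auth_results(header: str) -> dict:
    """Reduce an RFC 8601 style Authentication-Results header to what DMARC needs."""
    mailfrom = _field(header, "smtp.mailfrom")
    return {
        "spf": _field(header, "spf"),
        "spf_domain": mailfrom.split("@")[-1],
        "dkim": _field(header, "dkim"),
        "dkim_domain": _field(header, "header.d"),
    }

def dmarc_aligned(from_domain: str, ar: dict) -> bool:
    """DMARC passes only if SPF or DKIM passes AND that domain matches From:."""
    spf_ok = ar["spf"] == "pass" and ar["spf_domain"] == from_domain
    dkim_ok = ar["dkim"] == "pass" and ar["dkim_domain"] == from_domain
    return spf_ok or dkim_ok

def disposition(from_domain: str, ar: dict, policy: str) -> str:
    """Apply the published policy (p=none|quarantine|reject) to one message."""
    if dmarc_aligned(from_domain, ar):
        return "deliver"
    # p=none (or an unenforced policy) delivers the message despite the failure.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")

def is_spoofed_internal(from_domain: str, ar: dict) -> bool:
    """Detection rule: claims our own domain but fails aligned SPF and DKIM."""
    return from_domain == INTERNAL_DOMAIN and not dmarc_aligned(from_domain, ar)

# Constructed samples: (From: domain, Authentication-Results header).
SAMPLES = [
    ("example.com", "mx.example.com; spf=pass smtp.mailfrom=hr@example.com; dkim=pass header.d=example.com"),
    ("example.com", "mx.example.com; spf=fail smtp.mailfrom=it@example.com; dkim=none"),
    ("example.com", "mx.example.com; spf=pass smtp.mailfrom=b@relay.example.net; dkim=pass header.d=relay.example.net"),
]

def triage(policy: str) -> list:
    """Return (disposition, flagged_as_spoof) for each sample under one policy."""
    out = []
    for from_domain, header in SAMPLES:
        ar = parse_auth_results(header)
        out.append((disposition(from_domain, ar, policy), is_spoofed_internal(from_domain, ar)))
    return out
```

Running triage("none") delivers all three samples, including the spoofed IT notice; triage("reject") drops it, but also drops the third sample, which is signed by a relay rather than by the organisation's own domain, the kind of unaligned legitimate mail that leads admins to loosen enforcement.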
Criminals can also copy internal patterns, such as using an employee’s real address in the sender and recipient fields or familiar display names such as IT or HR.
The resulting message looks like a legitimate internal email, making victims more likely to take the bait.
Microsoft says attackers are using well-known phishing kits, such as Tycoon2FA, to create convincing lures, usually related to voicemails, shared documents, communications from human resources departments, password resets or expirations, and the like.
Finally, this does not appear to be a targeted campaign. Instead, attackers are casting as wide a net as possible, trying to obtain as many login credentials and other secrets as they can. In some cases, they were able to obtain passwords for email accounts and then use them in secondary business email compromise (BEC) attacks.
Via Hacker News