- Email systems that do not enforce SPF, DKIM, and DMARC results let attackers spoof a company's own domain.
- Phishing emails imitate internal messages, built with kits such as Tycoon2FA and themed around HR notices or voicemails.
- Stolen credentials fuel secondary Business Email Compromise (BEC) attacks in broad, untargeted campaigns.
Cybercriminals abuse email server misconfigurations to send highly convincing phishing emails and trick victims into sharing their login credentials and other secrets. This is according to Microsoft, which in a recent report stated that this practice is not new, but that it has become more popular during the second half of 2025.
In the document, Microsoft explains that scammers are taking advantage of the way some companies route email and configure their security controls. Normally, email systems rely on three checks to confirm that a message actually comes from the organization it claims to come from: SPF verifies that the sending server is authorized for the envelope sender's domain, DKIM verifies a cryptographic signature placed on the message by the sending domain, and DMARC ties those two results to the visible From address and tells the receiver what to do (nothing, quarantine, or reject) when neither check passes and aligns.
In complex setups (for example when email passes through third-party services or on-premises servers before reaching the mailbox), these controls are sometimes weak or not strictly enforced: a DMARC policy left at p=none, or a connector or transport rule that trusts any message carrying the company's own domain without waiting for the authentication verdict.
Fake voicemails and password resets
Attackers can then take advantage of this by sending email from outside the company while using the company's own domain as the sender. Because the system does not reject a message whose checks fail, the email is accepted and, since it carries the company's domain, marked as "internal."
Criminals can also copy internal templates, such as using an employee’s real address in the sender and recipient fields or familiar display names like IT or HR.
The resulting message looks like a legitimate internal email, making it more likely that victims will take the bait.
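The following is an added example, not code from Microsoft's report or from the TechRadar article. It models the decision a receiving mail gateway makes about a message that claims the organization's own domain as sender: it parses the message's Authentication-Results header and the domain's DMARC record, applies DMARC alignment rules, and reports whether the message is accepted and labelled internal. The DMARC records, the domain names (example.com, corp.example, lure.invalid), and the two messages are constructed inline so the script runs offline; the `own_domain_bypasses_auth` flag is a hypothetical switch standing in for a connector or transport rule that trusts the company's own domain before authentication is enforced.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT records for two hypothetical domains (not real DNS data).
# example.com has the weak monitoring-only policy; corp.example enforces rejection
# with strict alignment.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "corp.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

# Constructed spoofed message: sent from outside, but the From header carries the
# target's own domain. SPF fails (envelope sender is the attacker's domain) and there
# is no DKIM signature, so DMARC fails. {d} is filled with the target domain.
SPOOFED_TEMPLATE = """From: "IT Helpdesk" <it-helpdesk@{d}>
To: alice@{d}
Subject: Voicemail: you have 1 new message
Authentication-Results: mx.{d}; spf=fail smtp.mailfrom=bounce@lure.invalid; dkim=none; dmarc=fail header.from={d}

A new voicemail is waiting for you. Sign in to listen.
"""

# Constructed legitimate internal message: SPF and DKIM both pass and align.
LEGIT_MESSAGE = """From: "HR" <hr@corp.example>
To: alice@corp.example
Subject: Updated holiday calendar
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

The holiday calendar for next year is attached.
"""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Crude organizational-domain reduction (last two labels); production code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, strict):
    """DMARC alignment: exact match in strict mode, same organizational domain in relaxed mode."""
    if strict:
        return identifier_domain == from_domain
    return org_domain(identifier_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract SPF/DKIM verdicts and the domains they were evaluated for."""
    out = {}
    for key in ("spf", "dkim"):
        m = re.search(rf"\b{key}=(\w+)", header, re.I)
        out[key] = m.group(1).lower() if m else "none"
    for key in ("smtp.mailfrom", "header.d"):
        m = re.search(rf"{re.escape(key)}=([\w.@-]+)", header, re.I)
        out[key] = m.group(1).split("@")[-1].lower() if m else ""
    return out


def dmarc_evaluate(from_domain, auth):
    """Return (dmarc_result, disposition) for a message whose From domain is from_domain."""
    policy = parse_dmarc(DMARC_RECORDS.get(from_domain, "v=DMARC1; p=none"))
    spf_ok = auth["spf"] == "pass" and aligned(auth["smtp.mailfrom"], from_domain, policy.get("aspf") == "s")
    dkim_ok = auth["dkim"] == "pass" and aligned(auth["header.d"], from_domain, policy.get("adkim") == "s")
    if spf_ok or dkim_ok:
        return "pass", "accept"
    # Neither identifier passed and aligned: the domain owner's p= tag decides.
    return "fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy.get("p"), "accept")


def gateway_decision(raw_message, own_domain, own_domain_bypasses_auth=False):
    """Model the receiving gateway's decision for one message.

    own_domain_bypasses_auth=True is a hypothetical flag for the misconfiguration the
    report describes: mail bearing the company's own domain is trusted regardless of
    the authentication verdict, so a spoofed message is delivered and labelled internal.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    result, disposition = dmarc_evaluate(from_domain, auth)
    internal = from_domain == own_domain and disposition == "accept"
    if from_domain == own_domain and own_domain_bypasses_auth:
        disposition, internal = "accept", True
    return {"dmarc": result, "disposition": disposition, "internal": internal}


if __name__ == "__main__":
    print("p=none, spoofed:   ", gateway_decision(SPOOFED_TEMPLATE.format(d="example.com"), "example.com"))
    print("p=reject, spoofed: ", gateway_decision(SPOOFED_TEMPLATE.format(d="corp.example"), "corp.example"))
    print("bypass rule, spoofed:", gateway_decision(SPOOFED_TEMPLATE.format(d="corp.example"), "corp.example", True))
    print("p=reject, legit:   ", gateway_decision(LEGIT_MESSAGE, "corp.example"))
```

The first run shows the problem the report describes: with p=none the spoofed voicemail lure fails DMARC yet is accepted and labelled internal. The same message against the p=reject domain is rejected, unless the bypass rule is in place, in which case the enforcing policy is never consulted. Checking a real domain means replacing the DMARC_RECORDS dictionary with a TXT lookup of `_dmarc.<domain>` and reviewing every inbound connector or transport rule that exempts the company's own domain from the verdict.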
Microsoft says attackers use known phishing kits, such as Tycoon2FA, to create convincing lures, usually around the theme of voicemails, shared documents, HR department communications, password resets or expirations, and more.
Ultimately, this does not appear to be a targeted campaign. Instead, attackers cast as wide a net as possible, trying to harvest as many login credentials and other secrets as they can. In some cases, they obtained passwords for email accounts and then used them in secondary Business Email Compromise (BEC) attacks.
Via The Hacker News