- Misconfigured email servers let attackers spoof domains and bypass SPF, DKIM and DMARC checks
- Phishing emails impersonate internal messages using kits like Tycoon2FA with HR or voicemail themes
- Stolen credentials fuel secondary Business Email Compromise (BEC) attacks across broad, untargeted campaigns
Cybercriminals exploit misconfigurations in email servers to send highly convincing phishing emails and trick victims into sharing login credentials and other secrets. This is according to Microsoft, which said in a recent report that the practice is not new, but it became more popular in the second half of 2025.
In the paper, Microsoft explained that bad guys take advantage of how some companies route email and how they set up their security checks. Usually, email systems use checks like SPF, DKIM and DMARC to confirm that a message really comes from the organization it claims to be from.
In complex setups (such as when email passes through third-party services or local servers), these controls are sometimes weak or not strictly enforced.
Fake voicemails and password resets
Attackers can then exploit this by sending emails from outside the company while using the company’s own domain as the sender. Because the receiving system does not fully reject messages that fail these checks, the email is accepted and marked as “internal”.
Criminals can also copy internal patterns, such as using an employee’s real address in both the sender and recipient fields, or familiar display names such as IT or HR.
The resulting message looks like a legitimate internal email, making victims more likely to take the bait.
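As an added illustration (not from the Microsoft report or the TechRadar article), here is a small Python check a mail gateway or SOC team could run over an inbound message's headers to flag the pattern described above: a sender claiming the organisation's own domain that did not pass SPF/DKIM/DMARC, the same address in both From and To, and a sender-side DMARC policy of p=none that lets such failures through. The domain example.com, the sample headers and the message are constructed.

```python
"""Flag inbound mail that claims an internal sender but failed authentication."""
import email
import re
from email import policy

OUR_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample: employee address in From and To, display name "HR",
# voicemail lure, and an Authentication-Results header where every check failed.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail (p=none) header.from=example.com
From: HR <alice@example.com>
To: alice@example.com
Subject: New voicemail message

You have a new voicemail. Sign in to listen.
"""

def parse_auth_results(value: str) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from an RFC 8601-style
    Authentication-Results value; a method that is absent is reported as 'none'."""
    results = {m: "none" for m in ("spf", "dkim", "dmarc")}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
        results[method.lower()] = result.lower()
    return results

def dmarc_policy(value: str) -> str:
    """Extract the sender's published DMARC policy (p=none|quarantine|reject)
    as echoed in the header comment, or 'unknown' if it is not present."""
    m = re.search(r"\bp=(none|quarantine|reject)\b", value, re.I)
    return m.group(1).lower() if m else "unknown"

def classify(raw: str) -> dict:
    """Parse one raw message and list the reasons it looks like internal spoofing."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    to_addr = msg["To"].addresses[0].addr_spec if msg["To"] else ""
    from_domain = from_addr.rpartition("@")[2].lower()
    ar = str(msg.get("Authentication-Results", ""))
    auth = parse_auth_results(ar)
    reasons = []
    if from_domain == OUR_DOMAIN and auth["dmarc"] != "pass":
        reasons.append("claims internal sender but DMARC did not pass")
    if from_addr and from_addr.lower() == to_addr.lower():
        reasons.append("same address in From and To")
    if dmarc_policy(ar) == "none":
        reasons.append("DMARC policy is p=none, so failures are not rejected")
    return {"from": from_addr, "auth": auth,
            "suspicious": bool(reasons), "reasons": reasons}
```

Running `classify(SAMPLE)` flags all three conditions; a message whose DMARC result is `pass` under a `p=reject` policy and whose From and To differ is not flagged.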
Microsoft says the attackers use known phishing kits, such as Tycoon2FA, to create convincing lures, usually themed around voicemails, shared documents, communications from HR departments, password resets or expirations, and the like.
Finally, this does not appear to be a targeted campaign. Instead, the attackers cast as wide a net as they can, trying to get as many login credentials and other secrets as possible. In some cases, they were able to obtain passwords to email accounts and then use them in secondary Business Email Compromise (BEC) attacks.
Via Hacker News