- Misconfigured mail servers allow attackers to spoof domains and bypass SPF, DKIM, and DMARC checks.
- Phishing emails imitate internal messages using kits such as Tycoon2FA with HR or voicemail subject lines.
- Stolen credentials facilitate secondary business email compromise (BEC) attacks in large-scale untargeted campaigns.
Cybercriminals are abusing misconfigured mail servers to send highly convincing phishing emails that trick victims into sharing login credentials and other secrets. This is according to Microsoft, which stated in a recent report that the practice is not new but has become more popular in the second half of 2025.
In the document, Microsoft explained that scammers are taking advantage of the way some companies route email and how they set up security checks. Typically, email systems use checks such as SPF, DKIM, and DMARC to confirm that the message actually came from the organization it claims to be from.
In complex configurations (for example, when email passes through third-party services or local servers), these checks are sometimes weak or not strictly enforced.
Fake voicemails and password resets
Attackers can then take advantage of this by sending emails from outside the company, but using the company's own domain as the sender. Because the system does not completely reject failed checks, the email is accepted and marked as “internal”.
Criminals can also copy internal patterns, such as using an employee's real address in the sender and recipient fields, or familiar display names such as IT or HR.
The message received appears to be a legitimate internal email, making victims more likely to fall for the bait.
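The acceptance logic the article describes, as an added example that is not code from the article or from Microsoft's report: a minimal DMARC evaluator for inbound mail that claims to come from the receiving organization's own domain. It shows why a message failing both SPF and DKIM is still accepted under a weak policy (p=none) or by a receiver that evaluates but does not enforce the policy, while a strict p=reject policy that is actually enforced drops it, and it includes a detection hook for the "looks internal but never authenticated" case. All domains, DMARC records and authentication results are constructed sample data; organizational-domain reduction is simplified to the last two labels rather than using the Public Suffix List.

```python
"""Added example (not from the article or Microsoft's report): a minimal
DMARC evaluator for inbound mail using our own domain as sender.
Sample domains, records and authentication results are constructed."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """What the receiving MTA already determined for one message."""
    spf_result: str    # "pass", "fail", "softfail", "none", "temperror", ...
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # RFC 7489 defaults: relaxed alignment for both mechanisms
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResult,
                   enforce: bool = True) -> dict:
    """Return the DMARC result and the disposition a receiver should apply.
    enforce=False models a receiver that runs the checks but does not act
    on failures, which is the weak setup the article describes."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "accept"}
    policy = tags.get("p", "none")
    if not enforce or policy == "none":
        disposition = "accept"
    elif policy == "quarantine":
        disposition = "quarantine"
    elif policy == "reject":
        disposition = "reject"
    else:
        disposition = "accept"   # unknown policy value: treated as no policy
    return {"dmarc": "fail", "disposition": disposition}


def looks_internal_but_unauthenticated(from_domain: str, internal_domain: str,
                                       verdict: dict) -> bool:
    """Detection hook: a message that uses our own domain as sender, failed
    DMARC and was still accepted is exactly the lure the article describes
    and deserves an external-sender banner or an alert."""
    return (org_domain(from_domain) == org_domain(internal_domain)
            and verdict["dmarc"] == "fail"
            and verdict["disposition"] == "accept")


if __name__ == "__main__":
    weak = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    # constructed: mail from outside the company using example.com as sender
    spoof = AuthResult("fail", "example.com", "none", "")
    print("weak policy:  ", evaluate_dmarc("example.com", weak, spoof))
    print("strict policy:", evaluate_dmarc("example.com", strict, spoof))
```

The third-party relay case from the article is handled by the DKIM branch: a legitimate message relayed through an external service fails SPF (the relay's IP is not in the record) but still passes DMARC if the relay signs with the organization's own DKIM key, so strict enforcement does not require accepting failed checks to keep such mail flowing.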
Microsoft says attackers use well-known phishing kits such as Tycoon2FA to create convincing lures, typically related to voicemail, shared documents, messages from HR departments, password resets or expirations, and the like.
Finally, this does not appear to be a targeted campaign. Instead, attackers cover as wide a network as possible, trying to obtain as many credentials and other secrets as possible. In some cases, they were able to obtain passwords for email accounts and then use them in secondary attacks aimed at business email compromise (BEC).
Via The Hacker News