
- Misconfigured email routing lets attackers send mail as a company's own domain: SPF, DKIM, and DMARC checks fail, but the failures are not enforced, so the message is accepted
- Phishing emails mimic internal messages using kits like Tycoon2FA with HR or voicemail themes
- Stolen credentials fuel secondary Business Email Compromise (BEC) attacks across broad, non-targeted campaigns
Cybercriminals are abusing misconfigurations in email servers to send highly convincing phishing emails and trick victims into handing over login credentials and other secrets. This is according to Microsoft, which said in a recent report that the practice isn't new, but that it grew more popular in the second half of 2025.
In the report, Microsoft explained that crooks are taking advantage of how some companies route email and how they configure their security checks. Normally, email systems use SPF (is the sending server authorized for the domain?), DKIM (does the message carry a valid signature for the domain?) and DMARC (does the domain in the visible From header line up with those results, and what should happen when it doesn't?) to confirm that a message really comes from the organization it claims to be from.
In complex setups (such as when email passes through third-party filtering services or on-prem relays before reaching the mailbox) these checks are sometimes weak or not strictly enforced: a message can fail all three and still be delivered, either because the domain publishes a DMARC policy of p=none or because the receiving side does not act on the failure.
Fake voicemails and password resets
Attackers then take advantage of this by sending emails from outside the company while putting the company's own domain in the sender address. Because the system doesn't reject messages that fail the checks, the email is accepted and treated as "internal."
Criminals can also copy internal patterns, such as using an employee’s real address in both the sender and recipient fields or familiar display names like IT or HR.
The resulting message looks like a legitimate internal email, making it more likely for the victims to take the bait.
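The pattern described above can be checked on the receiving side. The following is an added example, not code from Microsoft's report or from TechRadar: it parses a message's Authentication-Results header and the domain's DMARC record, then flags the three tells the article describes (own domain in From with a failed DMARC result, sender and recipient being the same mailbox, and a generic "IT" or "HR" display name) and shows how the verdict changes with the published policy and with whether the receiver enforces it. The domain example.com, the sample messages and the DMARC records are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the defending organisation's domain (hypothetical).
OWN_DOMAIN = "example.com"
# Generic internal display names the article says the lures borrow.
SUSPICIOUS_DISPLAY_NAMES = {"it", "it support", "hr", "human resources", "helpdesk", "voicemail"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; ...') into a lowercase tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def parse_auth_results(header):
    """Extract spf/dkim/dmarc results from an Authentication-Results header value."""
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.IGNORECASE):
        results[method.lower()] = result.lower()
    return results


def evaluate(raw_message, dmarc_txt, receiver_enforces=True):
    """Return (verdict, findings) for a raw RFC 5322 message.

    verdict is what a receiver that honours the published DMARC policy would do
    ('deliver', 'quarantine' or 'reject'); findings lists the spoofing tells.
    receiver_enforces=False models a relay that accepts the mail regardless.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc_record(dmarc_txt).get("p", "none")

    claims_internal = from_domain == OWN_DOMAIN
    dmarc_passed = auth.get("dmarc") == "pass"
    findings = []

    if claims_internal and not dmarc_passed:
        findings.append(f"From uses {OWN_DOMAIN} but DMARC result is {auth.get('dmarc', 'missing')}")
    if claims_internal and from_addr == to_addr:
        findings.append("self-addressed: sender and recipient are the same mailbox")
    if display_name.strip().lower() in SUSPICIOUS_DISPLAY_NAMES:
        findings.append(f"generic internal display name '{display_name}'")

    if claims_internal and not dmarc_passed and receiver_enforces:
        # p=none is the misconfiguration: a failed check changes nothing.
        verdict = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    else:
        verdict = "deliver"
    return verdict, findings


# Constructed sample: an external message spoofing the organisation's own domain,
# addressed back to the same mailbox, with a generic display name and a voicemail lure.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.attacker.invalid; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <alice@example.com>
To: alice@example.com
Subject: New voicemail message (0:42)

You have a new voicemail. Listen here: https://example.invalid/vm
"""

# Constructed sample: a genuine internal message that passes DMARC.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Bob Jones" <bob@example.com>
To: alice@example.com
Subject: Lunch?

Noon works for me.
"""

if __name__ == "__main__":
    for label, record in (("p=none", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
                          ("p=reject", "v=DMARC1; p=reject")):
        print(label, evaluate(SAMPLE_SPOOF, record))
    print("p=reject, non-enforcing relay", evaluate(SAMPLE_SPOOF, "v=DMARC1; p=reject", receiver_enforces=False))
    print("legit", evaluate(SAMPLE_LEGIT, "v=DMARC1; p=reject"))
```

Run against the spoofed sample, the three findings fire in every case, but the verdict is "deliver" under p=none and "reject" only when the record says p=reject and the receiving hop actually acts on it; a relay that accepts the message anyway produces the same "deliver" as p=none, which is the gap the article describes. The findings are worth alerting on even when the verdict is "deliver", since they are exactly what makes the mail look internal.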
Microsoft says the attackers are using known phishing kits, such as Tycoon2FA, to create convincing lures, usually themed around voicemails, shared documents, communications from HR departments, password resets or expirations, and similar.
Finally, this doesn't appear to be a targeted campaign. Instead, the attackers are casting as wide a net as they can, trying to harvest as many login credentials and other secrets as possible. In some cases they obtained passwords to email accounts and then used them in secondary Business Email Compromise (BEC) attacks.
Via The Hacker News