Particle.news

Microsoft Warns Misconfigured Email Routing Is Fueling Internal‑Spoofed Phishing

Microsoft says attackers exploit complex MX routing alongside lax DMARC, SPF and DKIM settings.

Overview

  • Microsoft’s latest advisory details a rise since May 2025 in campaigns that make phishing emails look like they came from inside a victim’s organization.
  • Phishing-as-a-service kits such as Tycoon2FA power these operations, including adversary-in-the-middle flows to bypass MFA, with Microsoft blocking over 13 million Tycoon-linked emails in October 2025.
  • Lures frequently mimic HR notices, password resets, voicemails or shared documents, and some scams push fraudulent payments using convincing invoices, W‑9 forms and fake bank letters.
  • The messages appear to come from inside the tenant, but their headers typically show delivery from an external source with SPF or DMARC failures and no DKIM signature; a misconfigured third‑party connector can nonetheless let them reach the inbox.
  • Microsoft urges tenants to point MX records directly to Office 365, enforce DMARC with a reject policy (p=reject) backed by an SPF record that hard‑fails (-all) and by DKIM signing, configure third‑party connectors correctly, and disable Direct Send where it is not needed, noting that tenants whose MX already points directly to Office 365 are not exposed to this vector.
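The header pattern described above (an internal-looking From: address arriving with SPF/DMARC failures and no DKIM) can be checked mechanically. The Python script below is an added worked example, not tooling from Microsoft's advisory or from Particle.news. It assumes a hypothetical tenant domain `contoso.example`, assumes the receiving MTA stamps a standard RFC 8601 `Authentication-Results` header with `spf=`, `dkim=` and `dmarc=` verdicts (as Exchange Online does), and runs over three constructed sample messages embedded in the script.

```python
"""Flag messages that claim an internal From: domain but were not
authenticated as coming from the tenant.

Added illustration, not Microsoft's own tooling. Assumes the receiving MTA
stamps RFC 8601 Authentication-Results headers (spf=..., dkim=..., dmarc=...).
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical tenant domain; replace with your tenant's accepted domains.
TENANT_DOMAINS = {"contoso.example"}

# Matches "spf=fail", "dkim=none", "dmarc=pass", etc. inside Authentication-Results.
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Collect the first verdict seen per method across all
    Authentication-Results headers. The receiving MTA's header is stamped
    last and therefore appears first, so its verdict wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(str(header)):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def header_from_domain(msg):
    """Domain of the RFC 5322 From: header, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw_message, tenant_domains=TENANT_DOMAINS):
    """Return (suspicious, reasons).

    Only messages whose From: domain belongs to the tenant are in scope.
    For those, anything short of a 'pass' for SPF, DKIM and DMARC means the
    message was not authenticated as originating from the tenant, which is
    exactly the internal-spoof pattern: the From: says inside, the
    authentication results say outside."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = header_from_domain(msg)
    if domain not in tenant_domains:
        return False, ["From domain is external; not an internal-spoof candidate"]

    verdicts = parse_auth_results(msg)
    reasons = []
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")  # no header at all is also a failure
        if verdict != "pass":
            reasons.append(f"{method}={verdict}")
    return bool(reasons), reasons


# Constructed sample messages (not real traffic). Addresses use the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SPOOFED = """\
Received: from relay.attacker.example (203.0.113.10) by connector.contoso.example
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.example;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.example
From: HR Department <hr@contoso.example>
To: employee@contoso.example
Subject: Updated leave policy - review required

Please open the attached document and confirm.
"""

LEGIT = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=contoso.example;
 dkim=pass header.d=contoso.example;
 dmarc=pass action=none header.from=contoso.example
From: IT Helpdesk <helpdesk@contoso.example>
To: employee@contoso.example
Subject: Scheduled maintenance

Mail will be unavailable Saturday 02:00-04:00.
"""

EXTERNAL = """\
Authentication-Results: spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Vendor Billing <billing@vendor.example>
To: ap@contoso.example
Subject: Invoice 1042

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        suspicious, reasons = assess(raw)
        print(f"{name:9s} suspicious={suspicious} reasons={reasons}")
```

The check deliberately treats a missing `Authentication-Results` header as a failure rather than a pass: a connector that hands mail to the tenant without the checks being recorded gives you no evidence that the message is internal, which is the same blind spot the advisory's connector and Direct Send guidance addresses.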