This phishing campaign spoofs internal messages - here's what we know


  • Misconfigured email servers let attackers spoof domains and bypass SPF, DKIM, and DMARC checks
  • Phishing emails mimic internal messages using kits like Tycoon2FA with HR or voicemail themes
  • Stolen credentials fuel secondary Business Email Compromise (BEC) attacks across broad, non-targeted campaigns

Cybercriminals are abusing misconfigurations in email servers to send highly convincing phishing emails that trick victims into handing over login credentials and other secrets. This is according to Microsoft, which said in a recent report that the practice isn’t new but grew more popular in the second half of 2025.

In the paper, Microsoft explained that crooks are taking advantage of how some companies route email and how they set up their security checks. Normally, email systems use checks like SPF, DKIM, and DMARC to confirm that a message really comes from the organization it claims to be from.

In complex setups (such as when email passes through third-party services or on-prem servers) these checks are sometimes weak or not strictly enforced.

Fake voicemails and password resets

Attackers exploit this by sending email from outside the company while using the company’s own domain as the sender address. Because the receiving system doesn’t reject messages that fail these checks, the email is accepted and treated as “internal.”

Criminals can also copy internal patterns, such as using an employee’s real address in both the sender and recipient fields or familiar display names like IT or HR.

The resulting message looks like a legitimate internal email, making it more likely for the victims to take the bait.
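The pattern described above (an internal-domain sender whose SPF, DKIM or DMARC result is anything but pass, optionally combined with the sender and recipient being the same mailbox) can be spotted on the receiving side by reading the Authentication-Results header the edge mail server stamps on each message. The following is an added defender-side example, not code from the article or from Microsoft; the internal domain, the two sample messages and the check names are constructed placeholders.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed internal domain (placeholder)

# Constructed sample: external message claiming the internal domain,
# with sender == recipient and a familiar "HR" display name.
SPOOFED = """From: "HR Department" <alice@example.com>
To: alice@example.com
Subject: Action required: password expiration
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example.com;
 dkim=none;
 dmarc=fail header.from=example.com

Your password expires today. Review the attached document.
"""

# Constructed sample: genuine internal message that passed all checks.
LEGIT = """From: bob@example.com
To: alice@example.com
Subject: Lunch
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com

See you at noon.
"""

def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.lower().startswith(method + "="):
                    results[method] = part.split("=", 1)[1].split()[0].lower()
    return results

def spoofed_internal_indicators(raw):
    """Return indicator strings for mail that claims to be internal but lacks proof."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    indicators = []
    if from_addr.rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
        res = auth_results(msg)
        # A missing header counts as "none": apply this only to mail arriving at the edge.
        failing = [m for m in ("spf", "dkim", "dmarc") if res.get(m, "none") != "pass"]
        if failing:
            indicators.append("internal-domain sender failed " + ",".join(failing))
        if from_addr and from_addr == to_addr:
            indicators.append("sender equals recipient")
    return indicators
```

Mail that is accepted with a non-empty indicator list is exactly the class of message the report describes; the durable fix is to have the edge server enforce DMARC rejection for the organization's own domain rather than rely on such after-the-fact flagging.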

Microsoft says the attackers are using known phishing kits, such as Tycoon2FA, to create convincing lures, usually themed around voicemails, shared documents, communications from HR departments, password resets or expirations, and similar.

Finally, this doesn’t seem to be a targeted campaign. Instead, the attackers are casting as wide a net as they can, trying to harvest as many login credentials and other secrets as possible. In some cases they obtained passwords to email accounts and then used them in secondary Business Email Compromise (BEC) attacks.

Via The Hacker News



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
