
"This creates a security gap that attackers can exploit to send spoofed phishing messages that seem to originate from the tenant's own domain. The vast majority of phishing campaigns that leverage this approach have been found to make use of the Tycoon 2FA PhaaS kit. Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025."
"While the attack vector is not necessarily new, the tech giant said it has witnessed a surge in the use of the tactic since May 2025 as part of opportunistic campaigns targeting a wide variety of organizations across multiple industries and verticals. This includes a campaign that has employed spoofed emails to conduct financial scams against organizations. A successful attack could allow threat actors to siphon credentials and leverage them for follow-on activities, ranging from data theft to business email compromise (BEC)."
Threat actors exploit misconfigured email routing and weak spoof protections to impersonate organizational domains and deliver messages that appear to originate internally. Phishing lures include voicemails, shared documents, HR communications, and password resets, often leading to credential theft. Campaigns have increasingly used plug-and-play phishing-as-a-service kits such as Tycoon 2FA across diverse industries since May 2025, including financial scams. Complex routing setups that point MX records to on-premises or third-party services before Microsoft 365 create exploitable security gaps. Successful compromises enable credential siphoning and follow-on activities ranging from data theft to business email compromise. More than 13 million malicious emails linked to Tycoon 2FA were blocked in October 2025.
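A defender-side audit of the condition summarized above, as an added example that is not from the article or from Microsoft: it flags a domain whose primary MX does not point at Microsoft 365 while its spoof protections are weak. The records are constructed samples, and the MX suffixes and the "anything short of DMARC `p=reject` or SPF `-all` is weak" thresholds are assumptions of this example.

```python
# Added example: constructed records only, no DNS lookups are performed.
# Assumption: Exchange Online inbound MX hosts end with one of these suffixes.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")

def primary_mx(mx_records):
    """mx_records is a list of (preference, host); lowest preference wins."""
    _, host = min(mx_records)
    return host.rstrip(".").lower()

def parse_tags(txt):
    """Parse a 'k=v; k=v' DMARC record into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def spf_all_qualifier(txt):
    """Qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'), or None."""
    for term in txt.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def audit(mx_records, spf_txt, dmarc_txt):
    findings = []
    if not primary_mx(mx_records).endswith(M365_MX_SUFFIXES):
        findings.append("mx_not_direct_to_m365")
    is_dmarc = bool(dmarc_txt) and dmarc_txt.lower().startswith("v=dmarc1")
    policy = parse_tags(dmarc_txt).get("p") if is_dmarc else None
    if policy != "reject":
        findings.append("dmarc_" + (policy or "missing"))
    is_spf = bool(spf_txt) and spf_txt.lower().startswith("v=spf1")
    qual = spf_all_qualifier(spf_txt) if is_spf else None
    if qual != "-":
        names = {"~": "softfail", "?": "neutral", "+": "pass_all", None: "missing"}
        findings.append("spf_" + names[qual])
    return findings

def exposed(findings):
    """Indirect routing combined with at least one weak spoof protection."""
    return "mx_not_direct_to_m365" in findings and len(findings) > 1

# Constructed sample: third-party filter in front of Microsoft 365, weak policies.
COMPLEX = dict(
    mx_records=[(10, "mx1.filter.example.net."),
                (20, "example-com.mail.protection.outlook.com.")],
    spf_txt="v=spf1 include:spf.protection.outlook.com ~all",
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@example.com")
# Constructed sample: MX straight to Microsoft 365, enforcing policies.
DIRECT = dict(mx_records=[(0, "example-com.mail.protection.outlook.com.")],
              spf_txt="v=spf1 include:spf.protection.outlook.com -all",
              dmarc_txt="v=DMARC1; p=reject")
```
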
Read at The Hacker News