Phishers spoof internal emails by abusing complex mail routing, delivering voicemail and HR lures via Tycoon2FA to steal credentials.
Threat actors abuse complex mail-routing configurations and misconfigured security controls to send phishing emails that appear to originate from inside the victim organization.
Because the messages look internal, they are harder to trace. Threat actors have used this method to deliver phishing pages hosted on platforms such as the Tycoon2FA phishing-as-a-service kit.
Common credential-theft lures in these emails include voicemail notifications, shared documents, messages purporting to come from human resources, and password-reset notices.
The technique is not new, but since May 2025 it has become markedly more visible and more widely used. Campaigns using it are not aimed at particular organizations; they are spread across many sectors.
Researchers have also found campaigns that use the method to trick companies into paying fraudulent invoices. These attacks differ from ordinary scams in that they exploit complex email routing and inconsistent security settings.
Organizations whose MX records point directly to Office 365 are covered by its built-in protections and are not affected by this attack vector.
Phishing emails delivered this way can be more effective because they look like internal messages. Microsoft Threat Intelligence researchers note that a successful attack can lead to data compromise or business email compromise (BEC) against the organization or its partners.
Such incidents can require extensive remediation and, where account fraud follows, cause direct financial loss.
Although Microsoft detects many of these attempts, organizations can further reduce their risk by configuring email authentication correctly and handling mail from third-party connectors so that spoofed messages never reach employee mailboxes.
Technical analysis of the email authentication failures
The attacks exploit configurations in which an organization uses a complex routing scenario whose MX records do not point directly to Office 365, for example where inbound mail first passes through a third-party gateway and is then relayed to Exchange Online.
If the organization does not enforce strict authentication, threat actors can send spoofed phishing messages that appear to come from the organization's own domain.
The message headers expose the forgery, including the external IP address from which the attacker injected the message.
Depending on how mail flow is configured, SPF will softfail or hardfail, DMARC will fail, and DKIM will not align, because the domain in the visible From header and the domain that authenticated the message are not the same.
The X-MS-Exchange-Organization-InternalOrgSender header is set to True, but X-MS-Exchange-Organization-MessageDirectionality is Incoming and X-MS-Exchange-Organization-ASDirectionalityType is "1", both of which indicate that the message entered from outside the organization.
An internal-sender indicator combined with an incoming direction is the signature of a spoofed message masquerading as internal communication.
The X-MS-Exchange-Organization-AuthAs header is Anonymous, confirming that the message arrived unauthenticated from an external source.
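The header triage described above, as an added Python example (this is not code from the article or from Microsoft): it parses a raw header block with the standard library, applies the InternalOrgSender, MessageDirectionality, ASDirectionalityType and AuthAs checks together with the SPF/DKIM/DMARC results, and extracts the injecting IP. Both header samples are constructed for illustration; contoso.example, mail-gw.relay.example and 203.0.113.45 are placeholders.

```python
import re
from email.parser import HeaderParser

# Constructed sample: a spoofed "HR" message relayed into Exchange Online through
# a third-party gateway. Domains, host names and the IP address are placeholders.
SPOOFED_HEADERS = """\
Received: from mail-gw.relay.example (203.0.113.45) by mx.contoso.example with ESMTP
From: HR Department <hr@contoso.example>
To: jane.doe@contoso.example
Subject: Updated benefits enrollment - action required
Authentication-Results: spf=softfail (sender IP is 203.0.113.45) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.example
X-MS-Exchange-Organization-InternalOrgSender: True
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-ASDirectionalityType: 1
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

# Constructed sample: a genuine intra-organization message for comparison.
LEGIT_HEADERS = """\
From: Jane Doe <jane.doe@contoso.example>
To: john.roe@contoso.example
Subject: Lunch on Thursday?
Authentication-Results: spf=pass (sender IP is 10.0.0.5) smtp.mailfrom=contoso.example; dkim=pass header.d=contoso.example; dmarc=pass action=none header.from=contoso.example
X-MS-Exchange-Organization-InternalOrgSender: True
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthAs: Internal
"""


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results value."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value, re.IGNORECASE)
        if m:
            results[method] = m.group(1).lower()
    return results


def classify(raw_headers: str) -> dict:
    """Apply the header checks from the analysis and return findings plus a verdict."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)

    def header(name: str) -> str:
        return (msg.get(name) or "").strip().lower()

    internal_sender = header("X-MS-Exchange-Organization-InternalOrgSender") == "true"
    incoming = header("X-MS-Exchange-Organization-MessageDirectionality") == "incoming"
    external_type = header("X-MS-Exchange-Organization-ASDirectionalityType") == "1"
    anonymous = header("X-MS-Exchange-Organization-AuthAs") == "anonymous"

    auth = {}
    sender_ip = None
    for value in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(value))
        m = re.search(r"sender IP is (\d+\.\d+\.\d+\.\d+)", value)
        if m:
            sender_ip = m.group(1)

    # The signature from the analysis: an internal-sender flag on a message that
    # Exchange itself classified as incoming and unauthenticated.
    spoofed_internal = internal_sender and incoming and (anonymous or external_type)
    if spoofed_internal:
        verdict = "SPOOFED_INTERNAL"
    elif internal_sender:
        verdict = "INTERNAL"
    else:
        verdict = "EXTERNAL"

    return {
        "internal_sender_flag": internal_sender,
        "incoming": incoming,
        "external_direction_type": external_type,
        "anonymous_auth": anonymous,
        "spf": auth.get("spf", "missing"),
        "dkim": auth.get("dkim", "missing"),
        "dmarc": auth.get("dmarc", "missing"),
        "sender_ip": sender_ip,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, classify(sample))
```

The verdict deliberately requires the internal-sender flag, the incoming direction and at least one of the two external indicators together; any one of them alone also appears on legitimate mail that crosses a connector, so a hunt query built on a single header will be noisy.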
Publishing a DMARC policy of p=reject, ending the SPF record with a hard fail (-all) rather than a soft fail (~all), and correctly configuring any third-party inbound connectors (in Exchange Online, enabling Enhanced Filtering for Connectors so that SPF is evaluated against the original sending IP rather than the gateway's) will block these spoofing attacks that impersonate the organization's own domain.
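A small audit of the two DNS records just mentioned, as an added Python example (not from the article): it parses SPF and DMARC TXT records passed in as strings, reports the weak settings the article calls out (~all, p=none) beside the hardened equivalents (-all, p=reject), and performs no DNS lookups. Both record sets are constructed; contoso.example and _spf.relay.example are placeholders.

```python
# Constructed record sets: the weak configuration beside the hardened one.
# contoso.example and _spf.relay.example are placeholders; the relay include
# stands for whatever third-party gateway actually sends on the domain's behalf.
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.relay.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@contoso.example",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.relay.example -all",
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@contoso.example",
}


def spf_all_qualifier(record: str):
    """Return the qualifier ('+', '-', '~' or '?') of the SPF 'all' mechanism, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism.lower() == "all":
            return qualifier
    return None


def dmarc_tags(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(records: dict) -> list:
    """Return a list of findings; an empty list means the records match the hardened form."""
    findings = []
    qualifier = spf_all_qualifier(records.get("spf", ""))
    if qualifier is None:
        findings.append("SPF: missing or has no 'all' mechanism; unauthorized senders are not rejected")
    elif qualifier != "-":
        findings.append(f"SPF: '{qualifier}all' only softfails unauthorized senders; use '-all'")
    tags = dmarc_tags(records.get("dmarc", ""))
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record published")
    elif tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p', 'none')} does not block failing mail; use p=reject")
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit(records) or ["ok"])
```

Moving to -all only works if every legitimate sender, including the third-party relay in front of Office 365, is enumerated in the record; otherwise the organization's own mail starts failing. The DMARC policy likewise only bites if the connector path preserves the original source IP so that the receiving filter evaluates SPF and DMARC against the attacker's host rather than the trusted gateway.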
