Phishing actors exploiting complex routing scenarios and misconfigured spoof protections

Jan. 7, 2026, 11:42 a.m.

Description

Threat actors are leveraging complex routing scenarios and misconfigured spoof protections to send phishing emails that appear to be internal communications. These attacks, which have increased since May 2025, use lures such as voicemails, shared documents, and password resets to conduct credential phishing and financial scams. The campaigns, which often use phishing-as-a-service (PhaaS) platforms like Tycoon2FA, are opportunistic and target multiple industries. While Microsoft detects most attempts, organizations can further mitigate risk by properly configuring spoof protections and third-party connectors. The attacks do not affect customers whose MX records point to Office 365, as they are protected by built-in spoofing detections.

Date

  • Created: Jan. 7, 2026, 11:34 a.m.
  • Published: Jan. 7, 2026, 11:34 a.m.
  • Modified: Jan. 7, 2026, 11:42 a.m.

Indicators

  • 163.5.221.110
  • 51.89.59.188
  • 51.195.94.194
  • 162.19.196.13

Attack Patterns

Additional Information
