嗯,用户让我帮忙总结一下这篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述就行。好的,首先我得仔细阅读一下文章内容。 文章主要讲的是网络攻击者利用邮件路由配置错误和伪造保护机制的漏洞,发送看似来自内部的钓鱼邮件。他们使用PhaaS平台,比如Tycoon2FA,来窃取凭证。微软的报告指出,这种情况导致了多种钓鱼攻击,包括涉及人力资源、密码重置等主题的内容。攻击者还利用相同收发地址等手法增加可信度。 另外,文章提到自2025年5月以来,这类攻击有所增加,针对多个行业的组织。微软建议配置严格的DMARC和SPF策略,并正确设置第三方连接器来防止此类攻击。 所以总结起来,我需要涵盖攻击手段、利用的平台、微软的建议以及攻击的影响。控制在100字以内的话,得简洁明了。 可能会这样组织语言:网络攻击者利用邮件路由配置错误和伪造保护机制漏洞,发送看似内部的钓鱼邮件。使用PhaaS平台如Tycoon2FA窃取凭证。微软建议配置严格DMARC/SPF策略和正确连接器以防止此类攻击。 检查一下字数:大约97字左右,符合要求。 </think> 网络攻击者利用邮件路由配置错误和伪造保护机制漏洞,发送看似内部的钓鱼邮件。使用PhaaS平台如Tycoon2FA窃取凭证。微软建议配置严格DMARC/SPF策略和正确连接器以防止此类攻击。 2026-1-7 14:57:52 Author: securityaffairs.com(查看原文) 阅读量:2 收藏
Misconfigured email routing enables internal-spoofed phishing
Attackers exploit misconfigured email routing to spoof internal emails, using PhaaS platforms like Tycoon2FA to steal credentials.
Attackers exploit misconfigured email routing and spoof protections to send phishing emails appearing internal, using PhaaS platforms like Tycoon2FA to steal credentials.
“Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA.” reads the report published by Microsoft. “These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.”
Since May 2025, phishing attacks exploiting misconfigured email routing and spoof protections have increased. Microsoft reported opportunistic campaigns targeting multiple industries, sometimes for financial scams. Messages appear internal, boosting success. Office 365 tenants with correct MX records are protected, but others risk credential theft, BEC, or fund loss. Microsoft advises proper spoof protection and connector configuration to block these attacks.
Phishing attacks exploiting misconfigured email routing and spoof protections allow threat actors to send emails appearing from an organization’s own domain. Tenants with complex routing and MX records not pointed to Office 365, or lacking strict DMARC/SPF policies, are vulnerable.
“Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains.” continues the report.
Attackers often use PhaaS platforms like Tycoon2FA, enabling credential theft, AiTM bypass of MFA, and financial scams. Office 365 tenants with properly configured MX records are protected.
Attackers exploit complex email routing and weak spoofing protections to send phishing emails that look like internal messages. These emails often use common themes such as HR notices, password resets, voicemails, or shared documents. A typical trick is using the same email address in both the “To” and “From” fields to appear legitimate.
Although the emails look internal, email headers show they come from external servers. Signs include SPF or DMARC failures, missing DKIM signatures, and headers indicating anonymous external delivery. In poorly configured environments, these failures may not block delivery, especially when third-party mail connectors are misconfigured.
Many campaigns redirect users through legitimate-looking links, such as Google Maps URLs, to attacker-controlled sites. Victims are shown fake CAPTCHA pages that lead to Tycoon2FA phishing pages designed to steal credentials, sometimes bypassing MFA. Proper DMARC, SPF hard fail, DKIM, and correct connector setup can prevent these attacks.
Microsoft Threat Intelligence has also observed financial scams delivered through spoofed emails that appear to come from inside an organization. These messages are designed to look like ongoing email threads involving senior staff, often impersonating the CEO, the accounting department, or a supplier requesting payment.
In the observed cases, weak email authentication settings allowed the scams to succeed. DMARC was set to “none,” meaning authentication failures were not enforced. As a result, spoofed emails sent from external IP addresses were delivered to inboxes, especially in environments where MX records do not point to Office 365.
The scam emails often use urgency to pressure victims, such as requesting quick payment to secure a discount. They typically use the same email address in both the “To” and “From” fields, with the CEO’s name shown as the display name to appear legitimate.
Attachments commonly include a fake invoice requesting payment to a fraudulent bank account, an IRS W-9 form using stolen personal data, and a fake bank letter to add credibility. Victims who pay may suffer significant and unrecoverable financial losses, as funds are quickly moved by attackers.
Organizations should enforce strict DMARC reject and SPF hard-fail policies and properly configure third-party mail connectors. Microsoft pointed out that tenants with MX records pointing directly to Office 365 are protected.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
如有侵权请联系:admin#unsafe.sh