Recently, Microsoft sent out a warning about a sharp rise in phishing attacks that take advantage of misrouted email. These ransomware attacks have skyrocketed since May 2025, affecting companies from health care to insurance to the energy industry. As our company's Threat Intelligence team, Fluency, recently reported, attackers are taking advantage of complicated routing scenarios in which spoof protections are not consistently enforced.
Organizations face increased exposure as these phishing tactics are weaponized for fraud. This alert serves to raise awareness of the dangers posed by the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit. Cybercriminals are using these techniques to trick enterprises into paying bogus invoices or sending money to fake suppliers, all of which can result in staggering losses.
Understanding the Threat Landscape
These phishing attacks frequently appear where mail routing setups are elaborate and complicated. Organizations that fail to roll out strong DMARC reject policies and SPF hard fail policies turn themselves into soft targets. Without these commonsense security measures, they are simply leaving the door open for bad actors. These are the kinds of weaknesses attackers use. They do this by routing emails through third-party services or non-Exchange on-prem environments before passing them to Microsoft 365.
This complex routing makes it easy for bad actors to effectively spoof domains. Microsoft’s Threat Intelligence team recently described how threat actors are leveraging this vector to disseminate a wide variety of phishing threats. These messages are connected to other phishing-as-a-service infrastructures, like Tycoon 2FA.
Phishing campaigns change quickly and with great frequency. They often rely on deceptive techniques, such as clickable links in emails or QR codes in attachments, to lure unsuspecting victims to phishing landing pages.
Financial Implications of Phishing Schemes
The monetary burden of these types of phishing attacks can be crippling. Attackers often use the cover of a fake invoice that asks for thousands of dollars to be wired to their accounts. They build credibility by creating fraudulent IRS W-9 forms. These forms, often photocopies, contain the names and social security numbers of everyone associated with the creation of the account. They may even include a real-looking bank letter on the letterhead of the online banking provider that was used to create the fraudulent account.
The consequences of succumbing to these kinds of scams can be catastrophic for institutions. For businesses, the cost goes beyond financial damages. They take on reputational and operational risks when they scramble to mitigate the damage after the fact.
Best Practices for Mitigating Risks
To protect against these growing threats from phishing attacks, Microsoft recommends that organizations implement several best practices. First and most importantly, they need to ensure that third-party connectors—like spam filtering services or archiving tools—are set up properly. Turning Direct Send off when it is not needed can help block spoofed emails aimed at the organization's domains.
Implementing strict DMARC reject policies and SPF hard fail policies would also help significantly in fighting these threats. We urge organizations to check the security state of their email routing configurations frequently and to make sure they’re enforcing all applicable security measures.
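One way to check a domain for the DMARC reject and SPF hard fail policies recommended above is to audit its published TXT records. The following is an added example, not Microsoft's or the article's own tooling; it works on TXT strings you have already retrieved, and the domains and records in it are constructed for illustration.

```python
# Added example: audit SPF/DMARC TXT strings for hard fail and reject.
def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_spf(txt_records):
    """Return findings; an empty list means the record ends in -all."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return ["policy comes from redirect= target; audit that domain"]
        return ["no 'all' mechanism; unmatched senders get a neutral result"]
    # Mechanisms are evaluated left to right, so the first 'all' decides.
    if not alls[0].startswith("-"):
        return [f"'{alls[0]}' is not a hard fail (-all)"]
    return []

def audit_dmarc(txt_records):
    """Return findings; an empty list means p=reject applies to all mail."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records"]
    tags = parse_tags(recs[0])
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"p={tags.get('p', '(missing)')} is not reject")
    if tags.get("sp", "reject") != "reject":
        findings.append(f"sp={tags['sp']} weakens subdomain policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} exempts part of the mail flow")
    return findings

# Constructed sample records (not real DNS data): domain -> (SPF TXT, _dmarc TXT).
SAMPLES = {
    "strict.example": (["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject; rua=mailto:d@strict.example"]),
    "soft.example": (["v=spf1 include:_spf.filter.example ~all"], ["v=DMARC1; p=none; pct=50"]),
}

def audit_all(samples=SAMPLES):
    """Combine SPF and DMARC findings per domain."""
    return {d: audit_spf(s) + audit_dmarc(m) for d, (s, m) in samples.items()}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "OK" if not findings else findings)
```

A domain with no findings publishes both policies at full enforcement; this does not confirm that the mail path in front of Microsoft 365 actually honors them, which still requires reviewing connector and routing configuration.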

