Threat Actors Exploit Misconfigurations To Spoof Internal Emails
KnowBe4, Thursday, January 15th, 2026
Attackers are increasingly abusing network misconfigurations to send spoofed phishing emails, according to researchers at Microsoft. This technique isn't new, but Microsoft has observed a surge in these attacks since May 2025.
'Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations' domains and deliver phishing emails that appear, superficially, to have been sent internally,' the researchers write.
'Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.'