Ethical Hacking News
The use of internal domain phishing has been on the rise since May 2025, with attackers exploiting vulnerabilities in email routing systems to send malicious emails that appear to originate from a company's own domain. This article provides an in-depth look at the emerging threat of internal domain phishing and offers tips on how businesses can protect themselves against this type of attack.
Internal domain phishing occurs when a threat actor exploits a vulnerability in an organization's email routing system to send phishing emails that appear to have originated from the company's own domain. The attack vector is not new, but has surged since May 2025 as part of opportunistic campaigns targeting various organizations across multiple industries. The phishing emails often mimic correspondence from the CEO or the accounting department and carry attachments that lend the message a false sense of trust. The use of phishing-as-a-service (PhaaS) platforms is a key factor in these attacks, allowing fraudsters to create and manage campaigns easily. Mitigation measures include setting strict DMARC reject and SPF hard fail policies, properly configuring third-party connectors, and turning off Direct Send where it is not needed.
The world of cybersecurity is constantly evolving, and one emerging threat that businesses must be aware of is internal domain phishing. This type of attack has been gaining traction in recent times, and it's essential to understand what it entails and how to protect against it.
Internal domain phishing occurs when a threat actor exploits a vulnerability in an organization's email routing system to send phishing emails that appear to have originated from the company's own domain. The gap typically arises from a misconfigured mail exchanger (MX) record or from spoof protections that are not strictly enforced, and attackers exploit it to send malicious messages that pass as internal mail.
The attack vector is not new, but Microsoft has recently witnessed a surge in its use since May 2025 as part of opportunistic campaigns targeting various organizations across multiple industries. These campaigns often employ spoofed emails to conduct financial scams against businesses, with the ultimate goal of siphoning credentials and leveraging them for follow-on activities.
The problem manifests primarily in scenarios where a tenant has configured a complex routing scenario and spoof protections are not strictly enforced. An example of this involves pointing the MX record to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365. This creates a security gap that attackers can exploit to send spoofed phishing messages that seem to originate from the tenant's own domain.
Phishing emails propagating financial scams often resemble a conversation with the CEO of the targeted organization, with an individual requesting payment for services provided, or with the firm's accounting department. They also contain three attached files to lend the scheme a false sense of trust: voicemails, shared documents, and communications from human resources (HR) departments.
The use of phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA has been identified as a key factor in these attacks. PhaaS toolkits are plug-and-play platforms that allow fraudsters to create and manage phishing campaigns easily, making them accessible even to those with limited technical skills. They provide features like customizable phishing templates, infrastructure, and other tools to facilitate credential theft and circumvent multi-factor authentication using adversary-in-the-middle (AiTM) phishing.
Microsoft has blocked more than 13 million malicious emails linked to the Tycoon 2FA PhaaS kit in October 2025 alone. This highlights the severity of the issue and the need for businesses to take proactive measures to protect themselves against internal domain phishing attacks.
To mitigate this threat, organizations are advised to set strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and Sender Policy Framework (SPF) hard fail policies. Properly configuring third-party connectors, such as spam filtering services or archiving tools, is also essential in preventing these types of attacks.
Tenants with MX records pointed directly to Office 365 are not vulnerable to this attack vector. Additionally, organizations are recommended to turn off Direct Send where it is not needed, so that emails spoofing their domains are rejected.
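The DMARC and SPF settings recommended above can be checked mechanically from a domain's published TXT records. The following Python linter is an added example, not code from the article or from Microsoft: it parses constructed SPF and DMARC records (the `example.com` addresses are placeholders; `include:spf.protection.outlook.com` is the include Microsoft 365 publishes for its outbound mail) and flags the weak settings the article warns about, such as an SPF soft fail or neutral result and a DMARC policy weaker than `p=reject`, beside the hardened equivalents. Connector configuration and Direct Send are tenant-side Exchange settings and fall outside what a DNS record check can show.

```python
"""Lint a domain's SPF and DMARC TXT records for the weak settings that let
spoofed mail through: SPF without a hard fail (-all) and DMARC without p=reject.
Added example; the records below are constructed, not taken from any real domain."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "ok" or "weak"
    message: str


def spf_all_qualifier(txt):
    """Return the qualifier of the SPF 'all' mechanism: '+', '-', '~' or '?',
    None when the record has no 'all' term, or 'missing' if txt is not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    qualifier = None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # RFC 7208: no qualifier means '+'
    return qualifier


def lint_spf(txt):
    q = spf_all_qualifier(txt)
    if q == "missing":
        return Finding("SPF", "weak", "no SPF record (v=spf1) published")
    if q == "-":
        return Finding("SPF", "ok", "SPF ends in -all (hard fail)")
    if q == "~":
        return Finding("SPF", "weak", "~all is a soft fail: unauthorized senders are tagged, not rejected")
    if q == "+":
        return Finding("SPF", "weak", "+all authorizes every sender on the internet")
    if q == "?":
        return Finding("SPF", "weak", "?all is neutral: spoofed mail is neither passed nor failed")
    return Finding("SPF", "weak", "no 'all' mechanism: unmatched senders evaluate to neutral")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def lint_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return Finding("DMARC", "weak", "no DMARC record (v=DMARC1) published")
    policy = tags.get("p", "").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0  # an unparsable pct is treated as not enforcing
    if policy != "reject":
        return Finding("DMARC", "weak", f"p={policy or '(missing)'}: spoofed mail is not rejected")
    if subdomain_policy != "reject":
        return Finding("DMARC", "weak", f"sp={subdomain_policy}: subdomains can still be spoofed")
    if pct < 100:
        return Finding("DMARC", "weak", f"pct={pct}: only a fraction of failing mail is rejected")
    return Finding("DMARC", "ok", "p=reject applied to 100% of mail and to subdomains")


def lint_domain(spf_txt, dmarc_txt):
    """Return the weak findings for one domain (empty list when fully hardened)."""
    return [f for f in (lint_spf(spf_txt), lint_dmarc(dmarc_txt)) if f.severity == "weak"]


# Constructed records: a common permissive setup beside the hardened one.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        findings = lint_domain(spf, dmarc)
        print(f"{label}: {len(findings)} weak setting(s)")
        for f in findings:
            print(f"  [{f.record}] {f.message}")
```

Run as a script it reports two weak settings for the permissive pair and none for the hardened pair. In practice, feed `lint_domain` the TXT records fetched for the tenant domain and for `_dmarc.<domain>`; a soft-fail SPF or a `p=none` DMARC is exactly the gap that lets a spoofed internal-domain message be delivered rather than rejected.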
The use of internal domain phishing as a tactic by threat actors highlights the ongoing cat-and-mouse game between security professionals and cybercriminals. As security measures evolve, so too will the tactics employed by attackers. It's essential for businesses to stay vigilant and adapt their defenses accordingly to prevent these types of attacks from compromising their sensitive information.
In conclusion, internal domain phishing is a growing concern that businesses must be aware of. By understanding the threat vector, its implications, and the measures needed to protect against it, organizations can significantly reduce the risk of falling victim to this type of attack.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Looming-Threat-of-Internal-Domain-Phishing-A-Growing-Concern-for-Businesses-ehn.shtml
https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html
https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/
Published: Wed Jan 7 05:52:32 2026 by llama3.2 3B Q4_K_M