Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing
Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally. "Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA," the
AI Analysis
Technical Summary
This threat involves phishing attacks that exploit misconfigurations in email routing and spoof protection mechanisms within organizations using Microsoft 365 and hybrid email environments. Specifically, when an organization's MX records point to an on-premises Exchange server or a third-party email service before routing to Microsoft 365, and spoof protections such as DMARC and SPF are not strictly enforced, attackers can send spoofed emails that appear to originate from internal domains. This internal domain spoofing increases the likelihood that recipients will trust and engage with the phishing emails.

The campaigns have surged since May 2025 and often utilize phishing-as-a-service (PhaaS) platforms like Tycoon 2FA, which provide ready-made phishing infrastructure and templates, including advanced features to bypass multi-factor authentication via adversary-in-the-middle (AiTM) techniques. The phishing lures mimic legitimate internal communications such as HR notifications, password resets, voicemail alerts, and shared documents, as well as financial scams involving fake invoices, IRS W-9 forms, and fraudulent bank letters to trick employees into wiring funds to attacker-controlled accounts. The attackers exploit the appearance of internal emails by using the same email address in both 'To' and 'From' fields, increasing the deception.

Microsoft has blocked millions of such emails but warns that organizations with complex mail routing and insufficiently strict DMARC/SPF policies remain vulnerable. Mitigation involves enforcing strict DMARC reject policies, SPF hard fail, correctly configuring third-party connectors (spam filters, archiving), and disabling Direct Send if not required. Organizations with MX records pointed directly to Office 365 are not susceptible to this attack vector. The threat enables credential theft, business email compromise, and financial fraud, posing significant operational and financial risks.
Potential Impact
For European organizations, this threat can lead to substantial risks including credential compromise, unauthorized access to sensitive systems, business email compromise (BEC), and financial fraud. The ability of attackers to spoof internal domain emails increases the likelihood of successful phishing, potentially bypassing user suspicion and some security controls. This can result in data breaches, intellectual property theft, disruption of business operations, and significant financial losses due to fraudulent wire transfers or invoice payments. Organizations in sectors with high-value transactions or sensitive data, such as finance, healthcare, legal, and government, are particularly at risk. The use of phishing-as-a-service kits lowers the technical barrier for attackers, increasing the volume and diversity of attacks. Given the widespread adoption of Microsoft 365 and hybrid email environments in Europe, especially among large enterprises and public sector entities, the threat could affect a broad range of organizations. Additionally, the financial scams leveraging fake invoices and official-looking documents can cause reputational damage and regulatory scrutiny under GDPR if personal data is compromised. The medium severity rating reflects the significant potential impact combined with the requirement for specific misconfigurations to be present.
Mitigation Recommendations
European organizations should implement the following specific measures to mitigate this threat:
1) Enforce strict DMARC policies with a reject action to prevent spoofed emails from being accepted;
2) Configure SPF records with hard fail to ensure only authorized mail servers can send emails on behalf of the domain;
3) Review and properly configure all third-party connectors, including spam filtering and archiving services, to ensure they do not inadvertently allow spoofed emails;
4) Disable Direct Send functionality unless absolutely necessary, as it can be abused to send spoofed emails;
5) Regularly audit MX records to avoid complex routing scenarios that introduce security gaps, preferring direct MX records to Microsoft 365 where possible;
6) Implement advanced email security solutions that provide anti-phishing and AiTM detection capabilities;
7) Conduct targeted user awareness training focusing on recognizing internal domain phishing and financial fraud scams;
8) Monitor email logs and alerts for unusual internal email patterns, such as identical 'To' and 'From' addresses;
9) Employ multi-factor authentication with phishing-resistant methods (e.g., hardware tokens) to reduce the impact of credential theft;
10) Establish incident response plans specifically addressing business email compromise and phishing attacks.
These measures go beyond generic advice by focusing on the specific misconfiguration and attack vector described.
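As an added example (not part of this analysis, Microsoft's guidance, or the source article), the following Python script shows how a defender can check the first, second and eighth measures above in code: it evaluates published DMARC and SPF TXT records for the strictness the analysis calls for (p=reject, -all), and scans message-trace rows for internal-domain messages whose From and To addresses are identical but which entered the tenant through an inbound connector. The DNS record strings, domain names, connector name and trace rows are constructed sample data, and the TraceRow class is an assumed simplification of a message-trace export rather than the real Exchange Online schema.

```python
import re
from dataclasses import dataclass


def parse_dmarc_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means p=reject is fully enforced."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected (expected p=reject)")
    # sp= defaults to p= when absent, so only an explicit weaker value is a finding.
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy.lower() != "reject":
        findings.append(f"sp={sub_policy}: subdomains are weaker than the organizational domain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts will not arrive")
    return findings


# Mechanisms that cost a DNS query under RFC 7208 (ip4/ip6/all do not).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it hard-fails unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if terms[-1].lower() != "-all":
        findings.append(f"ends with '{terms[-1]}': expected -all (hard fail)")
    # More than 10 lookup terms makes evaluators return permerror, which silently weakens SPF.
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


@dataclass
class TraceRow:
    """Assumed, simplified view of one message-trace entry (not the Exchange Online schema)."""
    sender: str
    recipient: str
    inbound_connector: str  # empty string for mail that originated inside the tenant


def self_addressed_via_connector(rows: list, internal_domains: set) -> list:
    """Flag internal-domain messages with identical From and To that arrived via an inbound connector."""
    hits = []
    for row in rows:
        sender = row.sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        if domain in internal_domains and sender == row.recipient.lower() and row.inbound_connector:
            hits.append(row)
    return hits


# Constructed sample data so the script runs stand-alone and offline.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50"
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com ~all"
SAMPLE_ROWS = [
    TraceRow("alice@example.org", "alice@example.org", "OnPrem-Exchange-Inbound"),
    TraceRow("hr@example.org", "bob@example.org", "OnPrem-Exchange-Inbound"),
    TraceRow("carol@example.org", "carol@example.org", ""),
]

if __name__ == "__main__":
    for finding in check_dmarc(SAMPLE_DMARC) + check_spf(SAMPLE_SPF):
        print("finding:", finding)
    for hit in self_addressed_via_connector(SAMPLE_ROWS, {"example.org"}):
        print("review:", hit)
```

In practice the record strings would come from a DNS TXT query for `_dmarc.<domain>` and `<domain>`, and the trace rows from the tenant's message-trace export; the connector check matters because the analysis notes that tenants whose MX points straight at Microsoft 365 are not exposed, so the rows worth reviewing are the ones that passed through an on-premises or third-party hop.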
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html (fetched 2026-01-07T13:11:36Z, 1205 words)
Threat ID: 695e5b897349d0379da03fad
Added to database: 1/7/2026, 1:11:37 PM
Last enriched: 1/7/2026, 1:13:15 PM
Last updated: 2/7/2026, 2:49:28 PM
Views: 236