Tycoon 2FA internal-domain phishing campaign abusing email routing
Campaign
Summary
Hide ▲
Show ▼
An active Tycoon 2FA phishing campaign is abusing misconfigured email routing and weak domain spoofing protections to make messages look like they came from trusted internal domains and target Microsoft 365 accounts. The activity has surged since May 2025, uses lures such as HR and IT security notices, password updates, and DocuSign-style messages, and can lead to credential theft, data theft, BEC, and financial loss. Microsoft said the risk is highest where mail is routed through on-premises Exchange or third-party services before Microsoft 365 and DMARC, SPF, or connector controls are not strictly enforced.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Non-email threat-detection confidence gap across collaboration channels
Trend
H score25
First: 19.06.2026 12:00
Last: 19.06.2026 12:00
Sources 1
About this happening:
A survey found a broad **non-email threat-detection gap** across **Slack**, **Microsoft Teams**, and social channels, increasing exposure as attackers move beyond **email**. At **...
Non-email threat-detection confidence gap across collaboration channels
TrendAbout this happening: A survey found a broad **non-email threat-detection gap** across **Slack**, **Microsoft Teams**, and social channels, increasing exposure as attackers move beyond **email**. At **...
OpenClaw phishing simulations expose AI agent identity-verification failures
Technical Analysis
H score23
First: 10.06.2026 00:20
Last: 10.06.2026 00:20
Sources 1
About this happening:
Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...
OpenClaw phishing simulations expose AI agent identity-verification failures
Technical AnalysisAbout this happening: Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...
Senior executive at major global stock exchange hit by data theft breach
Incident
H score7
First: 03.06.2026 15:46
Last: 03.06.2026 15:46
Sources 1
About this happening:
A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...
Senior executive at major global stock exchange hit by data theft breach
IncidentAbout this happening: A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...
Microsoft Exchange Online mail flow disruption
Service Disruption
H score25
First: 02.06.2026 20:02
Last: 02.06.2026 20:02
Sources 1
About this happening:
Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...
Microsoft Exchange Online mail flow disruption
Service DisruptionAbout this happening: Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...
Timeline
-
07.01.2026 11:42 4 articles · 6mo ago
Microsoft warns on internal-domain phishing via misconfigured email routing
Initial DisclosureMicrosoft warns that misconfigured email routing and weak spoof protections are being abused to impersonate organizations' internal domains and deliver phishing messages tied to Tycoon 2FA, with lures themed around voicemails, shared documents, HR notices, password resets or expirations, bogus invoices, and DocuSign impersonation. The activity has surged since May 2025 across multiple industries and verticals, and Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025. The phishing campaigns can lead to credential theft, data theft, business email compromise, and financial losses, especially where MX records route through on-premises Exchange or a third-party service before Microsoft 365 and DMARC, SPF, or connector controls are not strictly enforced.
Show sources
- Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing — thehackernews.com — 07.01.2026 11:42
- Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing — thehackernews.com — 07.01.2026 11:42
- Phishing Attacks Exploit Misconfigured Email Routing Settings to Target Microsoft 365 Users — www.infosecurity-magazine.com — 08.01.2026 16:01
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01