Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tycoon 2FA internal-domain phishing campaign abusing email routing

Campaign
First reported
Last updated
Happening score
H score 39
3 unique sources, 3 articles

Summary

Hide ▲

An active Tycoon 2FA phishing campaign is abusing misconfigured email routing and weak domain spoofing protections to make messages look like they came from trusted internal domains and target Microsoft 365 accounts. The activity has surged since May 2025, uses lures such as HR and IT security notices, password updates, and DocuSign-style messages, and can lead to credential theft, data theft, BEC, and financial loss. Microsoft said the risk is highest where mail is routed through on-premises Exchange or third-party services before Microsoft 365 and DMARC, SPF, or connector controls are not strictly enforced.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Non-email threat-detection confidence gap across collaboration channels

Trend
H score25 First: 19.06.2026 12:00 Last: 19.06.2026 12:00 Sources 1

About this happening: A survey found a broad **non-email threat-detection gap** across **Slack**, **Microsoft Teams**, and social channels, increasing exposure as attackers move beyond **email**. At **...

OpenClaw phishing simulations expose AI agent identity-verification failures

Technical Analysis
H score23 First: 10.06.2026 00:20 Last: 10.06.2026 00:20 Sources 1

About this happening: Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...

Senior executive at major global stock exchange hit by data theft breach

Incident
H score7 First: 03.06.2026 15:46 Last: 03.06.2026 15:46 Sources 1

About this happening: A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...

Microsoft Exchange Online mail flow disruption

Service Disruption
H score25 First: 02.06.2026 20:02 Last: 02.06.2026 20:02 Sources 1

About this happening: Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...

Timeline

  1. 07.01.2026 11:42 4 articles · 6mo ago

    Microsoft warns on internal-domain phishing via misconfigured email routing

    Initial Disclosure

    Microsoft warns that misconfigured email routing and weak spoof protections are being abused to impersonate organizations' internal domains and deliver phishing messages tied to Tycoon 2FA, with lures themed around voicemails, shared documents, HR notices, password resets or expirations, bogus invoices, and DocuSign impersonation. The activity has surged since May 2025 across multiple industries and verticals, and Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025. The phishing campaigns can lead to credential theft, data theft, business email compromise, and financial losses, especially where MX records route through on-premises Exchange or a third-party service before Microsoft 365 and DMARC, SPF, or connector controls are not strictly enforced.

    Show sources