
Tycoon 2FA internal-domain phishing campaign abusing email routing

Campaign
Happening score: 46
3 unique sources, 3 articles

Summary


An active Tycoon 2FA phishing campaign is abusing misconfigured email routing and weak domain spoofing protections to make messages look like they came from trusted internal domains and target Microsoft 365 accounts. The activity has surged since May 2025, uses lures such as HR and IT security notices, password updates, and DocuSign-style messages, and can lead to credential theft, data theft, BEC, and financial loss. Microsoft said the risk is highest where mail is routed through on-premises Exchange or third-party services before reaching Microsoft 365, and where DMARC, SPF, or connector controls are not strictly enforced.

Related Happenings

CypherLoc phishing-led browser scareware campaign

Campaign
First: 20.05.2026 13:00 · Last: 20.05.2026 13:00 · Sources: 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 · Last: 19.05.2026 22:35 · Sources: 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 · Last: 19.05.2026 18:00 · Sources: 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 · Last: 17.05.2026 17:43 · Sources: 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
First: 15.05.2026 09:19 · Last: 15.05.2026 09:19 · Sources: 1

About this happening: **CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...

Timeline

  1. 07.01.2026 11:42 · 4 articles · 4mo ago

    Microsoft warns on internal-domain phishing via misconfigured email routing

    Initial Disclosure

    Microsoft warns that misconfigured email routing and weak spoof protections are being abused to impersonate organizations' internal domains and deliver phishing messages tied to Tycoon 2FA, with lures themed around voicemails, shared documents, HR notices, password resets or expirations, bogus invoices, and DocuSign impersonation. The activity has surged since May 2025 across multiple industries and verticals, and Microsoft said it blocked more than 13 million malicious emails linked to the kit in October 2025. The phishing campaigns can lead to credential theft, data theft, business email compromise, and financial losses, especially where MX records route mail through on-premises Exchange or a third-party service before reaching Microsoft 365, and where DMARC, SPF, or connector controls are not strictly enforced.
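The summary and the timeline entry both turn on one condition: DMARC and SPF that are published but not strictly enforced. The script below is an added example, not code from the page or from Microsoft; it evaluates raw SPF and DMARC TXT record strings (the kind you would pull with dig or nslookup) and lists the settings that leave a domain open to internal-domain spoofing. The sample records and the example.invalid reporting address are constructed for the demonstration.

```python
"""Evaluate SPF and DMARC TXT records for strict enforcement.

Added example (not from the original page or Microsoft's guidance): takes
the raw TXT record strings as input so values fetched from DNS can be fed
in directly. The sample records below are constructed.
"""
from __future__ import annotations

# Constructed sample records. "weak" is the kind of configuration the
# campaign summary describes: monitoring-only DMARC plus a softfail SPF,
# so spoofed internal-domain mail is reported but still delivered.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    },
    "strict": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid",
    },
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> list[str]:
    """Return findings showing DMARC is absent or not strictly enforced."""
    if not record:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not quarantine or reject")
    # sp defaults to p; an explicitly weaker subdomain policy is a gap.
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        findings.append(f"subdomain policy sp={sub or 'missing'} is not enforcing")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports would go nowhere")
    return findings


def assess_spf(record: str | None) -> list[str]:
    """Return findings showing SPF is absent or permissive."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
        return findings
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("ends with +all: any host passes SPF")
    elif last == "?all":
        findings.append("ends with ?all: neutral result, no enforcement")
    elif last == "~all":
        findings.append("ends with ~all: softfail only, receivers may still deliver")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism: unlisted senders are neutral")
    # Every include term adds all hosts the included domain authorises.
    includes = [t for t in terms if t.lower().startswith("include:")]
    if len(includes) > 5:
        findings.append(f"{len(includes)} include terms: broad authorised-sender set")
    return findings


def assess_domain(spf: str | None, dmarc: str | None) -> dict[str, list[str]]:
    """Run both checks; an empty list under a key means that record looked strict."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, assess_domain(recs["spf"], recs["dmarc"]))
```

The checks cover only what is published in DNS. The connector side the page mentions (mail arriving at Microsoft 365 from on-premises Exchange or a third-party gateway) is enforced inside the tenant, not in DNS, so a clean result here still leaves that path to be reviewed separately.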
