[Image: conceptual illustration of phishing actors exploiting routing misconfigurations for domain spoofing]

When employees receive an email that appears to come from their own company's domain—complete with legitimate-looking sender addresses and internal formatting—the natural assumption is that the message is trustworthy. This fundamental trust in domain-based authentication is precisely what threat actors are now exploiting through sophisticated routing manipulations that Microsoft has observed affecting organizations across multiple industries since May 2025. (Source: Microsoft)


The attack leverages a critical gap in how email authentication works when organizations use complex mail routing configurations. In typical scenarios, employees might see messages appearing to originate from their CEO, HR department, or IT support—all using legitimate internal email addresses in both the "From" and "To" fields. These aren't simple display name tricks; the technical headers show the messages as having originated from within the organization's own domain, making them nearly indistinguishable from genuine internal communications.

What makes this exploitation particularly insidious is that it abuses legitimate business infrastructure rather than compromising anything in the target environment. Organizations that route their email through third-party services before it reaches Office 365, or that maintain on-premises Exchange servers with specific connector configurations, inadvertently create conditions where external actors can send messages that fail SPF, DKIM, and DMARC checks, the three pillars of modern email authentication, and are still delivered as if they were internal.

The business implications extend far beyond individual phishing attempts. When domain authentication fails at this fundamental level, it erodes the entire trust model that modern business communications depend upon. Microsoft observed over 13 million malicious emails linked to the Tycoon2FA phishing platform alone in October 2025, many exploiting this exact vector. These campaigns don't just target credentials; they're conducting sophisticated financial fraud operations, with actors crafting elaborate fake invoice schemes that appear to come from company executives.

The technical mechanism involves threat actors initiating connections from external IP addresses (Microsoft has documented 51.89.59.188 and 162.19.129.232), yet the resulting messages carry headers that mark them as internal communications. The X-MS-Exchange-Organization-InternalOrgSender header shows "True" while X-MS-Exchange-Organization-MessageDirectionality shows "Incoming", a pairing that normal mail flow does not produce but that these routing configurations allow, because the intermediate hop hands in a message whose From domain matches one of the tenant's accepted domains.

Financial services, healthcare, and manufacturing sectors have all reported incidents where employees nearly authorized fraudulent payments or disclosed sensitive credentials because the messages appeared to originate from trusted internal sources. In one documented case, threat actors impersonated a CEO requesting urgent payment of invoices, complete with fake W-9 forms containing stolen Social Security numbers and fraudulent bank routing details for the payment.

The erosion of email trust has cascading effects on business operations. Security teams must now question every internal communication channel, employees become hesitant to respond quickly to legitimate requests, and organizations face the prospect of adding verification layers that slow down business processes. The practical result is a shift from trusting domain-based authentication to requiring out-of-band verification for sensitive requests, a step back in convenience that costs productivity across entire organizations.

The Attack Mechanics: Routing Manipulation and Domain Spoofing Techniques

The technical foundation of these spoofing attacks rests on a misalignment between email authentication protocols and complex mail routing architectures. When organizations put a third-party email security gateway in front of Office 365 or maintain hybrid Exchange deployments, their MX records point at the intermediate service, so Exchange Online receives each message from that service's IP address rather than from the original sender. Unless the inbound connector is configured to recover the original source, authentication is evaluated against the wrong hop.

At the protocol level, attackers exploit the fact that Simple Mail Transfer Protocol (SMTP) carries no sender authentication of its own. The envelope MAIL FROM and the From header are free-form, a receiving server accepts or relays a message based on its routing rules (is this recipient domain one I host or forward?), and any verification comes from SPF, DKIM, and DMARC layered on top. The attack succeeds when those checks run at a different point in the mail flow chain than the one that saw the attacker's connection, so the verdict is computed against a trusted hop.


The routing manipulation begins with attackers identifying organizations whose MX records point to intermediate services rather than directly to Office 365. These configurations typically involve spam filtering services, security solutions, or archiving systems that process mail before it reaches the final destination. Microsoft's analysis reveals that messages initiated from external IP addresses like 51.89.59[.]188 and 162.19.129[.]232 successfully traverse these intermediate hops while maintaining the appearance of internal origin.

Three conditions enable successful domain spoofing through this vector. First, the target organization's MX records route inbound mail through a non-Office 365 endpoint. Second, the organization's DMARC policy is permissive (p=none or p=quarantine) rather than p=reject. Third, the inbound connector from the third-party service trusts whatever the service hands over, with no Enhanced Filtering for Connectors to restore the original sender IP, so Exchange Online cannot tell the attacker's connection apart from the gateway's legitimate traffic.

The authentication bypass occurs because, once a message has passed through the intermediate service, Exchange Online evaluates it against the service's connecting IP rather than the attacker's, and any headers the service adds or rewrites further obscure the origin. By the time the message reaches the final destination, the authentication markers contradict each other: X-MS-Exchange-Organization-InternalOrgSender is set to True because the From domain matches an accepted domain, while X-MS-Exchange-Organization-MessageDirectionality correctly identifies the message as Incoming. Neither header alone is conclusive, but the pair describes a message that claims to be internal yet never came from the tenant's own sending infrastructure, and standard spoof detection does not act on it while the connector is trusted.

SPF soft fail configurations compound the problem. Organizations that publish ~all instead of -all tell receivers that an unlisted source is merely suspicious rather than unauthorized. DMARC treats softfail and fail identically, so the weaker qualifier does not change the DMARC verdict, but receivers that act on SPF alone will let the message continue, and the record advertises an SPF rollout that was never finished. The authentication results header spf=softfail (sender IP is 162.19.129[.]232) smtp.mailfrom=contoso.com shows a message continuing toward delivery despite the verification failure.

The persistence of these vulnerabilities stems from operational complexity. Organizations maintain intricate mail routing for legitimate business reasons—compliance requirements, legacy system integration, or specialized security scanning. Each additional hop in the mail flow introduces potential authentication gaps. The compauth failure reasons observed in attacks (reason=905 for complex routing, reason=451 for spam folder delivery) indicate that Exchange Online recognizes the authentication issues but cannot enforce strict blocking without disrupting legitimate mail flow.

DKIM absence further enables these attacks. Without a DKIM signature, the receiving server has no way to confirm that the organization took responsibility for the message, and DMARC is left with SPF alone, which is exactly the check that breaks as soon as mail takes an extra hop: SPF is tied to the connecting IP, while a DKIM signature survives routing through a gateway. The consistent dkim=none (message not signed) result in attack messages highlights how failing to implement DKIM creates an authentication void that threat actors use to bypass domain-based trust.
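To make the enabling conditions concrete, here is an added audit script, written for this article rather than taken from Microsoft or any vendor tooling, that checks a domain's MX, SPF, and DMARC records for the first two conditions and for the SPF soft fail discussed above. The records are constructed sample strings for a fictional contoso.com tenant and a hypothetical gateway.example service; in practice you would resolve them with a DNS library such as dnspython. The third condition, connector enforcement, is a tenant setting that DNS cannot reveal.

```python
import re

# Exchange Online's inbound MX endpoint suffix; any other MX host is an intermediate hop.
EXO_MX_SUFFIX = ".mail.protection.outlook.com"


def spf_all_qualifier(spf_txt):
    """Return the qualifier on the terminating 'all' mechanism ('-' fail,
    '~' softfail, '?' neutral, '+' pass), or None if the record has no 'all'
    term or is not an SPF record."""
    if not spf_txt.lower().startswith("v=spf1"):
        return None
    for term in spf_txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: a missing qualifier means '+'
    return None


def dmarc_policy(dmarc_txt):
    """Return the value of the p= tag (none, quarantine, reject), or None."""
    if not dmarc_txt.lower().startswith("v=dmarc1"):
        return None
    for tag in dmarc_txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def mx_routes_through_intermediate(mx_hosts):
    """True when any MX host is not the tenant's Exchange Online endpoint, i.e.
    inbound mail takes at least one hop before reaching Microsoft 365."""
    return any(not host.lower().rstrip(".").endswith(EXO_MX_SUFFIX) for host in mx_hosts)


def audit(domain, mx_hosts, spf_txt, dmarc_txt):
    """Return the enabling conditions present for the domain. An empty list means
    the DNS side of the exposure is closed; connector settings still need review."""
    findings = []
    if mx_routes_through_intermediate(mx_hosts):
        findings.append(f"{domain}: MX routes inbound mail through a non-Exchange Online endpoint")
    policy = dmarc_policy(dmarc_txt)
    if policy != "reject":
        findings.append(f"{domain}: DMARC policy is p={policy or 'missing'}, not p=reject")
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier != "-":
        findings.append(f"{domain}: SPF ends in {qualifier or '(no all term)'}all rather than -all")
    return findings


# Constructed sample records (not real DNS data). gateway.example stands in for
# a hypothetical third-party security gateway in front of Office 365.
WEAK = dict(
    domain="contoso.com",
    mx_hosts=["mx1.gateway.example.", "mx2.gateway.example."],
    spf_txt="v=spf1 include:spf.protection.outlook.com include:_spf.gateway.example ~all",
    dmarc_txt="v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com",
)
HARDENED = dict(
    domain="contoso.com",
    mx_hosts=["contoso-com.mail.protection.outlook.com."],
    spf_txt="v=spf1 include:spf.protection.outlook.com -all",
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com",
)

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(**records)
        print(f"{label}: {len(findings)} enabling condition(s)")
        for finding in findings:
            print("  -", finding)
```

The hardened sample moves MX straight to Exchange Online only to show a clean result; keeping the gateway in front and enabling Enhanced Filtering for Connectors is the supported alternative. Note also that the weak record lists the gateway in SPF: once the gateway is an authorized sender, any message it relays with an internal MAIL FROM passes SPF at the tenant, which is why the gateway hop has to be handled at the connector rather than in the SPF record.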

Email Spoofing Attack Chain

  1. Target Identification: attackers scan for organizations whose MX records point to intermediate services (third-party gateways, security filters, or hybrid Exchange deployments) instead of Office 365 directly.
  2. SMTP Injection: malicious messages sent from external IPs (51.89.59.188, 162.19.129.232) exploit SMTP trust relationships and routing rules.
  3. Header Manipulation: intermediate services strip or modify authentication headers during processing, leaving ambiguous markers; the X-MS-Exchange headers become contradictory.
  4. Authentication Bypass: permissive DMARC policies and SPF soft fail (~all) configurations let the spoofed messages through, and each one appears as legitimate internal email.

Detection Signals: What Your Email and Network Logs Should Reveal

Security teams hunting for these spoofing attacks need to focus on the authentication misalignments that appear in email headers when messages traverse complex routing paths. The most important indicator is X-MS-Exchange-Organization-InternalOrgSender set to "True" alongside X-MS-Exchange-Organization-MessageDirectionality showing "Incoming": a message that presents itself as internal but entered the tenant from outside. Treat it as a strong signal rather than proof on its own, because mail that legitimately leaves the tenant and re-enters through a gateway or hybrid server can show the same pair; the authentication results below separate the two cases.

Authentication header analysis reveals distinct patterns when spoofing occurs through routing exploitation. Messages display compauth=fail reason=000, indicating an explicit DMARC failure, alongside spf=fail with external sender IPs such as those observed in the 51.89.59.0/24 and 162.19.129.0/24 ranges. The combination of dkim=none with dmarc=fail action=quarantine forms a signature that security teams can query across their email security platforms.

Network flow data exposes reconnaissance patterns that precede active spoofing campaigns. Threat actors probe mail servers through specific SMTP command sequences - initial EHLO commands from unusual geographic regions, followed by RCPT TO commands testing valid internal addresses. These probes generate distinctive patterns in SMTP logs: connection attempts lasting under 3 seconds, incomplete SMTP handshakes, and AUTH attempts using null credentials from IP addresses lacking reverse DNS entries.

DNS query analysis can provide early warning, with a caveat: queries for your MX, SPF, and DMARC records normally reach your authoritative servers from recursive resolvers, not from the attacker's own address, so this signal is only usable when you log authoritative-server queries and the actor resolves directly rather than through a public resolver. Where it is usable, attackers fetch MX, SPF, and DMARC records in rapid succession from the same source, creating tight temporal clusters. Security teams should watch for queries against the domain's authentication records from non-corporate IP ranges, particularly when SMTP connections from the same netblocks follow within 24-48 hours.

The X-MS-Exchange-Organization-ASDirectionalityType header value of "1" combined with X-MS-Exchange-Organization-AuthAs set to "Anonymous" shows that the message arrived over an unauthenticated SMTP session. That is normal for genuine external mail; it becomes evidence of spoofing only when the sender is in one of the tenant's accepted domains, which legitimate internal mail does not deliver anonymously unless it has round-tripped through a gateway or was submitted by a device using Direct Send. These headers persist even when messages bypass initial spam filters due to compauth=none reason=905 or reason=451, indicating complex routing scenarios where enforcement fails.
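The following added example, written for this article and not a Microsoft tool, applies the header checks from this section to raw message headers and separates the identity contradiction (internal sender, Incoming, Anonymous) from the authentication failures that confirm it. The three header blocks are constructed samples, not captured traffic: a spoofed message carrying the IP and authentication results quoted above, a genuine partner message, and an internal message that legitimately round-tripped through the gateway. The accepted-domain list, the partner.example and gateway source addresses, and the compauth=pass reason code in the benign samples are assumptions for the demonstration.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted domains (Get-AcceptedDomain in production).
ACCEPTED_DOMAINS = {"contoso.com"}


def parse_auth_results(value):
    """Extract method=result pairs, the compauth reason code and the connecting IP
    that Exchange Online recorded in the Authentication-Results header."""
    out = {m.group(1).lower(): m.group(2).lower()
           for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value, re.I)}
    reason = re.search(r"\breason=(\d+)", value)
    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", value)
    out["reason"] = reason.group(1) if reason else None
    out["sender_ip"] = ip.group(1) if ip else None
    return out


def analyze(raw_headers):
    """'spoofed-internal' when a message that presents itself as internal also fails
    authentication; 'review' when only one side is present; 'clean' otherwise."""
    msg = message_from_string(raw_headers)

    def hdr(name):
        return (msg.get(name) or "").strip()

    auth = parse_auth_results(hdr("Authentication-Results"))
    from_domain = parseaddr(hdr("From"))[1].rpartition("@")[2].lower()
    claims_internal = (from_domain in ACCEPTED_DOMAINS
                       or hdr("X-MS-Exchange-Organization-InternalOrgSender").lower() == "true")

    # Identity signals: the message looks internal but entered from outside.
    identity = []
    if claims_internal and hdr("X-MS-Exchange-Organization-MessageDirectionality").lower() == "incoming":
        identity.append("internal sender with MessageDirectionality=Incoming")
    if claims_internal and hdr("X-MS-Exchange-Organization-AuthAs").lower() == "anonymous":
        identity.append("internal sender with AuthAs=Anonymous (unauthenticated SMTP)")

    # Authentication signals: the tenant's own infrastructure did not send it.
    failures = []
    if auth.get("compauth") == "fail" and auth.get("reason") == "000":
        failures.append("compauth=fail reason=000 (explicit DMARC failure)")
    if auth.get("spf") in ("fail", "softfail"):
        failures.append(f"spf={auth['spf']} from {auth['sender_ip']}")
    if auth.get("dkim") == "none":
        failures.append("dkim=none (message not signed)")

    # Either list alone is ambiguous: mail that round-trips through the gateway is
    # Incoming too, and all external mail is anonymous. Both together is the signature.
    if identity and failures:
        verdict = "spoofed-internal"
    elif identity or failures:
        verdict = "review"
    else:
        verdict = "clean"
    return {"from_domain": from_domain, "sender_ip": auth["sender_ip"],
            "identity": identity, "failures": failures, "verdict": verdict}


# Constructed sample headers (not captured traffic); indented lines are header folds.
SPOOFED = textwrap.dedent("""\
    Authentication-Results: spf=softfail (sender IP is 162.19.129.232)
     smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
     dmarc=fail action=quarantine header.from=contoso.com;compauth=fail reason=000
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-MS-Exchange-Organization-InternalOrgSender: True
    From: "Contoso CEO" <ceo@contoso.com>
    To: payments@contoso.com
    Subject: Urgent: overdue invoice
    """)
PARTNER = textwrap.dedent("""\
    Authentication-Results: spf=pass (sender IP is 203.0.113.10)
     smtp.mailfrom=partner.example; dkim=pass (signature was verified) header.d=partner.example;
     dmarc=pass action=none header.from=partner.example;compauth=pass reason=100
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    From: Alice <alice@partner.example>
    """)
ROUNDTRIP = textwrap.dedent("""\
    Authentication-Results: spf=pass (sender IP is 198.51.100.7)
     smtp.mailfrom=contoso.com; dkim=pass (signature was verified) header.d=contoso.com;
     dmarc=pass action=none header.from=contoso.com;compauth=pass reason=100
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-MS-Exchange-Organization-InternalOrgSender: True
    From: HR <hr@contoso.com>
    """)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("partner", PARTNER), ("roundtrip", ROUNDTRIP)):
        result = analyze(raw)
        print(f"{label}: {result['verdict']} ({result['from_domain']} via {result['sender_ip']})")
        for line in result["identity"] + result["failures"]:
            print("  -", line)
```

Run against headers exported from quarantine or Explorer, the round-trip sample lands in "review" rather than "spoofed-internal" because its SPF, DKIM, and composite authentication all passed; that is the case the directionality header alone cannot distinguish, and it is why the verdict requires both lists.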

SMTP connection logs reveal exploitation attempts through specific patterns: connections initiating from IP addresses in AS208091, AS16276, or AS12876 (common VPS providers), using MAIL FROM addresses matching recipient domains, and generating SPF temperror or permerror results rather than standard fail responses. These connections often show TLS cipher suites inconsistent with legitimate mail servers - particularly the use of deprecated protocols like TLS 1.0 or weak ciphers.

Prioritization during triage requires distinguishing active exploitation from reconnaissance. Active exploitation manifests as messages with nested redirect URLs pointing to domains registered within 30 days, authentication headers showing all three protection mechanisms (SPF/DKIM/DMARC) failing simultaneously, and recipient addresses appearing in both To and From fields. Reconnaissance appears as repeated MX record queries without subsequent SMTP connections, port 25 scanning from residential IP ranges, and VRFY or EXPN command attempts against mail servers.

Real-time detection requires correlating these signals: when DNS queries for authentication records coincide with SMTP connections showing authentication failures and internal sender spoofing within a 4-hour window, immediate incident response activation is warranted.

Immediate and Short-Term Defenses: Prioritized Actions for Your Environment

Organizations facing active spoofing campaigns through routing exploitation need immediate defensive measures that directly address the authentication gaps these attacks exploit. The following actions, prioritized by implementation urgency, provide specific countermeasures against the routing manipulation techniques currently targeting enterprises.

Immediate Actions (Deploy Within 72 Hours)

The first critical step involves auditing existing email authentication policies for permissive configurations that enable spoofing. Organizations should verify their DMARC policy is set to p=reject rather than p=none or p=quarantine, so that receivers, their own tenant included, refuse messages that fail DMARC. Two caveats apply. DMARC at reject also bounces the organization's own mail wherever SPF or DKIM do not align, so every legitimate sending path, including mail that passes through the gateway, must be DKIM-signed and aligned before the policy changes; running at p=quarantine with aggregate reporting (rua=) first is the safe way to confirm that. And the policy is only as good as the receiver's view of the source IP: for the reject to bite on mail arriving through a trusted gateway, Exchange Online must be evaluating against the original sender, which is what Enhanced Filtering for Connectors provides.

Security teams must configure mail flow rules that specifically flag authentication misalignments. Create transport rules in Exchange Online that quarantine messages where the Authentication-Results header contains compauth=fail reason=000 combined with dmarc=fail. These rules act as a secondary defense layer when third-party connectors bypass native protections.

For organizations using third-party email gateways, implement Enhanced Filtering for Connectors immediately. It tells Exchange Online to skip over the gateway's hops and evaluate SPF, DMARC, and composite authentication against the IP that actually connected to the gateway. The connector must list the gateway's public IP ranges (the last hop before Office 365) as the addresses to skip, not private addresses, which Exchange Online never sees as a source. For a single-hop gateway the simplest form is Set-InboundConnector -Identity "ThirdPartyConnector" -EFSkipLastIP $true; with explicit ranges it is Set-InboundConnector -Identity "ThirdPartyConnector" -EFSkipIPs 203.0.113.0/24, where 203.0.113.0/24 stands in for the gateway provider's published egress ranges. Restricting the same connector to those ranges ensures that only the gateway can use it.

Short-Term Implementations (Complete Within 4 Weeks)

Deploy Brand Indicators for Message Identification (BIMI) to give recipients a visual cue on authenticated mail. BIMI displays the organization's logo next to messages that pass DMARC, so a spoofed message arrives without it. Note that this only works once DMARC is at enforcement (p=quarantine with pct=100 or p=reject), only in mail clients that render BIMI, and only as a positive signal, since users rarely notice a missing logo. Implementation requires publishing a BIMI record pointing at the logo and, for clients that demand one, a Verified Mark Certificate: default._bimi.contoso.com IN TXT "v=BIMI1; l=https://contoso.com/logo.svg; a=https://contoso.com/cert.pem".

Establish monitoring for DNS record modifications and BGP route announcements that could indicate infrastructure compromise. Alert on any change to SPF, DKIM, or DMARC records, as attackers who gain DNS access may weaken authentication policies before launching campaigns. Keeping the zone under version control with a tool such as DNSControl makes drift visible on every apply, and RouteViews data can be checked for unexpected announcements of the organization's prefixes.

Implement email routing segmentation to prevent relay abuse through Direct Send. Where no application still depends on unauthenticated submission, the tenant-level Reject Direct Send setting (RejectDirectSend on Set-OrganizationConfig) closes that path outright; otherwise create separate mail flow connectors for different message types:

  • Internal-only connector for device and application notifications, restricted to the organization's public egress IP ranges (Exchange Online never sees RFC1918 source addresses, so private ranges cannot serve as the restriction)
  • Partner connector with IP restrictions and certificate-based authentication
  • Cloud service connector with mandatory TLS and authentication requirements

Configure Authenticated Received Chain (ARC) for the approved forwarding path. ARC lets the gateway seal the authentication results it observed so that Exchange Online can honour them after the hop, preventing false positives on legitimate mail that traverses the service. Trusting a sealer means trusting its verdicts, so list only the gateway's exact signing domain. Enable ARC through: Set-ArcConfig -Identity default -ArcTrustedSealers "gateway.provider.com".

Deploy custom mail flow rules that enforce stricter validation for high-value targets. Create rules that require additional authentication for messages appearing to originate from executive accounts but containing external IP addresses in headers. These rules should trigger manual review rather than automatic delivery.

These targeted defenses specifically counter the routing manipulation techniques observed in current campaigns, providing layered protection while organizations work toward longer-term architectural improvements.

Long-Term Resilience: Addressing the Root Cause of Routing Vulnerabilities

Addressing the fundamental infrastructure vulnerabilities that enable routing-based spoofing requires organizations to confront decades of accumulated technical debt in their network and DNS architectures. These systemic weaknesses persist not because solutions don't exist, but because implementing them demands significant capital investment, operational disruption, and coordination across multiple teams and external partners.

The economics of infrastructure hardening create a challenging paradox for security leaders. Border Gateway Protocol (BGP) security implementations through Resource Public Key Infrastructure (RPKI) deployment can prevent route hijacking that enables spoofing, yet fewer than 40% of global autonomous systems have deployed RPKI validation according to recent NIST measurements. The implementation requires router upgrades, staff training, and coordination with upstream providers who may resist changes that add latency or complexity to their operations.

Organizations pursuing RPKI deployment face a multi-quarter project spanning network operations, security, and vendor management teams. The technical implementation involves establishing Route Origin Authorizations (ROAs) for all advertised prefixes, configuring routers to perform origin validation, and implementing policies for invalid route handling. Each step requires careful testing to avoid accidentally blackholing legitimate traffic—a risk that makes network teams hesitant to proceed without extensive change windows and rollback procedures.

DNS infrastructure hardening presents similar challenges, with DNSSEC deployment remaining below 25% adoption despite being available for over a decade. Signing introduces key management overhead, increases response sizes in ways that can trigger fragmentation, and only pays off when the recursive resolvers that clients use actually validate signatures. Organizations must maintain signing keys, implement automated key rollovers, and monitor for validation failures that could render domains unreachable.

The business case for these foundational controls requires security leaders to quantify prevented losses rather than immediate returns. A comprehensive RPKI and DNSSEC deployment typically costs between $250,000 and $500,000 for mid-sized enterprises, including hardware upgrades, consulting services, and operational changes. This investment prevents attacks that might never occur, making budget approval challenging when competing against initiatives with measurable productivity gains.

Email infrastructure modernization extends beyond authentication protocols to address architectural decisions made when email was considered a convenience rather than critical infrastructure. Legacy SMTP relays, often installed for application notifications or partner communications, create authentication bypasses that attackers exploit. Identifying and decommissioning these systems requires application inventory projects, vendor negotiations, and potentially breaking workflows that have operated unchanged for years.

The organizational dynamics around infrastructure hardening reveal why reactive patching often wins over preventive architecture changes. Network teams own BGP configurations but lack security mandates. DNS teams report to different management chains than email administrators. Security teams identify risks but lack authority over infrastructure budgets. This fragmentation means comprehensive hardening requires executive sponsorship to align competing priorities and overcome departmental resistance.

Technical teams should sequence these initiatives based on attack surface reduction potential: first eliminating unnecessary SMTP relays and enforcing strict ingress filtering, then implementing DNSSEC for critical domains, and finally pursuing RPKI deployment as network refresh cycles permit. This phased approach allows organizations to demonstrate incremental security improvements while building operational expertise for more complex implementations.

Threat Actor Profile and Campaign Context

The campaign landscape surrounding these routing-based spoofing attacks reveals a diverse ecosystem of threat actors operating with varying levels of sophistication and objectives. Storm-1747, the primary threat group tracked by Microsoft in connection with these attacks, demonstrates operational characteristics typical of financially motivated cybercriminal organizations rather than nation-state actors. Their infrastructure choices and targeting patterns suggest a focus on maximizing return on investment through volume-based credential harvesting operations.

The geographic distribution of victims spans North America, Western Europe, and Southeast Asia, with particular concentration in organizations maintaining legacy email infrastructure or hybrid cloud deployments. Financial services, healthcare providers, and manufacturing sectors experience disproportionate targeting—industries where email-based business processes remain critical and where complex IT environments create authentication gaps.

Campaign analysis reveals distinct operational phases aligned with business cycles. Attack volumes spike during quarterly financial reporting periods and major holiday seasons, suggesting actors time their campaigns to exploit periods when security teams face resource constraints or when employees process higher volumes of seemingly legitimate internal communications.

The Tycoon2FA phishing-as-a-service platform emerges as the dominant technical enabler across observed campaigns. This commoditization of attack infrastructure allows even moderately skilled actors to execute sophisticated spoofing attacks without developing custom tools. The platform's adversary-in-the-middle capabilities specifically target organizations relying on traditional MFA implementations, demonstrating how criminal innovation adapts to defensive improvements.

Attribution confidence remains moderate due to infrastructure overlap between multiple criminal groups. The actors demonstrate operational security awareness through their use of bulletproof hosting providers and frequent rotation of command infrastructure. IP addresses associated with campaigns originate from providers known for minimal law enforcement cooperation, including services in Eastern European jurisdictions.

Financial fraud campaigns observed alongside credential phishing operations suggest either collaboration between specialized groups or expansion of traditional phishing operators into business email compromise schemes. The fake invoice campaigns targeting accounting departments demonstrate specific knowledge of corporate payment processes, potentially indicating insider knowledge or extensive reconnaissance capabilities.

The technical sophistication required varies significantly across observed campaigns. While exploiting routing misconfigurations requires understanding of email authentication protocols, the actual execution leverages widely available tools and services. This accessibility explains the rapid adoption observed since May 2025, with incident volumes increasing month-over-month as knowledge spreads through criminal forums.

Organizations matching specific risk profiles face elevated targeting probability. Companies undergoing mergers or acquisitions, those with publicly disclosed email migration projects, and entities maintaining relationships with multiple managed service providers appear in victim lists with higher frequency. This targeting intelligence suggests actors conduct preliminary reconnaissance to identify organizations with complex email routing scenarios.

The evolution from opportunistic credential harvesting to targeted financial fraud indicates maturation of actor capabilities and objectives. Early campaigns focused on volume-based credential collection for resale on criminal markets. Recent operations demonstrate patience and planning consistent with targeted attacks against specific organizations, suggesting either skill progression or entry of more sophisticated actors into this attack vector.
