Microsoft backs DMARC as protection against Tycoon 2FA phishing surge

Published on: January 8, 2026

TL;DR:

Bad actors are exploiting misconfigured email servers to send highly convincing phishing emails that appear to come from inside organizations. These attacks use sophisticated kits like Tycoon 2FA to bypass weak SPF, DKIM, and DMARC implementations, particularly targeting Office 365 customers with complex routing setups. Microsoft warns that customers with non-standard routing, especially those not pointing MX records directly to Microsoft, are at the highest risk. Red Sift OnDMARC provides the comprehensive email authentication and monitoring needed to close these gaps, ensuring your organization reaches DMARC reject policy and preventing attackers from spoofing your domains to target employees, customers, and suppliers.

Microsoft has warned about a surge in sophisticated phishing campaigns exploiting weak email authentication configurations. Attackers are taking advantage of misconfigured servers to send emails that appear to come from inside the target organization, bypassing standard security checks and tricking employees into revealing credentials.

The attacks aren't new, but they've grown significantly more prevalent in the second half of 2025. According to Microsoft, criminals are abusing how some organizations route email and how they implement authentication protocols. When email passes through third-party services or on-premises servers, SPF, DKIM, and DMARC checks are sometimes weak or not strictly enforced.

Attackers exploit these gaps by sending emails from outside the company but using the company's own domain as the sender address. Because the system doesn't fully reject failed checks, the email gets accepted and marked as internal. The resulting message looks legitimate and makes employees far more likely to trust it and hand over credentials.

Microsoft highlights that Office 365 customers with non-standard and complex routing configurations face the highest risk. Organizations not pointing their MX records directly to Microsoft are urged to review and address their email authentication setup immediately.

The vulnerability in complex email routing

The problem centres on authentication protocols that verify email senders. SPF checks which servers can send email for a domain, DKIM adds a digital signature to messages, and DMARC tells receiving servers what to do when checks fail.

These protocols work well when email flows directly between providers. But in complex setups involving third-party filtering services, on-premises infrastructure, or unusual routing, authentication can break down. Emails might pass some checks but fail others, and if policies aren't set to reject, messages slip through.

Attackers have learned to identify organizations with weak configurations. They craft phishing campaigns using known toolkits like Tycoon 2FA, creating convincing lures themed around voicemails, shared documents, HR communications, or password resets. The emails look identical to legitimate internal messages, complete with familiar sender addresses and display names.

This isn't targeted spear phishing. These are broad, opportunistic attacks aimed at harvesting as many credentials as possible. In some cases, stolen passwords enable secondary Business Email Compromise attacks, where criminals use legitimate accounts to request wire transfers or sensitive data.

Why misconfiguration enables domain spoofing

Your domain is a trust signal. When employees receive an email from a colleague, they expect it to be genuine. When customers receive an email from your company, they trust it represents your organization.

Attackers understand this psychology. By spoofing your domain and making emails appear internal, they exploit the trust your brand has built with employees and external partners. The attacks succeed because authentication failures aren't consistently blocked.

Organizations with complex routing often implement authentication as a secondary layer rather than a fundamental security control. Email might be scanned for malware and filtered for spam, but if authentication checks fail without triggering rejection, the door remains open to spoofing.

Red Sift OnDMARC addresses this by providing complete visibility into your email authentication posture. The platform monitors all email sources claiming to send on your behalf, identifies misconfigurations in real time, and guides you through implementing the correct policies across your entire email infrastructure.

Protecting your organization from internal spoofing

Getting to DMARC reject policy is the single most effective way to prevent domain spoofing. A reject policy tells receiving servers to completely block emails that fail authentication checks. No grey area, no maybe, no slipping through.

But reaching reject safely requires visibility and testing. You need to know every legitimate source sending email for your domain. You need to validate that your SPF, DKIM, and DMARC records are correctly configured across all services. You need to monitor for failures that indicate problems with legitimate email flow or signs of spoofing attempts.
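To make the policy step concrete, here is an added example (not code from Red Sift, Microsoft or this article) of how a receiving server turns SPF and DKIM results plus a published DMARC record into a disposition, so the same spoofed "internal" message is delivered under p=none and blocked under p=reject. The domains, results and the two-label organizational-domain shortcut are constructed assumptions.

```python
# DMARC disposition evaluator: an added example, not Red Sift or Microsoft code.
# Models what a receiving server does after SPF and DKIM have been evaluated:
# check identifier alignment against the From-header domain, then apply the
# domain's published DMARC policy. All inputs below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless overridden
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain approximated as the last two labels (real
    receivers use the Public Suffix List; simplified for this example)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') needs a shared org domain; strict ('s') an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition): 'none' when DMARC passes, otherwise
    the published p= value (none, quarantine or reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]

if __name__ == "__main__":
    # Article's scenario: mail from outside infrastructure with the company's
    # domain in From. SPF passes for the sender's own envelope domain but does
    # not align, and there is no DKIM signature for the company domain.
    for policy in ("none", "quarantine", "reject"):
        print(policy, dmarc_disposition(f"v=DMARC1; p={policy}", "example.com",
                                        "pass", "attacker-infra.example", "none", None))
```

The last call shows why SPF "pass" alone is not enough: the passing domain must align with the From domain, and only the published policy decides whether an unaligned message is dropped.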

Red Sift OnDMARC provides this visibility through comprehensive DMARC reporting and analysis. The platform aggregates reports from receiving servers worldwide, showing exactly which sources are sending email using your domain and whether they're passing or failing authentication checks.

This intelligence lets you identify misconfigured services before they cause email delivery problems. It reveals unauthorized sources attempting to spoof your domain. It guides you through the process of moving from monitoring to quarantine to reject policy without disrupting legitimate business communications.
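As an added illustration of what that reporting contains (this is not OnDMARC's code), the following parses a DMARC aggregate report in the XML format receivers send and flags sources that failed both aligned checks yet were still delivered because the published policy was p=none. The report, IP addresses and domains are constructed.

```python
# Aggregate (RUA) report summariser: an added example, not Red Sift's OnDMARC
# code. Parses the DMARC aggregate-report XML that receivers send (RFC 7489
# Appendix C) and lists each reported source with its outcome, which is how
# you tell misconfigured legitimate senders from spoofing before moving to
# p=quarantine or p=reject. The report below is constructed.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker-infra.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarise_report(xml_text):
    """Return (published p= value, rows). A row is flagged
    delivered_unauthenticated when both aligned checks failed yet the
    receiver still delivered it, i.e. the policy was too weak to stop it."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf, disp = ev.findtext("dkim"), ev.findtext("spf"), ev.findtext("disposition")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),  # envelope domain SPF checked
            "dkim": dkim, "spf": spf, "disposition": disp,
            "delivered_unauthenticated": dkim != "pass" and spf != "pass" and disp == "none",
        })
    return root.findtext("policy_published/p"), rows

if __name__ == "__main__":
    policy, rows = summarise_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for r in rows:
        flag = "  <-- failed DMARC but was delivered" if r["delivered_unauthenticated"] else ""
        print(f'{r["source_ip"]:15} count={r["count"]:4} dkim={r["dkim"]} spf={r["spf"]}{flag}')
```

The flagged row is exactly the signal to act on: the SPF domain the receiver checked is not yours, the From domain is, and with p=none nothing stopped it.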

For Office 365 customers with complex routing, OnDMARC integrates directly with your infrastructure to ensure authentication works correctly across hybrid environments. The platform identifies gaps in your configuration and provides specific remediation steps for your setup.

Validating your email security posture

Understanding your current authentication status is the first step toward protection. Red Sift provides free tools to help organizations assess their exposure:

Red Sift Investigate allows you to test whether your email flow complies with authentication standards. Send a test email and receive detailed analysis of how your messages are authenticated and what receiving servers see when evaluating your domain.

Radar Lite checks your domain's overall security posture, identifying weaknesses in DNS configuration, certificate management, and email authentication that attackers could exploit.

These tools provide immediate insight into vulnerabilities that sophisticated campaigns like Tycoon 2FA target. If your organization hasn't reached DMARC reject or if you're unsure whether your authentication is properly configured, now is the time to investigate.

Taking action

Microsoft's warning about Tycoon 2FA and similar campaigns demonstrates how quickly attackers adapt to exploit weak authentication. Office 365 customers with complex routing configurations face particular risk, but any organization without proper DMARC implementation remains vulnerable.

Reaching reject policy protects your organization from phishing attacks that impersonate your domains. It protects your customers and suppliers from receiving fraudulent emails that appear to come from you. It prevents the credential theft that enables secondary attacks like Business Email Compromise.

Red Sift OnDMARC provides the visibility, guidance, and monitoring needed to implement authentication correctly across your entire email infrastructure and maintain protection as your environment evolves.

If your organization hasn't reached DMARC reject or if you're running complex email routing that might have authentication gaps, the time to address this is now.
