Pulse name: Phishing actors exploiting complex routing scenarios and misconfigured spoof protections
TLP: WHITE | Author: AlienVault | Created: 2026-01-07 | Modified: 2026-02-06
Indicators of compromise: 6 (low volume)
Threat actors are abusing complex mail-routing scenarios and misconfigured spoof protections to send phishing emails that appear to be internal communications. These attacks, which have increased since May 2025, use lures such as voicemail notifications, shared documents, and password resets to conduct credential phishing and financial scams. The campaigns, which often use phishing-as-a-service (PhaaS) platforms such as Tycoon2FA, are opportunistic and target multiple industries. While Microsoft detects most attempts, organizations can further reduce risk by correctly configuring spoof protections and third-party connectors. Customers whose Microsoft Exchange MX records point to Office 365 are not affected, because built-in spoofing detections protect them.
MITRE ATT&CK techniques: none listed
Malware families: Tycoon2FA
Indicators of Compromise (6)

TYPE      INDICATOR                     DESCRIPTION   CREATED
domain    absoluteprintgroup.com        -             2026-01-07
domain    integralsm.cl                 -             2026-01-07
domain    scanuae.com                   -             2026-01-07
hostname  2fa.valoufroo.in.net          -             2026-01-07
hostname  goorooyi.yoshemo.in.net       -             2026-01-07
hostname  online.amphen0l-fci.com       -             2026-01-07