
Internal domain phishing increasingly fueled by misconfiguration, complex routing exploits

Since May, a growing number of threat actors have been abusing spoof-protection misconfigurations and complex mail-routing scenarios to impersonate targeted organizations' own domains and deliver phishing messages that appear to originate internally, Security Affairs reports.

According to an analysis from Microsoft Threat Intelligence, multiple campaigns used messages that failed SPF or DMARC checks, carried headers indicating anonymous external delivery, and lacked DKIM signatures, yet still landed in inboxes looking like internal mail. Links in those messages led to bogus CAPTCHA pages that redirected to credential-stealing Tycoon2FA phishing pages. Attackers also hijacked ongoing email threads to run financial scams in which they impersonated the organization's CEO, accounting staff, or a supplier. Most of the schemes succeeded because the targets' email authentication controls were weak.
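The indicators above (a From: address on the organization's own domain, an SPF or DMARC failure, and no DKIM signature) can be checked mechanically from the Authentication-Results header the receiving server stamps on each message. The following is an added example written for this page, not code from the article or from Microsoft's report. It assumes `example.com` is the organization's domain and parses three constructed sample messages; the header contents are made up for illustration and are not real captures.

```python
"""Triage mail for spoofed 'internal' messages.

Flags messages whose From: claims our own domain while the receiving server's
Authentication-Results header shows an SPF or DMARC failure and no DKIM pass.
Added example; sample messages are constructed, OUR_DOMAIN is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own sending domain

# Constructed sample messages (not real captures).
SAMPLES = [
    # 0: claims to be the CEO, fails SPF and DMARC, unsigned -> the pattern in the article
    "From: CEO <ceo@example.com>\r\n"
    "To: accounting@example.com\r\n"
    "Subject: Urgent wire\r\n"
    "Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.9) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=example.com\r\n"
    "\r\nPlease process the attached invoice today.\r\n",
    # 1: genuine internal mail, every check passes
    "From: IT <it@example.com>\r\n"
    "To: staff@example.com\r\n"
    "Subject: Maintenance window\r\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com\r\n"
    "\r\nMail will be unavailable tonight from 22:00.\r\n",
    # 2: external sender failing SPF, but not claiming our domain -> not this pattern
    "From: Vendor <billing@vendor.invalid>\r\n"
    "To: ap@example.com\r\n"
    "Subject: Invoice\r\n"
    "Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=vendor.invalid; "
    "dkim=none header.d=none; dmarc=fail action=quarantine header.from=vendor.invalid\r\n"
    "\r\nInvoice attached.\r\n",
]

# Matches the method=result pairs of RFC 8601, e.g. "spf=fail", "dkim=none".
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from one Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in _RESULT_RE.finditer(value)}


def is_spoofed_internal(raw: str, our_domain: str = OUR_DOMAIN) -> bool:
    """True if From: is on our domain but the message failed SPF/DMARC and has no DKIM pass."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != our_domain.lower():
        return False  # external senders are a different problem; not this pattern
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        results.update(parse_auth_results(header))
    auth_failed = results.get("spf") in {"fail", "softfail"} or results.get("dmarc") == "fail"
    no_dkim_pass = results.get("dkim") != "pass"
    return auth_failed and no_dkim_pass


def triage(messages) -> list:
    """Indices of messages that match the spoofed-internal pattern."""
    return [i for i, raw in enumerate(messages) if is_spoofed_internal(raw)]


if __name__ == "__main__":
    for i in triage(SAMPLES):
        subj = message_from_string(SAMPLES[i]).get("Subject")
        print(f"sample {i}: suspicious spoof of {OUR_DOMAIN}: {subj!r}")
```

Only the Authentication-Results header added by your own receiving server should be trusted; attackers can pre-stamp a forged one, which is why production filters strip or ignore such headers arriving from outside. Note also that a hijacked thread sent from a genuinely compromised mailbox will pass all three checks, so this triage catches domain spoofing, not account takeover.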

"Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations' domains," said the report, which emphasized the importance of proper MX record configurations in mitigating risk.
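The weak settings the report warns about are visible in a domain's published TXT records: an SPF record ending in `~all` (soft fail) instead of `-all` (hard fail), and a DMARC record with `p=none` instead of `p=reject`. The audit below is an added example written for this page, not code from the article or the report. It checks constructed record strings for placeholder domains rather than querying DNS, so it runs offline; in practice the records would be fetched with a DNS client. It does not cover the third-party connector or MX configuration the report also mentions.

```python
"""Audit SPF and DMARC TXT records for soft-fail and non-enforcing policies.

Added example. WEAK and HARDENED are constructed records for placeholder domains;
the include: hostnames and mailto: addresses are illustrative, not real.
"""
import re

# Constructed records (not fetched from DNS).
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.vendor.invalid ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.vendor.invalid -all",
    "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; "
              "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"),
}


def spf_all_qualifier(record: str):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?', '+', or None if absent."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all' per RFC 7208
    return None


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(records: dict) -> list:
    """Return human-readable findings; an empty list means the records are strict."""
    findings = []

    qualifier = spf_all_qualifier(records.get("spf", ""))
    if qualifier is None:
        findings.append("SPF: record missing or has no 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every sender")
    elif qualifier in ("~", "?"):
        findings.append(f"SPF: '{qualifier}all' is a soft fail; publish '-all'")

    dmarc = parse_dmarc(records.get("dmarc", ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; publish p=reject")
    subdomain_policy = dmarc.get("sp", policy).lower()  # sp= defaults to p=
    if subdomain_policy != "reject":
        findings.append(f"DMARC: subdomain policy sp={subdomain_policy}; publish sp=reject")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so failures go unreported")
    return findings


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(recs) or ['OK']}")
```

Move to `-all` and `p=reject` only after the aggregate (`rua=`) reports show every legitimate sender, including third-party services that send as your domain, passing SPF or DKIM alignment; otherwise the strict policy will reject your own mail along with the spoofed messages.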
