
The blog noted that while the attack vector isn’t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared documents.
“Internal” routing and weak policies are at fault
The fault lies in how receiving mail servers interpret incoming messages. When MX records lead to complex mail paths, such as on-premises systems or third-party relays sitting in front of Microsoft 365, standard spoof-protection checks such as SPF hard-fail and strict DMARC enforcement may not be applied correctly.
In these cases, a phishing email can arrive with the recipient’s own address in both the “To” and “From” fields: a spoofed message that looks internal at a glance. Attackers sometimes also change the sender’s display name to make the message more convincing, while the “From” address remains a valid internal one.
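The failure mode above is detectable at the mailbox side: a message whose “From” address is in the organisation’s own domain should also carry a passing DMARC (and SPF or DKIM) result, and a self-addressed message that arrived with failed or absent checks is a strong signal. The script below is an added example, not code from the article or from any vendor it mentions. It assumes the receiving server stamps a standard Authentication-Results header (RFC 8601) and uses the placeholder domain `example.com`; both sample messages are constructed for illustration.

```python
"""Flag inbound mail that claims to be internal but did not pass
sender authentication (added example; sample messages are constructed)."""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed protected domain (placeholder)

# Constructed sample: a "password reset" lure that arrived via an external
# relay with the recipient's own address in both From and To, failing checks.
SPOOFED_RAW = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Received: from relay.example.net (relay.example.net [203.0.113.10]) by mx.example.com
From: "IT Helpdesk" <alice@example.com>
To: alice@example.com
Subject: Password reset required
Content-Type: text/plain

Your password expires today.
"""

# Constructed sample: a genuine internal message whose checks all passed.
LEGIT_RAW = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/plain

Noon?
"""


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header.
    A method that is not present at all is reported as 'missing', which is
    exactly the case where a check was never applied."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header or "")
        results[method] = m.group(1).lower() if m else "missing"
    return results


def assess(raw: str, our_domain: str = OUR_DOMAIN) -> dict:
    """Return a verdict dict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    claims_internal = from_domain == our_domain
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    reasons = []
    if claims_internal:
        # An internal From address must be backed by an aligned DMARC pass.
        if auth["dmarc"] != "pass":
            reasons.append(f"internal From but dmarc={auth['dmarc']}")
        # Neither SPF nor DKIM vouched for the message.
        if auth["spf"] != "pass" and auth["dkim"] != "pass":
            reasons.append(f"spf={auth['spf']} and dkim={auth['dkim']}")
        # The self-addressed pattern described in the article.
        if from_addr and from_addr.lower() == to_addr.lower():
            reasons.append("From equals To (self-addressed)")

    return {
        "from": from_addr,
        "display_name": display_name,
        "claims_internal": claims_internal,
        "auth": auth,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        verdict = assess(raw)
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

The check deliberately treats a missing method as a failure: when a relay in front of the tenant strips or never adds the authentication result, an internal-looking sender with no DMARC verdict is the situation the article describes, not a benign gap. In a real deployment the same logic belongs in a transport rule or mail-flow filter rather than a post-delivery script.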
