Phishing Campaigns Exploiting Domain Spoofing and Complex Routing
Threat actors have intensified phishing operations by leveraging complex email routing techniques and exploiting domain misconfigurations to successfully spoof trusted brands. These campaigns manipulate email infrastructure weaknesses, allowing attackers to send convincing phishing emails that appear to originate from legitimate domains, thereby increasing the likelihood of user engagement and credential compromise. Security researchers have observed that such tactics are being used to bypass traditional email security controls, making detection and prevention more challenging for organizations.
During the holiday season, attackers combined these advanced spoofing methods with social engineering, sending emails that mimic Docusign notifications and Christmas-themed documents to exploit user trust and seasonal distractions. Victims are redirected through multiple hosting platforms before landing on credential harvesting sites, and a secondary wave of attacks targets personal financial data through fake loan application forms. The campaigns demonstrate a sophisticated use of both technical and psychological tactics to maximize the impact on both corporate and individual targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses domain spoofing via routing misconfigurations
On January 6, 2026, Microsoft published research warning that phishing actors were exploiting complex routing techniques and email misconfigurations to spoof legitimate domains and bypass traditional defenses. The company also outlined mitigations including stricter SPF/DMARC enforcement, proper connector configuration, and direct MX routing to Microsoft 365 where possible.
Forcepoint X-Labs identifies and analyzes holiday phishing infrastructure
Forcepoint's X-Labs analyzed the infrastructure and threat chain behind the holiday phishing surge, documenting how the campaigns chained credential harvesting with identity-theft questionnaires across multiple platforms. The research established the attacks as a coordinated effort designed to maximize data theft.
Holiday phishing wave uses DocuSign spoofing and fake loan forms
During the 2025 Christmas and New Year holiday season, attackers launched coordinated phishing campaigns that spoofed DocuSign notifications and used fake loan application workflows to harvest credentials, identity data, and banking information. Victims were redirected through multiple stages and additional fraudulent sites to maximize monetization and follow-on scams.
Microsoft blocks 13 million Tycoon 2FA-linked phishing emails
In October 2025, Microsoft reported blocking more than 13 million malicious emails associated with the Tycoon 2FA phishing-as-a-service platform. The activity highlighted the scale of campaigns using adversary-in-the-middle techniques and MFA bypass in routing-gap phishing operations.
Phishing campaigns exploiting email routing gaps increase
Microsoft Threat Intelligence observed a surge in phishing attacks beginning in May 2025 that abused misconfigured MX records, weak SPF/DMARC settings, and complex mail routing to make messages appear to come from inside targeted organizations. The campaigns used lures such as HR notices, password resets, shared documents, voicemail alerts, and fake invoices to steal credentials or enable fraud.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Phishing-Angreifer setzen vermehrt auf E-Mail-Routing-Lücken
csoonline.com
Open sourceHackers Exploited Routing Scenarios and Misconfigurtions to Effectively Spoof Organizations
cybersecuritynews.com
Open sourceMicrosoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing
thehackernews.com
Open sourceMicrosoft warns of a surge in phishing attacks exploiting email routing gaps
csoonline.com
Open sourceMisconfigured email routing enables internal-spoofed phishing
securityaffairs.com
Open sourceMisconfigured email routing enables internal-spoofed phishing
securityaffairs.com
Open sourcePhishing actors exploit complex routing and misconfigurations to spoof domains
microsoft.com
Open sourceChristmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
Mar 21, 2026
Credential Phishing Campaigns Exploiting E-Signature and Note-Sharing Platforms
A widespread phishing campaign has targeted over 6,000 organizations across multiple sectors by impersonating trusted digital document platforms such as SharePoint and DocuSign. Attackers crafted emails that closely mimicked legitimate notifications, using authentic-looking subject lines, formatting, and logos to deceive recipients. The phishing links were obfuscated through services like Mimecast, Bitdefender, and Intercom, making them appear trustworthy and bypassing security filters. The primary objective was to lure users into credential theft pages, with industries such as consulting, tech, real estate, healthcare, and government being heavily targeted due to their reliance on document exchanges. In a related tactic, threat actors have begun abusing the NoteGPT platform, an AI-powered note-sharing service, to host malicious files and further disguise phishing attempts. Victims receive emails that appear to be secure document notifications from familiar brands like Microsoft OneDrive, but the links redirect to NoteGPT-hosted phishing pages. These emails often spoof legitimate company addresses and use plain, routine subject lines to avoid suspicion. Once users attempt to access the fake documents, they are prompted to enter their credentials, which are then harvested by the attackers. Both campaigns highlight the increasing sophistication of phishing operations leveraging trusted platforms and services to evade detection and compromise professional accounts.
Mar 21, 2026
Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls
Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect. In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
Mar 21, 2026