Attackers exploit misconfigured email routing and weak spoof protections to send internal-looking phishing emails for credential theft and scams.