In a rapidly evolving cybersecurity landscape, defenders continually play catch-up as threat actors devise innovative ways to evade detection, exploit trust, and steal sensitive information. A recent revelation by cybersecurity researchers highlights a sophisticated phishing campaign targeting Microsoft 365 users, with attackers leveraging a multi-layered redirect technique that abuses link wrapping services from trusted vendors like Proofpoint and Intermedia. This attack vector—detected over recent months by teams such as Cloudflare Email Security—illustrates the inherent duality in security technologies and spotlights the ongoing arms race between attackers and defenders.

Anatomy of a Multi-Layer Redirect Phishing Attack

Phishing remains a leading method for credential theft and initial access breaches. What’s notable about this latest campaign is the way it manipulates legitimate features implemented for user safety. Link wrapping, as offered by Proofpoint’s URL Defense and Intermedia, is designed to protect end users by routing all outbound links through a scanning service. When someone clicks a link in their email, the URL is rewritten to go through, for example, urldefense.proofpoint.com, allowing the service to block or allow the destination based on real-time threat intelligence.
In theory, this should be a robust frontline defense: even if a staff member receives a suspicious email, the scanning service should intercept known malicious sites and stop credentials from being phished. Yet the attackers have found gaps in this armor. If a wrapped link hasn’t already been flagged as dangerous at click time—perhaps because the malicious site is newly registered or the infrastructure is rapidly changing—the link is allowed through, bypassing the very protection intended.
Cloudflare’s research details how attackers gain unauthorized access to email accounts that already use link wrapping. This is a crucial escalation: any malicious URL sent from a compromised account is automatically rewritten with the trusted Proofpoint wrapper. What’s more, attackers add another layer of obfuscation by cloaking the underlying malicious destination with a URL shortener like Bitly or TinyURL. The typical attack chain now looks like this:
  • The attacker creates a shortened, obfuscated link pointing to a phishing page.
  • They send this link from a Proofpoint-protected email account.
  • Proofpoint’s service rewrites the already-obscured link, but unless the hidden destination is known as malicious at that moment, it passes through.
  • The recipient, seeing a familiar and trusted wrapper (e.g., urldefense.proofpoint.com/v2/url?u=<malicious_website>), is far more likely to click through and become a victim.
Thus, the traditional advice to “hover over links” no longer helps: all the URLs are routed through trusted domains, making the dangers invisible to the naked eye and even to many technical controls.

Social Engineering: Masquerading as Trustworthy Communications

Phishing is undeniably a social engineering game, and these campaigns are no exception. Attackers persistently exploit the branding and urgency of commonly used business tools—Microsoft 365, Teams, Zoom—to trick users into action. According to Cloudflare's report and others:
  • Voicemail Scams: Emails pose as missed call or voicemail notifications, inviting recipients to “listen” to their message by clicking a link (which goes through double-wrapped redirects).
  • Document Sharing or Teams Notifications: Messages claim the user has a document awaiting review on Microsoft Teams, or they’ve received an unread message, pushing for an immediate response.
  • Teams “Reply” Lures: By impersonating Teams messages—complete with “Reply in Teams” buttons—threat actors capitalize on work-from-anywhere habits.
Everything about these messages is engineered for credibility, triggering a reflexive, habitual click. It’s not just Microsoft branding at play; attackers have recently turned to Zoom lures, sending meeting invitations that redirect through multiple domains before leading to a fake page. After the victim clicks, they may encounter a screen mimicking a “meeting connection timed out” error—a convincingly faked UI—prompting for credentials to “rejoin.” The cycle ends with credentials and additional data being exfiltrated, often via channels like Telegram, to threat actors.

Technical Innovation: Exploiting SVG and Multi-Stage Infection Chains

Modern phishing isn’t limited to text and hyperlinks. Another troubling trend is the weaponization of Scalable Vector Graphics (SVG) files. Unlike static JPEG and PNG images, SVGs are XML-based and can contain embedded JavaScript, hyperlinks, and interactive elements.
  • SVG as an Infection Vector: Attackers embed malicious code inside SVG attachments or image links, which evade detection by many legacy email filters that expect threats in executables or scripts but not in image files.
  • Multi-Stage Attacks: The SVG file may lead users to intermediate sites, harvest device/browser fingerprints, or silently initiate download of further malware.
According to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), this approach allows phishing messages to fly under the radar, especially since SVGs appear visually harmless and are frequently used for logos and icons in corporate communications.

Bypassing Advanced Defenses: Outpacing AI and Threat Intelligence

A key challenge for defenders is the tight “innovation loop” in phishing techniques. Link wrapping services rely on known threat databases and AI-powered anomaly detection. However, many attackers exploit speed and novelty:
  • Speed of Infrastructure Change: They rapidly spin up new phishing domains or switch destination URLs inside link shorteners, always just ahead of detection.
  • Abuse of Trust: By sending from previously compromised accounts already inside an organization, campaigns can sidestep security controls tuned to flag external threats or new senders.
  • Evading User Awareness: Because all links are rewritten—including internal, legitimate links—users may lose the ability to distinguish genuine company communications from phishing attempts.
This is compounded by the blending of technical sophistication and psychological manipulation, increasing the campaign’s odds of success.

Evaluating the Defense: Strengths and Blind Spots in Link Wrapping

Notable Strengths

  • Real-time Scanning: Services like Proofpoint scan URLs at click time rather than only at delivery, going beyond static blocklists and catching payloads that are activated after the email has arrived.
  • Analytics and Forensics: Wrapped links can be logged, enabling organizations to study click patterns, detect anomalous activity, and trace the lifecycle of an attack.
  • Policy Enforcement: Organizations can define rules—blocking entire domains or categories—beyond traditional virus scanning.

Potential Risks and Limitations

  • Zero-Day Blind Spots: If the malicious destination hasn’t been encountered previously, or is unique to the campaign, it can slip through.
  • Increased Phishing Success: As Cloudflare researchers emphasize, the abuse of trusted, familiar wrappers “significantly increases the likelihood of a successful attack” because users let their guard down.
  • False Sense of Security: Over-reliance on automated scanning may erode user vigilance and cause organizations to deprioritize frontline employee training.
  • Challenges to Incident Response: Multi-layer redirect chains can complicate digital forensics; it’s tricky to trace the original payload or retroactively block access.

Implications Beyond Microsoft 365: The Expanding Attack Surface

While the current escalation focuses on Microsoft 365, Teams, and Zoom, the underlying tactics are vendor-agnostic. Any platform using third-party link wrapping or scanning, whether for email security or workflow automation, could be similarly abused. This has ripple effects for all cloud-centric organizations that rely on seamless, cross-app integrations.
Attackers have also demonstrated an affinity for exfiltrating compromised data through encrypted, difficult-to-monitor channels—like Telegram or dark web paste sites—further complicating detection. According to a Cofense report, these channels now collect not just credentials but geolocation data (IP address, country, region) upon every successful phish.

Recommendations: Building a Multi-Layered, Adaptive Defense

To respond to these multi-tiered, dynamic threats, security professionals and IT administrators are urged to consider several layered defenses:

Harden Technical Controls

  • Augment Link Wrapping: Combine URL scanning with additional context-aware protections, such as browser isolation, advanced sandboxing, and integration of threat intelligence sharing.
  • Restrict URL Shortener Use: Filter or block the use of popular URL shorteners, especially in incoming email.
  • Monitor for SVG and Unusual Attachments: Update scanning engines to parse and inspect SVG/XML files, looking for embedded scripts or external resource calls.

Empower and Educate End Users

  • Ongoing Phishing Simulations: Regular, realistic campaigns help reinforce skepticism and teach users to spot subtle cues.
  • Incident Reporting Culture: Make it easy for suspicious emails to be flagged and investigated, reducing dwell time and escalation potential.
  • Awareness of Link Wrapping Limitations: Communicate to staff that even “safe-link” branded URLs aren’t inherently trustworthy, especially when the destination unexpectedly asks them to enter credentials.

Enhance Incident Detection and Response

  • Trace the Redirect Chain: Develop log correlation strategies that can parse multi-layered URLs and map redirected endpoints.
  • Automate Threat Sharing: Leverage collective intelligence, e.g., by reporting newly discovered redirect patterns to security partners and industry groups.
  • Adaptive Policy Updates: Remain flexible with domain and sender whitelists/blacklists as attackers evolve their infrastructure.
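As an added example (not code from the post, Cloudflare or Proofpoint) of the “trace the redirect chain” step and of the wrapped-shortener pattern in the attack chain described earlier: a small Python triage helper that peels the urldefense.proofpoint.com v2 wrapper off a URL and flags when the hidden destination is a URL shortener. The v2 decoding rule it applies (‘/’ written as ‘_’, other reserved bytes as ‘-XX’ hex) is an assumption based on Proofpoint’s publicly documented decoder; the shortener list, the click-log lines and the PLACEHOLDER values are constructed for the demo.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com"}  # shorteners named in the post; constructed starter list
WRAPPER_HOST = "urldefense.proofpoint.com"     # the wrapper domain the post shows
_HEX = re.compile(r"-([0-9A-Fa-f]{2})")
_URL = re.compile(r"https?://[^\s\"'<>]+")

def unwrap_proofpoint_v2(url: str) -> Optional[str]:
    """Return the destination hidden in a URL Defense v2 link, else None.
    Assumption (not stated in the post): the v2 'u' parameter encodes '/' as '_'
    and every other reserved byte as '-XX' hex, as Proofpoint's public decoder does.
    """
    parts = urlparse(url)
    if parts.netloc.lower() != WRAPPER_HOST or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if encoded is None:
        return None
    decoded = encoded.replace("_", "/")                           # step 1: '_' -> '/'
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), decoded)  # step 2: '-XX' -> char

def classify_link(url: str) -> dict:
    """Peel the wrapper (if any) and flag the wrapped-shortener pattern."""
    inner = unwrap_proofpoint_v2(url)
    destination = inner if inner is not None else url
    shortener = (urlparse(destination).hostname or "").lower() in SHORTENER_DOMAINS
    if inner is not None and shortener:
        verdict = "suspicious"  # trusted wrapper hiding a shortener: the chain the post describes
    elif shortener:
        verdict = "review"      # bare shortener in mail: worth a second look
    else:
        verdict = "info"
    return {"wrapped": inner is not None, "destination": destination,
            "shortener": shortener, "verdict": verdict}

def scan_text(text: str) -> list:
    """Classify every URL found in a mail body or click-log excerpt."""
    return [classify_link(u) for u in _URL.findall(text)]

# Constructed sample click log: a wrapped shortener, a wrapped internal link, a bare shortener.
SAMPLE_LOG = """\
2025-08-01T09:12:03Z click user=alice url=https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abcXYZ&d=PLACEHOLDER&e=
2025-08-01T09:14:41Z click user=bob url=https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.contoso.example_docs_q3-2Dreport.pdf&d=PLACEHOLDER&e=
2025-08-01T09:20:17Z click user=carol url=https://tinyurl.com/PLACEHOLDER
"""
if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(hit["verdict"], hit["wrapped"], hit["destination"])
```

The “suspicious” verdict is the post’s exact chain (trusted wrapper around a shortener); a real deployment would add the shortener’s own expansion as a further hop and feed the verdicts into the click-log correlation the section recommends.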

Critical Analysis: The Cat-and-Mouse Game Endures

This ongoing escalation between attackers and defenders is emblematic of broader cybersecurity trends. On one side, security solutions innovate by layering context and intelligence onto everyday workflows. On the other, attackers subvert those very features, turning trust and convenience into weapons. The abuse of link wrapping isn’t a failure of technology—rather, it’s a stark demonstration of the difficulty in creating truly “future-proof” security measures.
The central risks lie in false confidence and the ever-present threat of social engineering. Technical controls provide a solid foundation, but cannot fully replace adaptive human intuition. As phishing techniques grow in complexity, the balance between usability and security will remain a contentious frontier.
It is also important to flag that while direct attribution of attacks and complete visibility into their impact requires access to closed, proprietary data and incident disclosures, the core claims in Cloudflare’s research and coverage by New Jersey cyber authorities are corroborated by parallel reports from other major cybersecurity vendors. Nevertheless, readers are advised to treat anecdotal victim numbers, campaign success rates, and precise chain-of-custody details with some caution, as attackers routinely vary their methods and campaign footprints.

Looking Ahead: The Future of Defensive Innovation

What does the road ahead look like? Expect to see increased integration of behavioral analytics and AI-based anomaly detection, enabling more proactive identification of phishing TTPs (tactics, techniques, and procedures). However, as always, these will introduce their own risks—false positives, user fatigue, and sophisticated attacker evasion.
Organizations must view every new security feature with a critical, adversarial mindset. The story of multi-tier redirect phishing is a clear warning: features built to enhance safety can become liabilities when trust is misplaced or monitoring lags.
In conclusion, the discovery of multi-layered redirect tactics in Microsoft 365 phishing underscores the importance of a holistic security posture. Defenders must pair technical controls with agile human judgment and recognize that no single layer—however sophisticated—will suffice. Only through relentless adaptation, education, and collaboration can the evolving landscape of phishing be effectively navigated, keeping users and organizations one step ahead in the cat-and-mouse game of cybersecurity.

Source: The Hacker News Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials