A recent phishing campaign has shown how a protective feature of trusted email security services can be turned against the users it is meant to protect: attackers abused the link-wrapping features of Proofpoint and Intermedia to run large-scale phishing campaigns against Microsoft 365 logins. By hijacking a mechanism designed to keep users safe, the attackers dressed their phishing links in the branding of a corporate defense, sharply raising the odds that a target would click and hand over credentials.

Background: The Evolution of Phishing Attacks

Email has long stood as both the backbone of business communication and a prime avenue for cybercrime. As organizations moved to cloud-based suites like Microsoft 365, attackers sharpened their focus, knowing that one set of stolen credentials could unlock a trove of sensitive corporate data.
To defend against this threat, security vendors such as Proofpoint and Intermedia offer link-wrapping. These services rewrite every URL in an email, replacing it with an address on the vendor's own domain that routes the click through the vendor's scanning infrastructure. If the destination is judged malicious at click time, the click is blocked before the user ever reaches it.
However, this very technology has become the latest avenue of attack.

Anatomy of the Link-Wrapping Exploit​

How Link-Wrapping Works​

At its core, link-wrapping takes any URL embedded in an incoming email and replaces it with a link generated by the security service. When clicked, the user's traffic is routed through the security platform, which scans the destination, consults threat intelligence, and allows or blocks access based on its current risk assessment. The wrapped domain therefore signals only that the click will be evaluated by the service, not that the destination is safe; in practice, though, many users read a Proofpoint or Intermedia domain as a stamp of approval.

The Attackers’ Playbook​

This illusion of safety became the vulnerability. According to research published by Cloudflare's Email Security team, the attackers first gained access to mailboxes at organizations already protected by these services, likely through earlier phishing or brute-force attacks. With a legitimate, trusted account in hand, they sent waves of email from inside the protected tenant, so every outbound link was wrapped by the victim organization's own security service.
Here's where the sophistication emerges:
  • Initial Link Obfuscation: Attackers first shortened their phishing URLs with public URL shorteners, so the link itself revealed nothing about its true destination.
  • Link Laundering via Security Service: Because the shortened links were sent from a compromised account that the security service protects, the service automatically rewrote them to URLs on its own trusted domain, laundering the phishing link into a branded, apparently security-vetted one.
  • Multi-Tiered Redirect Chains: A click now traverses the wrapping service, then the shortener, then the phishing page. Each hop hides the next, and because the message itself comes from a legitimate mailbox, it passes email gateways and spam filters that judge the sender and the first-hop domain.
  • Targeted Lures: Victims received believable messages, such as fake voicemail alerts, alleged Microsoft Teams notifications, or "Zix" secure message prompts.
  • Final Redirect: On clicking, users landed not on a benign destination but on a carefully crafted Microsoft 365 phishing page, where any credentials entered were delivered directly to the attacker.
This chain stymied traditional analysis and bypassed several layers of corporate email defenses at once.
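The chain described above, as an added example (not code from the article, from Cloudflare, or from any vendor): a small Python resolver that walks a wrapped link hop by hop and judges the final destination rather than the wrapper. The Proofpoint urldefense v2 decoding follows the format of Proofpoint's published URL decoder but is an assumption here; the Intermedia-style wrapper host, the short links, the redirect table and the phishing hostname are constructed placeholders, and the table stands in for live HTTP so the code runs offline.

```python
"""Resolve a link-wrapped redirect chain offline and judge the final hop, not the wrapper.

Added example; not code from the article or from any email security vendor. The redirect
table, the Intermedia-style wrapper host, the short links and the lure hostnames below are
constructed. The urldefense v2 'u=' decoding ('_' for '/', '-XX' for a hex-encoded byte)
follows Proofpoint's public URL decoder but is treated here as an assumption.
"""
import re
from urllib.parse import urlparse, parse_qs

# Real Proofpoint wrapper host plus a constructed stand-in for a second vendor's wrapper.
SECURITY_WRAPPERS = {"urldefense.proofpoint.com", "linkprotect.intermedia.example"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Hosts on which a Microsoft 365 sign-in legitimately takes place.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Microsoft-themed tokens that, on a non-Microsoft host, mark a credential-phishing lookalike.
LOOKALIKE = re.compile(r"(microsoft|office|o365|m365|outlook|sharepoint|teams|login)", re.I)


def unwrap_proofpoint_v2(url):
    """Decode a urldefense v2 link locally; returns None if `url` is not one (assumed format)."""
    p = urlparse(url)
    if p.netloc.lower() != "urldefense.proofpoint.com" or not p.path.startswith("/v2/url"):
        return None
    u = parse_qs(p.query).get("u")
    if not u:
        return None
    step1 = u[0].replace("_", "/")                       # '_' encodes '/'
    return re.sub(r"-([0-9A-Fa-f]{2})",                  # '-XX' encodes one byte
                  lambda m: chr(int(m.group(1), 16)), step1)


def follow_chain(start, redirects, max_hops=10):
    """Return every hop from the link a user sees to the page that finally loads.

    `redirects` maps a URL to the Location it redirects to (absent = final page); it stands
    in for live HTTP. Proofpoint hops are decoded locally, which is what the wrapping
    service itself does before forwarding the click."""
    hops, seen = [start], {start}
    while len(hops) <= max_hops:
        cur = hops[-1]
        nxt = unwrap_proofpoint_v2(cur)
        if nxt is None:
            nxt = redirects.get(cur)
        if nxt is None:
            return hops
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        hops.append(nxt)
    raise ValueError("too many redirects")


def assess_chain(hops):
    """Record wrapper/shortener hops as context, but score only the terminal destination."""
    hosts = [urlparse(h).netloc.lower() for h in hops]
    final_host, final_path = hosts[-1], urlparse(hops[-1]).path
    wrapped = any(h in SECURITY_WRAPPERS for h in hosts)
    shortened = any(h in URL_SHORTENERS for h in hosts)
    if final_host in MICROSOFT_LOGIN_HOSTS:
        risk = "low"                                      # the real sign-in service
    elif LOOKALIKE.search(final_host) or LOOKALIKE.search(final_path):
        risk = "high"                                     # Microsoft-themed page, not Microsoft's host
    else:
        risk = "review"                                   # laundered, not obviously themed
    return {"final_host": final_host, "wrapped": wrapped, "shortened": shortened,
            "hops": len(hops), "risk": risk}


# Constructed sample: a voicemail lure (shortened, then wrapped by Proofpoint) and a Teams lure
# (wrapped by the stand-in vendor, then shortened) that happens to end at the genuine login page.
REDIRECTS = {
    "https://bit.ly/3xVmail": "https://voicemail-m365-portal.example.net/login",
    "https://linkprotect.intermedia.example/?u=https%3A%2F%2Ftinyurl.com%2Fshared-doc":
        "https://tinyurl.com/shared-doc",
    "https://tinyurl.com/shared-doc": "https://login.microsoftonline.com/common/oauth2/authorize",
}
VOICEMAIL_LURE = "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xVmail&d=DwMFaQ"
TEAMS_LURE = "https://linkprotect.intermedia.example/?u=https%3A%2F%2Ftinyurl.com%2Fshared-doc"

if __name__ == "__main__":
    for lure in (VOICEMAIL_LURE, TEAMS_LURE):
        chain = follow_chain(lure, REDIRECTS)
        print(" -> ".join(chain))
        print(assess_chain(chain))
```

The practical point is in assess_chain: the wrapper and shortener hops are kept as context, but the verdict depends only on where the user actually ends up, checked against the hosts on which a Microsoft 365 sign-in can legitimately occur. The same lookalike host would be scored "high" whether it arrived wrapped, shortened, or bare.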

Real-World Examples and Tactics​

Impersonation Scenarios​

Attackers tailored their messages to fit familiar workflows:
  • Voicemail Notifications: Users received emails suggesting a new voicemail was waiting, complete with corporate branding and personalized details.
  • Microsoft Teams Alerts: Some targets saw messages indicating a shared document or new chat notification within Teams, leveraging the urgency and ubiquity of collaboration tools.
  • Secure Message Prompts: Others encountered notifications allegedly from trusted services like Zix, inviting them to view sensitive legal or financial documents.
In each case, the delivered link looked exactly as a security-conscious user would expect—hosted on trusted, scanned, and approved domains.

Reply Button Exploits​

A secondary facet involved weaponizing the "Reply" button itself. In some lures the Reply button rendered in the message body was simply another link to the credential-harvesting page, so a user who chose to respond rather than click the obvious call to action still landed on the phishing site. Even cautious behavior was turned into a click.

Why These Attacks Are So Dangerous​

Authenticity Through Laundering​

The crux of this campaign's success lies in its weaponization of trust. Because the links point at domains belonging to security brands such as Proofpoint and Intermedia, and the messages originate from known, authorized corporate accounts, most standard user guidance about suspicious links and unknown senders no longer applies.
Many security teams treat their email gateway as both the first and the last line of defense. When that system has visibly "checked" a link, the odds of a user second-guessing the payload plummet.

Bypassing Traditional Defenses​

Legacy spam filters and Secure Email Gateways (SEGs) are increasingly outsmarted:
  • Internal Sender: Messages come from compromised, internal, or partner accounts, less likely to be flagged.
  • Trusted Domains: Wrapped URLs use domains that, in any other scenario, would denote legitimacy.
  • Multi-step Redirection: Each step in the redirect chain further obscures the final phishing destination, making automated detection and sandbox analysis less effective.

Technical Analysis: Strengths Abused, Weaknesses Exposed​

Link Wrapping—The Double-Edged Sword​

Strengths:
  • Preserves audit trails and enables granular tracking of user clicks
  • Automatically screens destinations against large threat intelligence databases
  • Increases user trust in email communications originating from protected domains
Weaknesses:
  • Compromised Accounts Invalidate the Chain: Once an account under a trusted domain is breached, all outbound messages inherit the veneer of legitimacy.
  • Redirects Bypass Analysis: Each sequential redirect, through a URL shortener and then the wrapping service, defeats scanners that stop at the first hop or that treat the wrapper's own domain as trusted; only a tool that follows the chain to its end sees the phishing page.
  • Security Fatigue: Users exposed to constant “legitimate” prompts from trusted domains are more likely to lower their guard over time.

The Ripple Effect: Impact on Enterprises and Users​

Amplified Risk for Microsoft 365​

Microsoft 365, as the dominant productivity suite globally, is a lucrative target. With a single set of credentials, attackers can access:
  • Email and calendar data (Outlook)
  • Corporate documents (OneDrive, SharePoint)
  • Team communications (Microsoft Teams)
  • Potentially sensitive business intelligence and financial records
Successful compromise can precipitate lateral movement within networks, ransomware deployment, and large-scale business email compromise (BEC) fraud.

Undermining User Confidence​

Repeated incidents where trusted security mechanisms are weaponized threaten to undermine user confidence in all digital security tools. As users become less able to differentiate safe notifications from actual threats, the potential for error rises steeply.

Complicating Incident Response​

Traditional incident response frameworks assume traffic routed through known, branded security service domains can be deprioritized as ‘safe’. This incident flips that assumption and forces security teams to treat all email traffic—including those with certain security service wrappers—with renewed suspicion.

Defensive Strategies Against Hijacked Email Security Features​

Rethinking Email Security Paradigms​

Enterprises and SMBs alike must recognize that no single security control is bulletproof. Defense-in-depth approaches, where security protections overlap, are crucial to blunting similar campaigns in the future.
Key recommendations include:

1. Zero Trust Principles​

Adopting a Zero Trust model means treating every interaction—internal or external, wrapped or direct—with a degree of skepticism. This involves:
  • Continuous monitoring of user behavior after login
  • Dynamic risk assessments factoring in unusual access times, locations, or device fingerprints
  • Automatic re-authentication for sensitive actions

2. Multi-Factor Authentication (MFA)​

Even if credentials are phished, MFA can still stop the login. But campaigns like this one increasingly pair the fake login page with an adversary-in-the-middle proxy that relays the victim's one-time code or push approval to the real service in real time, or simply repeat push prompts until a tired user approves one. Phishing-resistant methods, such as FIDO2/WebAuthn security keys and passkeys, bind the credential to the legitimate origin, so a lookalike host cannot complete the sign-in; these should be prioritized over codes and push approvals.

3. Advanced Threat Intelligence and Behavioral Analysis​

Security solutions that analyze behavior over time—rather than relying solely on static threat databases—can detect anomalies like bulk email transmission or odd login geography, prompting immediate containment.

4. User Awareness 2.0​

Training needs to evolve beyond 'don’t click suspicious links.' Users must be briefed on attack chains that abuse trusted security features—and encouraged to verify even benign-appearing prompts, particularly for sensitive actions. Regular simulated phishing tests, focused on exploiting current trends like link-wrapped URLs, can help condition vigilance.

5. Incident Response Readiness​

Rapid response capabilities and prebuilt playbooks for credential compromise ensure that, when a breach is detected, containment and remediation happen in minutes, not days.

Future Directions for Email Security Vendors​

Closing the Loop on Account Compromise​

Vendors need to innovate beyond static link scanning. Forward-thinking features could include:
  • Signaling for Compromised Accounts: Automatically detecting and disabling outbound email capabilities for accounts exhibiting anomalous behavior, even before administrator intervention.
  • Context-Aware Link Analysis: Dynamic analysis that weighs the risk of a link based on the sending account’s recent behavior and internal/external origination.
  • Real-Time Link Reassessment: Wrapped links are already evaluated at click time, but a freshly stood-up phishing host often has no bad reputation at the moment of the first click. Vendors should keep re-scoring historic wrapped links as reputation changes, and weigh behavioral signals (a shortener hop ending at a credential form on a host with no history) rather than blocklists alone, so that a user is blocked even days or weeks after delivery.
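One way to implement the behavioral signal recommended under "Advanced Threat Intelligence and Behavioral Analysis" and under "Signaling for Compromised Accounts" above, as an added example (not the article's or any vendor's code): detection logic run over a constructed outbound message trace, flagging a mailbox that suddenly sends a burst of shortener links to many external recipients, the pattern a laundered phishing wave produces. The tenant domain, addresses, timestamps, thresholds and trace format are assumptions.

```python
"""Flag a mailbox that starts sending a burst of shortener links to external recipients.

Added example; not code from the article or from any email security vendor. The trace
records, tenant domain, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"            # assumed tenant domain
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
WINDOW = timedelta(minutes=10)              # sliding window per sender
MIN_MESSAGES = 5                            # messages inside one window
MIN_EXTERNAL_RECIPIENTS = 4                 # distinct recipients outside the tenant
MIN_SHORTENER_RATIO = 0.5                   # share of messages carrying a shortener link

# Constructed outbound trace: (UTC timestamp, sender, recipient, subject, first URL in body or None).
TRACE = [
    ("2025-08-04T09:00:10Z", "alice@corp.example", "bob@corp.example",   "Q3 budget",    "https://intranet.corp.example/fin"),
    ("2025-08-04T09:30:00Z", "alice@corp.example", "carol@corp.example", "Re: Q3 budget", None),
    ("2025-08-04T11:00:00Z", "alice@corp.example", "eve@vendor.example", "Invoice 1042", "https://intranet.corp.example/ap"),
    # dave legitimately mails five partners within minutes: intranet links, no shorteners
    ("2025-08-04T12:00:00Z", "dave@corp.example", "p1@partner.example", "Roadmap", "https://intranet.corp.example/roadmap"),
    ("2025-08-04T12:01:00Z", "dave@corp.example", "p2@partner.example", "Roadmap", "https://intranet.corp.example/roadmap"),
    ("2025-08-04T12:02:00Z", "dave@corp.example", "p3@partner.example", "Roadmap", "https://intranet.corp.example/roadmap"),
    ("2025-08-04T12:03:00Z", "dave@corp.example", "p4@partner.example", "Roadmap", "https://intranet.corp.example/roadmap"),
    ("2025-08-04T12:04:00Z", "dave@corp.example", "p5@partner.example", "Roadmap", "https://intranet.corp.example/roadmap"),
    # alice's mailbox, now compromised, bursts voicemail lures carrying a shortened link
    ("2025-08-04T13:02:00Z", "alice@corp.example", "ext1@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
    ("2025-08-04T13:02:40Z", "alice@corp.example", "ext2@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
    ("2025-08-04T13:03:15Z", "alice@corp.example", "ext3@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
    ("2025-08-04T13:04:00Z", "alice@corp.example", "ext4@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
    ("2025-08-04T13:04:50Z", "alice@corp.example", "ext5@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
    ("2025-08-04T13:05:30Z", "alice@corp.example", "ext6@client.example", "New voicemail (0:42)", "https://bit.ly/3xVmail"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def _is_shortener(url):
    return bool(url) and urlparse(url).netloc.lower() in URL_SHORTENERS


def detect_bursts(trace):
    """Slide a window over each sender's messages; emit one alert per sender at the first window
    that combines volume, external fan-out and shortener links. Recipient count and link type
    together separate a phishing wave from a legitimate bulk mailing."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, subject, url in trace:
        by_sender[sender].append((_ts(ts), rcpt, subject, url))
    alerts = []
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m[0])
        for i, (t0, _, _, _) in enumerate(msgs):
            win = [m for m in msgs[i:] if m[0] - t0 <= WINDOW]
            if len(win) < MIN_MESSAGES:
                continue
            external = {m[1] for m in win if _is_external(m[1])}
            ratio = sum(_is_shortener(m[3]) for m in win) / len(win)
            if len(external) >= MIN_EXTERNAL_RECIPIENTS and ratio >= MIN_SHORTENER_RATIO:
                alerts.append({
                    "sender": sender,
                    "window_start": t0.isoformat(),
                    "messages": len(win),
                    "external_recipients": len(external),
                    "shortener_ratio": round(ratio, 2),
                    "subjects": sorted({m[2] for m in win}),
                    # automated containment before an administrator looks at it
                    "actions": ["block outbound mail", "revoke sessions",
                                "reset password", "re-enrol MFA"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(TRACE):
        print(alert)
```

The thresholds are deliberately conservative and would be tuned per tenant; the design point is that dave's five-message partner mailing and alice's six-message lure wave look identical on volume alone, and only the combination of external fan-out and shortener links in the body separates them. In a production pipeline the alert's action list would drive the vendor-side "disable outbound" step described above rather than wait for an administrator.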

Transparency and Admin Tools​

Providing IT admins with clear forensic logs and context for flagged links—including each stage of redirect and the original destination—empowers faster detection and stoppage of ongoing campaigns.

The Broader Implications: What This Means for Cloud Security​

The compromise of email security features is part of a broader trend: attackers increasingly target not just end users or applications, but the infrastructure and trusted middleware that underpins modern cloud operations. This leapfrogs many perimeter-based assessments and highlights the limitations of traditional 'trust, but verify' strategies.
It's a wakeup call for enterprises: security is never static. Even the most advanced, reputable security defenses can be weaponized when basic principles, such as account hygiene and layered security, are neglected; the mailboxes abused here were ordinary user accounts, not privileged ones.

Conclusion: Trust, But Continually Verify​

The recent campaign exploiting Proofpoint and Intermedia’s link-wrapping technology marks a significant escalation in the tactics used by threat actors. By transforming the tools of defense into engines of attack, these hackers have shifted the goalposts for what constitutes a secure email ecosystem.
Organizations must adapt—moving beyond static defenses to dynamic, context-rich, and behavior-oriented security strategies. For end users, the message is clear: trust must be continually earned, not passively granted by a branded link or familiar-looking notification.
As attacks continue to evolve, so too must our approach, blending technical sophistication with relentless vigilance and a healthy skepticism of anything—even a security service—that claims to guarantee safety on its own.

Source: Tom's Guide, "Email security features are being hijacked to steal Microsoft 365 logins — what you need to know"
 
