Cybercriminals have once again proven their adaptability by leveraging trusted technology—from cybersecurity companies themselves—to bypass email defenses and target Microsoft 365 users. In a revealing discovery, threat actors have been exploiting link-wrapping services from well-known vendors like Proofpoint and Intermedia to disguise and deliver phishing campaigns aimed at stealing Microsoft 365 login credentials. This alarming twist not only challenges the perceived security of email gateways but also highlights a rapidly evolving adversarial landscape.

Overview

Email security remains a high-stakes battlefield, especially as businesses continue relying on cloud productivity platforms like Microsoft 365. Traditionally, measures such as URL rewriting and link wrapping are employed by cybersecurity providers to deter attacks, scanning links for malicious intent before the user can click through. The latest threat campaign has successfully weaponized these protective features, subverting their purpose to pave the way for highly convincing credential theft.

How Link-Wrapping Services Became a Double-Edged Sword

What is Link Wrapping?

Link wrapping is a security mechanism where URLs in emails are rewritten to a trusted domain managed by a security provider. The service acts as a gateway: it inspects the destination when a user clicks, blocking suspicious or known malicious links. This approach is meant to build user trust and reduce risk from phishing campaigns.

The Sophisticated Abuse: Multi-Layered Redirects

Hackers in this campaign bypassed protections by:
  • Compromising accounts protected by Proofpoint and Intermedia.
  • Distributing emails containing links first shortened via URL shorteners, then sent from a protected account.
  • Using the recipient’s security solution to automatically wrap these links in a trusted domain.
  • Ensuring that when users clicked, the links were first inspected and laundered through security gateways, then ultimately redirected to Microsoft 365 phishing sites.
This multi-tiered redirection, combining URL shortening and link wrapping, added layers of legitimacy to phishing attempts and challenged even savvy recipients to spot the deception.

Anatomy of the Attack

Entry Point: User Account Compromise

The attack’s first phase saw hackers gain unauthorized access to email accounts with active security protections, possibly through pre-existing credentials or prior phishing activity. This foothold allowed threat actors to send emails from within organizations or trusted third parties, leveraging the credibility of internal communications.

Obfuscation and Laundering of Malicious Links

The key innovation in this campaign was the obfuscation of phishing URLs:
  • Malicious links were shortened using popular URL shorteners.
  • These links, sent through compromised accounts, were then automatically wrapped in Proofpoint’s or Intermedia’s security URL scheme.
  • Recipients saw links from highly reputable domains, camouflaging the true destination and evading both automated scanning and user suspicion.

Phishing Themes and Targets

The attackers employed highly effective social engineering tactics, including:
  • Voicemail notifications: Emails claimed to provide links to new voicemails.
  • Shared Microsoft Teams documents: Recipients were told they had access to important Teams files.
  • Fake secure message alerts: Messages pretended to be notifications from secure email services like Zix or communications from platforms users already trusted.
The ultimate aim of each lure was to direct users, through a trusted redirect chain, to meticulously crafted Microsoft 365 phishing pages.

Technical Deep Dive: Evasion Techniques

Exploiting Service Trust

By passing malicious URLs through the link-wrapping defenses of Proofpoint and Intermedia, adversaries exploited the inherent trust these services command. Email gateways and even many endpoint security solutions treat wrapped links from such providers as benign, allowing the malicious chain to sail through.

Chain of Redirects

Attackers layered their links for maximum effect:
  • Malicious URL generated (e.g., a fake Microsoft 365 login page).
  • URL shortened using a legitimate shortening service.
  • Sent from a previously compromised or legitimate account to further bolster trust.
  • The organization's security gateway automatically wrapped the link, tying it to a trusted security company’s domain.
  • When clicked, the link flowed through several redirects before landing on the phishing site, frustrating tracing and sandbox analysis.

Abuse Patterns Across Platforms

Cloudflare researchers observed both Proofpoint and Intermedia’s services being abused using slight variations. In Proofpoint’s case, multi-tiered redirects and account compromise were combined, while with Intermedia, the bait often referenced “Zix secure message” notifications or faked Microsoft Teams alerts. In both cases, the obfuscated links led to credential harvesting sites.

Risks and Implications

Undermining Email Security Paradigms

This attack method strikes at the heart of modern email security infrastructure. Link wrapping and rewriting, previously considered robust countermeasures, were ironically transformed into launchpads for phishing. The risk is especially acute because:
  • Users are conditioned to trust links from security vendors.
  • Security tools may not always re-examine links that are already wrapped by trusted domains.
  • Attackers with access to compromised accounts can amplify their reach, spreading phishing at scale within reputable organizations.

Potential for Widespread Impact

The campaign specifically targeted Microsoft 365—a vital business productivity suite deeply embedded in both public and private sector organizations. Unauthorized access to these accounts can lead to:
  • Business email compromise (BEC) and financial fraud.
  • Data exfiltration, sensitive document exposure, and regulatory violations.
  • Further internal phishing waves, exploiting organizational trust from within.

Defenses: What Can Be Done?

Beyond Link Wrapping

Security vendors and organizations should not rely solely on link wrapping or URL rewriting as a panacea. While still valuable, these measures require augmentation:
  • Multi-Layer Content Analysis: Continuous scanning, not just at the time of email delivery but also at the moment of click.
  • Behavioral Analytics: Identifying unusual logins or mass-sending events—even from legitimate accounts—should trigger alerts or automatic isolation.
  • User Education: End users should be trained that even trusted-looking links may hide danger, especially if email content appears urgent, unexpected, or out of business context.
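To make the wrapper-to-shortener chain described under "Chain of Redirects" concrete, and to show the click-time re-examination that the "Multi-Layer Content Analysis" point calls for, here is an added Python example (not code from the post, Cloudflare, Proofpoint or Intermedia) that unwraps a rewritten link, follows it through a shortener and flags a chain that does not end on the expected sign-in host. The Proofpoint URL Defense v2 parameter scheme it decodes, the `short.example` shortener, the `m365-voicemail.example.net` landing page and the redirect table are all assumptions constructed for this example.

```python
from urllib.parse import urlparse, parse_qs, unquote

WRAPPER_HOSTS = {"urldefense.proofpoint.com"}   # trusted link-wrapping (rewriting) domain
SHORTENER_HOSTS = {"short.example"}              # constructed stand-in for a URL shortener
EXPECTED_HOSTS = {"login.microsoftonline.com"}   # where a genuine Microsoft 365 sign-in lands

# Constructed stand-in for the shortener's HTTP redirects; no network access is needed.
REDIRECTS = {
    "https://short.example/vm-0421": "https://m365-voicemail.example.net/login",  # phishing page
    "https://short.example/ok": "https://login.microsoftonline.com/",
    "https://short.example/loop": "https://short.example/loop",
}

def unwrap_proofpoint_v2(url):
    """Recover the inner URL of a Proofpoint URL Defense v2 link (assumed scheme:
    the 'u' parameter encodes '%' as '-' and '/' as '_'). Other URLs come back unchanged."""
    p = urlparse(url)
    if p.netloc not in WRAPPER_HOSTS or not p.path.startswith("/v2/url"):
        return url
    inner = parse_qs(p.query).get("u", [""])[0]
    return unquote(inner.replace("_", "/").replace("-", "%"))

def resolve_chain(url, max_hops=8):
    """Walk wrapper -> shortener -> landing page, stopping on a loop or an unknown hop."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        cur = hops[-1]
        nxt = unwrap_proofpoint_v2(cur)
        if nxt == cur:                  # not a wrapped link: look up its redirect instead
            nxt = REDIRECTS.get(cur)
        if nxt is None:
            return hops, "terminal"
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        hops.append(nxt)
    return hops, "too_many_hops"

def classify(url):
    """Verdict for a link as it appears in the delivered email."""
    hops, status = resolve_chain(url)
    hosts = [urlparse(h).netloc for h in hops]
    if status != "terminal":
        return "suspicious (" + status + ")"
    if hosts[-1] in EXPECTED_HOSTS:
        return "benign"
    if hosts[0] in WRAPPER_HOSTS and any(h in SHORTENER_HOSTS for h in hosts):
        return "laundered: wrapper -> shortener -> " + hosts[-1]
    return "review: lands on " + hosts[-1]
```

In a real click-time scanner the redirect table would be replaced by following live HTTP responses, and the verdict would feed the gateway's block-or-allow decision rather than a string.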

Vendor Responsibilities

Technology providers must:
  • Monitor their link-wrapping infrastructure for unusual patterns, such as high volumes of redirects to uncharacteristic domains.
  • Collaborate with other vendors and independent security researchers to quickly share threat intelligence.
  • Maintain and disclose transparent incident reporting to help customers understand risks and shape their own defenses accordingly.

Zero Trust Principles

Fundamentally, organizations should move toward a Zero Trust approach, where trust is continuously evaluated, and no channel is inherently regarded as safe, regardless of vendor assurances.

Critical Analysis: Strengths and Weaknesses of Current Email Defenses

Link Wrapping—A Valuable Tool with Blind Spots

Link wrapping remains a cornerstone of defense against mass phishing. Its strengths include:
  • Automated screening: URLs are systematically checked for known malicious hosts.
  • Threat intelligence feeds: Blocking or reclassifying malicious endpoints as information surfaces.
  • User protection at click-time: Potential to prevent late-weaponized links.
However, as this campaign proves, intelligent adversaries can turn these very features into tools for obfuscation. Marrying link wrapping to account compromise, the attackers made security services complicit in their campaign.

The Perpetual Arms Race

This incident showcases the evolving chess match between attackers and defenders. Each improvement in security infrastructure triggers creative countermeasures by adversaries. The exploitation of link wrapping represents a sophisticated wave in phishing innovation, demanding faster intelligence sharing and adaptive security postures among defenders.

The Role of User Trust and Social Engineering

Attackers exploited more than just technology—they manipulated human psychology. By emulating legitimate notification themes (voicemails, Teams messages, secure document alerts), the adversary capitalized on users’ sense of urgency, curiosity, and the presumption of security fostered by recognized brands.
This underlines a persistent truth: technical defenses are vital, but end-user awareness and vigilance remain equally critical.

Mitigation Strategies: Actionable Steps for Organizations

  • Enforce Multi-Factor Authentication (MFA): Even if credentials are harvested, account access can be blocked by robust MFA methods.
  • Implement Real-Time Phishing Protection: Use solutions that analyze URLs and page content as users engage, not just on delivery.
  • Regularly Audit Security Solutions: Ensure that link-wrapping configurations are reviewed and updated in line with evolving threats.
  • Empower IT Teams: Provide tools for rapid incident response, investigation, and user notification if abuse is detected.
  • Educate All Users: Run frequent phishing simulations and targeted awareness campaigns tailored to new tactics.

Outlook: The Future of Email and Identity Security

As attackers increasingly co-opt trusted infrastructure for malicious purposes, defenders must embrace the reality that no solution is infallible. Anti-phishing technology must evolve beyond static detection and embrace continuous, contextual, and behavior-based analysis. Collaboration between vendors, security researchers, and end-user organizations will be paramount.
Organizations should continually:
  • Monitor for unusual activity linked to protected domains.
  • Report suspected abuses to vendors and information-sharing communities.
  • Treat credential-based attacks as a persistent, systemic threat demanding relentless scrutiny.

Conclusion

The abuse of link-wrapping services by cybercriminals is a stark reminder that even the most secure-seeming features can become vulnerabilities in the wrong hands. By hijacking trusted domains and leveraging social engineering, attackers executed a highly effective campaign targeting Microsoft 365 users. This new tactic signals that defenders can never be complacent—security must be layered, dynamic, and always skeptical, no matter how reputable the wrapper. Only through a blend of advanced technology, relentless monitoring, and vigilant user training can organizations hope to stay one step ahead in the ongoing battle for digital trust.

Source: BleepingComputer, "Attackers exploit link-wrapping services to steal Microsoft 365 logins"