An alarming new wave of cybercrime has emerged, leveraging the very security tools designed to shield organizations from harm. Recent research reveals that phishing actors are now abusing link-wrapping and URL-rewriting services—trusted pillars of enterprise email protection—to sneak malicious links past even the most robust defenses and steal Microsoft 365 credentials on a massive scale. By turning protective mechanisms into vectors of attack, these criminals have once again raised the stakes in the digital security arms race, casting doubt on long-standing trust in automated email threat detection.

Background

The ongoing battle between cybercriminals and defenders has seen a constant tug-of-war of tactics, with attackers regularly finding novel ways to bypass advanced security measures. For over a decade, organizations have leaned on comprehensive email security solutions such as Proofpoint, Cloudflare Area 1, Intermedia, Cisco, Sophos, and others to filter dangerous messages and flag suspicious links before they reach user inboxes. Among the most powerful features are URL-rewriting and link-wrapping: services that replace original links in emails with scanned, protected versions, allowing real-time checking against malicious destinations at click time.
But as this new campaign demonstrates, security technologies can be a double-edged sword. Crime groups have adapted, using compromised accounts and legitimate forwarding to ensure their phishing payloads are processed—and even proactively whitelisted—by platforms meant to defend users.

Anatomy of the Attack

Step-by-Step Tactics Revealed

The latest phishing operation involves a sophisticated multi-step approach that demonstrates both patience and technical expertise:
  • Compromising Email Accounts
    Attackers first gain access to legitimate mailboxes, often through previously successful phishing or via purchase on the dark web. These compromised accounts are already secured—or appear so—by trusted email security providers.
  • Link Shortening and Wrapping
    The attackers shorten their malicious URLs using common services (such as Bitly or TinyURL) to obscure the target destination. Then, these new links are embedded within phishing emails sent from the compromised accounts.
  • Security Service Wrapping
    As the emails travel through defenses like Proofpoint or Intermedia, the links are automatically rewritten to point to secured, trusted domains managed by these services. This process ordinarily scans for cyber threats and blocks known malicious domains, but in this case it effectively “endorses” the enclosed link because the immediate redirection checks pass.
  • Delivery and Deceptive Appearance
    The result is an email containing a trustworthy-appearing URL pointing to a security provider’s domain—often with language suggesting voicemail alerts, document shares, encrypted messages from brands like Zix, or Microsoft Teams notifications. Traditional security systems, seeing the link rewritten to a reputable provider, allow the message through.
  • Final Phishing Payload
    When the user clicks, the wrapped URL faithfully redirects to a phishing page: a meticulously forged Microsoft 365 login, indistinguishable from the real thing. Users, conditioned to trust such links, may unwittingly provide corporate credentials directly to attackers.

Weaponizing Trust and Familiarity

What sets this campaign apart is the way it weaponizes the trust that users and systems have in providers like Proofpoint or Sophos. Crafty subject lines (“Neue Voicemail”, “Safe document for calling”, “New message in Microsoft Teams”) exploit the expectation that corporate communications channeled through these wrappers must be safe. Attackers further enhance believability by spoofing notification formats or referencing secure messaging brands already prevalent in enterprise settings.

Abuse of Security Infrastructure

Turning Protection into Vulnerability

The link-rewriting model was not only designed as a shield but as a dynamic system to stay ahead of evolving threats. Unfortunately, its openness—especially when combined with compromised internal accounts—makes it susceptible to creative abuse:
  • Forwarding Chains: Attackers exploit open forwarding rules or self-compromise to ensure emails traverse security services in a way that guarantees URL rewriting.
  • Automated Whitelisting: Since many organizations whitelist their security provider’s domains at multiple layers (gateway, endpoint, SIEM integration), phishing emails bearing these links are routinely delivered without suspicion.
  • Multiple Services Abused: According to Proofpoint and other vendors, attackers are not targeting one service but several—including industry leaders—broadening the range of affected organizations.

Why Traditional Defenses Fail

Conventional email filtering relies on static blocklists, sandboxing, and heuristic scans for known payloads. However, the routes attackers use—wrapping legitimate (albeit eventually redirecting) links, embedding those within scanned, trusted domains—create a smokescreen that most filters cannot penetrate without introducing high rates of false positives or operational disruption.

The Illusion of Safety: Deceptive UX and Exploited Brands

Realistic Phishing Pages

Upon clicking, users are presented with counterfeit Microsoft 365 login pages crafted down to the smallest detail. These sites mimic not only Microsoft’s branding but also session flow—requesting multifactor authentication, displaying organization-specific imagery, and using localized languages depending on the intended victim.

Familiar Communication Themes

The campaign deploys psychological triggers proven to prompt quick action:
  • Voicemail Notification: “Neue Voicemail” or “You have a new voicemail from [Contact].”
  • Document Sharing: “Safe document for calling,” invoking urgency and familiarity.
  • Collaborative Tools: “New message in Microsoft Teams,” leveraging near-universal usage of Teams in professional settings.
  • Secure Messaging References: “You have a secure ZIX message,” piggybacking on the reputation of established encryption vendors.
Each of these tropes is selected with care to maximize the likelihood of a click and to justify the need for entering user credentials.

Proofpoint and Industry Response

Vendor Acknowledgement and Mitigation

After researchers publicized the abuse of link-wrapping technologies, Proofpoint, a major player in this space, provided a transparent, detailed statement acknowledging the threat. The company confirmed that attackers are exploiting “URL extensions and URL protection features in phishing campaigns.” They noted that they have observed these techniques across several vendors, not just within their own services.
Key Points from the Statement:
  • Proofpoint’s AI-powered engines now employ behavioral analysis to detect anomalous patterns, such as legitimate domains redirecting to first-time-seen destinations after traversing forwarding chains.
  • When any recipient—Proofpoint customer or not—reports or triggers a block of the final malicious destination, the end URL is retroactively blocked for all users caught in the forwarding loop.
  • The company asserts that it is possible to disrupt entire attack chains at scale when the destination, not just the wrapper, is blacklisted.

Challenges in Real-Time Blocking

One of the fundamental difficulties is that URL-rewriting and link-wrapping operate with the intent of scan-at-click—the assumption that redirection targets will always remain consistent and predictable. Attackers exploit timing windows, rapidly switching URL resolution or only activating malicious content after delivery, outpacing standard scan cycles. Proofpoint and its peers continue to augment AI and behavioral analytics, but the sophistication of attackers raises concerns about how quickly defenses can pivot.

Wider Security Implications for Enterprises

Rethinking Trust in Automated Defenses

Organizations have long relied on the set-and-forget approach provided by security service integrations. Whitelisting the domains of trusted providers is a norm, as it reduces operational friction and false alarms. However, this incident demonstrates that over-reliance on secondary URL filtering or “trusted” wrappers generates a new blind spot—one now fully leveraged by determined adversaries.

IT Admin Recommendations

Security teams are urged to respond with:
  • Re-evaluation of Whitelists: Remove unconditional whitelisting for security provider domains, instead using context-dependent rules.
  • Layered Verification: Ensure other forms of security (such as multifactor authentication, endpoint monitoring, and user behavior analytics) operate independently of email filtering vendor trust.
  • Employee Education: Reinforce that even security-wrapped URLs and familiar notification formats may be false, especially when prompting credential entry or account action.
  • Incident Response Drills: Conduct regular “red team” engagements simulating wrapped-link phishing to uncover process and detection weaknesses.
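The detection idea in Proofpoint's statement (a trusted wrapper domain redirecting, after a forwarding chain, to a destination never seen before) and the "context-dependent rules instead of unconditional whitelisting" recommendation above both come down to the same control: judge a wrapped link by where the redirect chain ends, not by the domain the user sees. The script below is an added illustration of that control; it is not code from the article or from any vendor named in it. It extracts URLs from a message body, follows each hop through a resolver callable, and classifies the final destination. All domains (`urlprotect.example`, `short.example`, `m365-verify-login.example`, and the rest) and the message body are constructed placeholders, and the resolver is an in-memory map standing in for HTTP requests made with redirects disabled, so the example runs offline. Redirect loops and over-long chains are treated as an unresolved edge case and sent to review rather than allowed.

```python
"""Triage wrapped email links by their final redirect destination.

Added example (not the article's or any vendor's code). The resolver used
below is a constructed offline map; in production it would issue a request
with redirects disabled and return the Location header, or None for a
terminal page.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

# Placeholder domain sets, constructed for this example. Replace with the
# wrapper and shortener domains that actually appear in your mail flow.
WRAPPER_DOMAINS = {"urlprotect.example", "safelinks.example"}
SHORTENER_DOMAINS = {"short.example", "tiny.example"}
TRUSTED_FINAL_DOMAINS = {"login.microsoftonline.com", "sharepoint.com"}
MAX_HOPS = 8

URL_RE = re.compile(r"https?://[^\s<>\"']+")
Resolver = Callable[[str], Optional[str]]


@dataclass
class Verdict:
    verdict: str                      # "allow", "review" or "block"
    chain: list[str]                  # every hop, submitted URL first
    reasons: list[str] = field(default_factory=list)

    @property
    def final_host(self) -> str:
        return host_of(self.chain[-1])


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_domains(host: str, domains) -> bool:
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap(url: str, resolve: Resolver, max_hops: int = MAX_HOPS):
    """Follow redirects; return (chain, True) on a terminal page, (chain, False)
    when the chain loops or exceeds max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, True
        chain.append(nxt)
        if nxt in seen:
            return chain, False
        seen.add(nxt)
    return chain, False


def triage(url: str, resolve: Resolver, seen_before, known_bad=frozenset()) -> Verdict:
    chain, terminated = unwrap(url, resolve)
    hosts = [host_of(u) for u in chain]
    if not terminated:
        return Verdict("review", chain, ["redirect chain did not terminate (loop or too many hops)"])
    final = hosts[-1]
    # The wrapper's reputation is irrelevant; only the last hop is judged.
    if in_domains(final, known_bad):
        return Verdict("block", chain, ["final destination on blocklist"])
    if in_domains(final, TRUSTED_FINAL_DOMAINS):
        return Verdict("allow", chain, ["final destination is a trusted domain"])
    reasons = []
    via_wrapper = any(in_domains(h, WRAPPER_DOMAINS) for h in hosts[:-1])
    via_shortener = any(in_domains(h, SHORTENER_DOMAINS) for h in hosts[:-1])
    first_seen = final not in seen_before
    if via_wrapper:
        reasons.append("link passed through a security wrapper")
    if via_shortener:
        reasons.append("link passed through a URL shortener")
    if first_seen:
        reasons.append(f"final host never seen before: {final}")
    if via_shortener and first_seen:      # the pattern described in the article
        return Verdict("block", chain, reasons)
    if via_shortener or first_seen:
        return Verdict("review", chain, reasons)
    return Verdict("allow", chain, reasons or ["final host previously seen"])


def triage_body(body: str, resolve: Resolver, seen_before, known_bad=frozenset()):
    urls = [u.rstrip(".,;)>") for u in URL_RE.findall(body)]
    return [triage(u, resolve, seen_before, known_bad) for u in urls]


# Constructed redirect map standing in for live HTTP lookups.
_HOPS = {
    "https://urlprotect.example/v2/?u=https%3A%2F%2Fshort.example%2Fabc": "https://short.example/abc",
    "https://short.example/abc": "https://m365-verify-login.example/auth",
    "https://safelinks.example/?url=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fhr": "https://contoso.sharepoint.com/sites/hr",
    "https://tiny.example/loop": "https://short.example/loop",
    "https://short.example/loop": "https://tiny.example/loop",
}


def demo_resolve(url: str) -> Optional[str]:
    return _HOPS.get(url)


# Constructed message body mimicking the lure themes the article lists.
SAMPLE_BODY = (
    "Neue Voicemail from +1 (555) 010-0100\n"
    "Listen: https://urlprotect.example/v2/?u=https%3A%2F%2Fshort.example%2Fabc\n"
    "HR shared a file: https://safelinks.example/?url=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fhr\n"
    "Unsubscribe: https://tiny.example/loop\n"
)

if __name__ == "__main__":
    for v in triage_body(SAMPLE_BODY, demo_resolve, seen_before=set()):
        print(f"{v.verdict:6} {v.final_host:30} {'; '.join(v.reasons)}")
```

The `seen_before` set is where the "first-time-seen destination" signal lives: feed it the final hosts your users have clicked in the past, and a wrapper link that suddenly lands somewhere new after passing a shortener is blocked while an unwrapped link to a known SharePoint tenant is allowed. Running the resolver with redirects disabled and a hop cap matters because a chain that never terminates would otherwise let a scanner hang or be bounced back to the wrapper indefinitely.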

The Evolving Arms Race: Defender Innovation vs. Adversarial Ingenuity

Leveraging AI and Machine Learning

Both sides of the cyber conflict are investing heavily in artificial intelligence. Security providers are implementing AI-backed behavioral analysis, tracking not only the URLs but also patterns such as “never-before-seen redirection chains,” anomalous account sending histories, and time-based link mutations.
Conversely, cybercriminals increasingly rely on automation and AI themselves, rapidly cycling through thousands of redirectors, generating convincing phishing templates, and optimizing for windows of vulnerability before detection and takedown.

Integration with Cloud Platforms

Given the campaign’s focus on Microsoft 365, cloud security posture management (CSPM) tools are essential. These can detect anomalous successful logins, credential stuffing, and atypical OAuth permission grants—even after a phishing compromise occurs. However, detection only after the fact does little to stem initial data loss or business disruption.

Risks Beyond Credential Theft: Secondary Threats

From Phishing to Full Compromise

Stolen credentials harvested in these campaigns are often sold or used for:
  • Enterprise ransomware deployment
  • Business email compromise (BEC)
  • Lateral phishing (using one compromise to access others)
  • Data exfiltration and industrial espionage
The downstream consequences of a single successful phishing breach can include lost revenue, regulatory fines, reputational damage, and even prolonged downtime.

The Problem with Open Redirects

Attackers are not strictly reliant on service provider forwarding. The abuse of open redirects—where domains forward traffic without validation—remains a pressing concern. Combining open redirects with link wrapping further complicates efforts to trace and block attack chains in real time.

Key Takeaways and Future Outlook

Lessons for Defenders

  • No Technology Is Infallible: Every security mechanism can be subverted by determined adversaries. Blind trust in any one layer is a recipe for future breaches.
  • Zero Trust Should Extend to Email: Organizations should treat every inbound message—even those bearing URLs from security providers—as potentially hostile until independently verified.
  • Security Posture Is a Moving Target: The very tools that once provided effective protection can become the conduit for compromise. Regular audits, red teaming, and a dynamic approach to filtering are essential.

The Outlook for Phishing Defense

The latest abuse of link-wrapping and URL-rewriting by phishing actors represents a tipping point. Security providers now recognize that transparency, rapid AI adaptation, and inter-vendor collaboration are vital. Meanwhile, enterprises must double down on user training, defense in depth, and assuming compromise as a matter of “when,” not “if.”
As cybercrime continues its relentless evolution, the security community’s greatest asset is agility—the ability to question old assumptions and refine both technology and process on a continual basis.

Organizations and individuals alike must recognize that trust, when misplaced in automation, can be exploited at scale. By remaining vigilant and proactive, defenders can not only counter today’s phishing campaigns, but also set the stage for a more resilient, adaptive email security landscape.

Source: Research Snipers, “Phishing Campaign Abuses Link-Wrapping Services to Steal Microsoft 365 Credentials”