Attackers have found a chillingly effective way to subvert defenses integrated into the heart of enterprise email security. According to new research from Cloudflare, threat actors are actively exploiting “link wrapping” services—offered by reputable vendors like Proofpoint and Intermedia—to cloak malicious content with the appearance of safety. Throughout June and July 2025, a series of observed phishing campaigns leveraged this technique, bypassing traditional scrutiny and targeting Microsoft 365 users with highly deceptive fake login pages. This weaponization of security infrastructure lays bare both the strengths and the latent risks of modern digital trust mechanisms, signaling an urgent need for a paradigm shift in defending against account takeovers.
Source: WinBuzzer Microsoft 365: Attackers Weaponize Proofpoint and Intermedia Link Wrapping to Steal Logins - WinBuzzer
Background: The Evolution of Email Security and Link Wrapping
Email remains the primary vector for targeted attacks and credential theft in enterprise environments. As organizations increased reliance on cloud services such as Microsoft 365, cybercriminals have continually adapted, seeking novel avenues to bypass user awareness and defensive technologies alike.
Understanding Link Wrapping
Link wrapping was developed in response to the rising sophistication of phishing campaigns. Security vendors like Proofpoint and Intermedia introduced this feature to automatically rewrite all URLs in inbound emails. These rewritten URLs point first to the security provider’s domain—for example, urldefense.proofpoint.com—where a real-time scan assesses the destination for threats before redirecting the user. For years, this mechanism bolstered protection by overlaying an additional line of defense between users and potential harm.
Rising Threat: Trust as an Attack Vector
The Achilles’ heel of link wrapping lies in the near-universal trust that users and security tools place in these domains. Wrapped links don’t just strengthen controls against threats—they simultaneously train users to see a familiar security provider domain as a green light. This crucial trust is now being systematically turned against them.
Anatomy of the Attack: How Proofpoint and Intermedia Defenses Are Subverted
The attack chain uncovered by Cloudflare’s security team demonstrates a deep understanding of both technical defenses and human psychology.
Step 1: Compromising Trusted Accounts
Attackers begin by gaining unauthorized access to an email account already protected by Proofpoint or Intermedia. Methods often include prior credential stuffing, password spraying, or exploiting single-sign-on vulnerabilities. Once inside, the threat actors inherit the trust conferred upon internal senders—no spoofing required.
Step 2: Laundering Malicious URLs
With access to an internal account, attackers craft new phishing emails containing links to credential-harvesting pages. However, before the email ever reaches its target—usually a coworker or another organization—it passes through the established link wrapping mechanism. The malicious URL is automatically rewritten to appear as a vetted, trusted Proofpoint or Intermedia link.
Step 3: Multi-Tiered Redirect Obfuscation
Many campaigns amplify confusion and evade detection by introducing layers of obfuscation. Attackers frequently employ public URL shorteners—such as Bitly or TinyURL—before the link is even wrapped. The resulting redirect chain is formidable: a shortened URL, followed by a Proofpoint or Intermedia wrapper, then finally landing on the phishing payload.
Case Studies: Proofpoint and Intermedia Wrapping Abused
Cloudflare’s analysis revealed methodical, patient campaigns exploiting both vendors’ link wrapping features.
Proofpoint: Obfuscated Attacks
In Proofpoint-centric attacks, criminals favored multi-stage redirects. They might impersonate a trusted service—such as a voicemail system or shared Microsoft Teams document. The phishing lure typically presents as a “Listen to Voicemail” or “View Document” prompt. The embedded link, shortened for extra camouflage, is subsequently wrapped by Proofpoint as it moves through the protected network. To the target, it appears as a clean, approved Proofpoint URL, yet clicking it launches a seamless path to a Microsoft 365 credential theft page.
Intermedia: Leaner, Still Lethal
Attacks exploiting Intermedia’s infrastructure are often more direct, but no less effective. A prominent campaign posing as a secure message notification from “Zix” convinces users to click a “View Secure Document” button. This link, rewritten by Intermedia’s service, leads to a phishing page cunningly hosted on a legitimate Constant Contact domain—a further exploitation of platform trust. Other exploits leverage fake Teams messages or Word documents, directly channeling victims to credential harvesting portals.
Exploiting Inherent Trust
The deadliest aspect of these attacks is their internal origin. Since they’re sent from compromised, organizational accounts, both automated scanners and human recipients are conditioned to be less suspicious. Cloudflare’s team documented how the “internal sender” factor dramatically increased the success rate and stealth of phishing campaigns, particularly within Intermedia-protected organizations.
The Bigger Picture: Weaponizing Legitimate Technology
These attacks are not isolated incidents. They exemplify a wider shift, as attackers increasingly harness the credibility of established platforms and security layers to slip past even the savviest enterprises.
The Proliferation of Platform Abuse
- AI-Powered Phishing: Security vendor Okta cited incidents where Vercel’s AI design tools enabled rapid, automated generation of highly convincing phishing websites. Such tools, while intended for benign purposes, make it trivial for attackers to create customized fake login pages in seconds.
- Pentesting Tools Reused: Campaigns like “UNK_SneakyStrike” exploited legitimate penetration testing frameworks—including TeamFiltration—to orchestrate broad-based credential theft, repurposing ethical hacking utilities for illicit gain.
- Cloud Service Exploitation: The EchoLeak vulnerability saw threat actors abuse Microsoft Copilot, turning a productivity tool into a potential data extraction tool.
Lowering the Technical Bar for Attackers
A recurring theme is the commodification of cybercrime. Modern phishing kits, AI content generation tools, and cloud service loopholes have dramatically lowered the barriers to entry. As Microsoft has warned, AI advances are making it “easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.” The upshot is more threat actors—less skilled, but increasingly armed with industry-grade tools.
Why User Training Is No Longer Enough
Historically, enterprise anti-phishing strategy rested heavily on employee vigilance and continuous awareness training. Users were admonished to look for suspicious links, scrutinize unfamiliar domains, and report questionable emails.
Defeating Human and Machine Defenses
Link wrapping attacks fundamentally break this paradigm:
- Visual Deception: Malicious links now carry the visual signature of trusted security brands, nullifying user training that focuses on “hover and inspect” techniques.
- Bypassing Filters: Automated defenses—relying on domain-based blacklists and link heuristics—see only the harmless wrapper, failing to detect the final malicious destination.
- Insider Trust: When the attack arrives from a compromised, internal sender, layers of implicit trust blind both machines and humans.
The Cost of Ineffectiveness
The financial stakes continue to rise. In 2024, the FTC reported that a full quarter of fraud claims involved email as the method of contact, culminating in over $500 million in losses attributed directly to phishing scams. These numbers highlight the acute risks enterprises face as attackers adapt.
Building Resilience: Toward Phishing-Resistant Authentication
To address this new threat landscape, experts increasingly advocate for phishing-resistant authentication. The logic is simple: if users cannot be reliably trained to distinguish dangerous from safe, the system itself must make such attacks technically impossible.
Modern Authentication Technologies
- FIDO2/WebAuthn: These standards use public key cryptography to bind a user’s login to a legitimate domain. Authentication is hardware-backed—typically requiring a security key or biometric device—rendering credential theft futile. Stolen credentials can’t be replayed on a fake site.
- Conditional Access Policies: By tying authentication to device posture, geolocation, and granular risk signals, organizations can further lock down access and challenge suspicious behavior.
- Zero Trust Architectures: Networks must increasingly assume that any user or device—even those inside the perimeter—could be compromised. Strict, contextual checks replace implicit trust.
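To make the FIDO2/WebAuthn bullet above concrete, here is an added Go example, not code from the article or from any vendor, that reproduces the core of the protocol's origin binding using only the standard library's ECDSA. The authenticator signs over authenticatorData plus a hash of clientDataJSON; the browser, not the web page, fills in the origin the user is actually on; and the relying party refuses any assertion whose signed origin is not its own. It simplifies authenticatorData to the rpIdHash alone and leaves out attestation, flags and counters, and the hostnames, rpID and challenge string are constructed placeholders. A real browser would not even offer a credential scoped to login.example on a foreign origin; the code shows the server-side check that stands behind that.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields used here; the browser writes it and the key signs over it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the site after the user touches the key.
type Assertion struct {
	AuthData       []byte // simplified to the 32-byte rpIdHash; real authData adds flags and a counter
	ClientDataJSON []byte
	Signature      []byte
}

// signedMessage is what ES256 actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign mimics the security key. rpID and origin come from the browser, never from the page.
func Sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIDHash[:], cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: rpIDHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying party's check: only a signed clientDataJSON naming this site's own origin and challenge passes.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, expectedOrigin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 32 || !bytes.Equal(as.AuthData[:32], rpIDHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// PhishingScenario reports whether the real site accepted (1) a genuine login, (2) a login made on a
// look-alike site that relayed the real challenge, and (3) that assertion with its origin rewritten.
func PhishingScenario() (genuine, relayed, tampered bool, err error) {
	// Constructed placeholders, not real hosts; a real RP issues fresh random challenge bytes.
	const rpID, realOrigin, phishOrigin = "login.example", "https://login.example", "https://login.example.lookalike.example"
	const challenge = "constructed-challenge-use-random-bytes-in-practice"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	a1, err := Sign(priv, rpID, realOrigin, challenge)
	if err != nil {
		return
	}
	genuine = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, a1) == nil
	// The browser records the phishing origin and the key signs over it, so the real site rejects it.
	a2, err := Sign(priv, rpID, phishOrigin, challenge)
	if err != nil {
		return
	}
	relayed = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, a2) == nil
	// Editing the origin after signing only breaks the signature.
	a3 := a2
	a3.ClientDataJSON = bytes.Replace(a2.ClientDataJSON, []byte(phishOrigin), []byte(realOrigin), 1)
	tampered = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, a3) == nil
	return
}

func main() {
	g, r, t, err := PhishingScenario()
	fmt.Printf("genuine=%v relayed=%v tampered=%v err=%v\n", g, r, t, err)
}
```

Running it prints genuine=true and relayed=false, tampered=false: the same key, the same user and the same challenge still cannot produce a login the real site will accept once the browser has recorded a different origin, which is the property the bullet above calls "binding a user's login to a legitimate domain".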
Integrating with Email Security Solutions
Email security vendors must evolve their approach. The days of “wrap and trust” are over; future-proof solutions should:
- Perform deep, real-time link inspection even after wrapping, following redirect chains and analyzing end destinations.
- Integrate tightly with identity providers to flag suspicious login attempts originating from phishing-identified URLs.
- Build response automation that can isolate or revoke compromised accounts at the first sign of lateral movement or abnormal sending patterns.
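The redirect chain described under Step 3, a wrapped link that resolves to a public shortener and only then to the phishing page, is exactly what the first bullet above asks vendors to follow end to end. The Go program below is an added illustration, not code from Cloudflare, Proofpoint or Intermedia. It resolves a link hop by hop through an injected resolver (a constructed table standing in for live HTTP redirects) and then judges the whole chain rather than the first hop, which is why a wrapper-only check misses it. The Proofpoint hostname urldefense.proofpoint.com comes from the article and the shortener hostnames are those of the Bitly and TinyURL services it names; the .example hosts, the Intermedia wrapper placeholder, the login-page keyword heuristic and the allowlist of approved login hosts are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Wrapper domains (Proofpoint's is named in the article; the Intermedia entry is a
// placeholder, not its real hostname) and the public shorteners the article names.
var wrapperHosts = map[string]bool{
	"urldefense.proofpoint.com":  true,
	"wrapper.intermedia.example": true, // placeholder
}
var shortenerHosts = map[string]bool{"bit.ly": true, "tinyurl.com": true}

// Resolver returns the next hop for a URL, or "" when the URL is the final page.
// In production it would issue a request and read the Location header; injecting
// it keeps the analysis offline and testable.
type Resolver func(u string) string

// Finding is the verdict for one link found in a message.
type Finding struct {
	Chain   []string // every URL visited, starting with the one in the message
	Final   string   // where the user would actually land
	Reasons []string // empty means nothing suspicious was seen
}

const maxHops = 10

func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// looksLikeLoginPage is a deliberately crude heuristic on the final URL's path and
// query; a real deployment would render the page and inspect its forms instead.
func looksLikeLoginPage(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	s := strings.ToLower(u.Path + "?" + u.RawQuery)
	for _, kw := range []string{"login", "signin", "auth", "password", "verify"} {
		if strings.Contains(s, kw) {
			return true
		}
	}
	return false
}

// AnalyzeChain follows a link to its end and judges the whole chain instead of trusting
// the first hop. allowedLoginHosts are the only hosts where users should ever be asked
// for their Microsoft 365 credentials.
func AnalyzeChain(start string, resolve Resolver, allowedLoginHosts map[string]bool) (Finding, error) {
	f := Finding{Chain: []string{start}}
	seen := map[string]bool{start: true}
	cur := start
	for next := resolve(cur); next != ""; next = resolve(cur) {
		if len(f.Chain) >= maxHops {
			return f, errors.New("redirect chain exceeds maxHops; treat as suspicious")
		}
		if seen[next] {
			return f, errors.New("redirect loop")
		}
		seen[next] = true
		f.Chain = append(f.Chain, next)
		cur = next
	}
	f.Final = cur
	// A security wrapper whose "vetted" destination is itself a public shortener.
	for i := 0; i+1 < len(f.Chain); i++ {
		if wrapperHosts[hostOf(f.Chain[i])] && shortenerHosts[hostOf(f.Chain[i+1])] {
			f.Reasons = append(f.Reasons, "security wrapper redirects to a public URL shortener")
			break
		}
	}
	// Deep chains are an obfuscation signal in their own right.
	if hops := len(f.Chain) - 1; hops > 2 {
		f.Reasons = append(f.Reasons, fmt.Sprintf("redirect chain has %d hops", hops))
	}
	// A credential prompt anywhere other than an approved login host.
	if host := hostOf(f.Final); looksLikeLoginPage(f.Final) && !allowedLoginHosts[host] {
		f.Reasons = append(f.Reasons, "final page asks for credentials on unapproved host "+host)
	}
	return f, nil
}

// Constructed redirect table standing in for live HTTP responses; the .example hosts
// are placeholders, not real campaign infrastructure.
var constructedRedirects = map[string]string{
	"https://urldefense.proofpoint.com/v2/url?u=encoded-shortener-link":  "https://bit.ly/voicemail-xyz",
	"https://bit.ly/voicemail-xyz":                                      "https://files-share.example/voicemail",
	"https://files-share.example/voicemail":                             "https://m365-signin.example/login",
	"https://urldefense.proofpoint.com/v2/url?u=encoded-sharepoint-link": "https://sharepoint.example/sites/finance/report.xlsx",
}

func main() {
	resolve := func(u string) string { return constructedRedirects[u] }
	allowed := map[string]bool{"login.microsoftonline.com": true}
	for _, link := range []string{
		"https://urldefense.proofpoint.com/v2/url?u=encoded-shortener-link",
		"https://urldefense.proofpoint.com/v2/url?u=encoded-sharepoint-link",
	} {
		f, err := AnalyzeChain(link, resolve, allowed)
		fmt.Printf("%s\n  hops=%d final=%s reasons=%v err=%v\n", link, len(f.Chain)-1, f.Final, f.Reasons, err)
	}
}
```

Both sample links begin at the same Proofpoint wrapper host, so a filter that stops at the first hop rates them identically; following the chain separates the voicemail lure (three hops, a shortener behind the wrapper, and a credential prompt on an unapproved host) from the plain SharePoint document. The loop and hop-count guards matter in practice because attacker-controlled redirectors can otherwise stall the scanner.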
Critical Analysis: Strengths and Weaknesses of Link Wrapping Defenses
What Works
- Deterrence Against Simple Phishing: Link wrapping remains effective against basic, “drive-by” malware campaigns and well-known malicious domains.
- Inline Protection: By scanning all user clicks in real-time, these solutions add a crucial layer of dynamic threat assessment, particularly valuable in fast-changing threat environments.
Where Risks Lurk
- Over-Reliance on Brand Trust: The most significant weakness is the generalized trust users and systems place in wrapped domains. This creates a single point of failure that can be devastating when exploited.
- Evasion via Internal Compromise: Once attackers gain access to internal accounts, even the best perimeter filtering fails. The attack then travels along trusted, internal pathways straight to its victims.
- Contradictory Outcomes: As security technology becomes more opaque—removing visual signals and abstracting threats away from end-users—it can produce the paradoxical effect of weakening, rather than strengthening, human vigilance.
The Road Ahead: Best Practices and Recommendations
The attacks leveraging Proofpoint and Intermedia link wrapping serve as a wakeup call. Defenders must abandon binary thinking about defense-in-depth and confront the inherently dynamic nature of risk.
Immediate Steps for Organizations
- Audit Internal Account Security: Ensure multifactor authentication (MFA) is universally enforced—preferably using phishing-resistant methods like FIDO2 keys.
- Monitor for Compromised Senders: Strengthen detection of abnormal internal email activity, and implement rapid response mechanisms for automatic account lockdown.
- Demand Deeper Link Analysis: Engage with email security vendors to confirm that their solutions track the full redirect chain and flag suspicious patterns, not simply trust wrapped URLs.
- Educate with Context: Update security awareness programs to reflect that not all wrapped or internal links are benign; emphasize behavioral red flags and unusual requests.
- Progress Toward Zero Trust: Rethink network and application access. Assume compromise and continuously interrogate identity, device, and contextual trust signals.
Strategic, Long-Term Defenses
- Embrace Passwordless Models: Shift toward authentication flows that do not depend on shared secrets susceptible to phishing.
- Collaborate on Threat Intelligence: Share and consume data on link wrapping abuse and multi-stage phishing infrastructure, enabling rapid response across the ecosystem.
- Foster Vendor Accountability: Advocate for higher transparency into how link wrapping and similar features process and monitor inbound, internal, and redirected traffic.
Conclusion
The exploitation of Proofpoint and Intermedia link wrapping in phishing campaigns marks a pivotal innovation in the arms race between attackers and defenders. What was once a robust shield is now, in the wrong hands, a significant vulnerability—one that exposes the complex interplay between trust, technology, and human behavior. As threat actors continue to blend automation, social engineering, and technical subterfuge, organizations can no longer rely on static defenses or outdated user training paradigms. Only by embracing holistic, resilient approaches—anchored in phishing-resistant authentication and adaptive, transparent security infrastructure—can enterprises regain the upper hand and truly secure their modern digital environments.