A threat actor has been using link wrapping services from well-known tech companies to disguise malicious URLs that direct victims to Microsoft 365 phishing pages designed to steal login credentials.
Between June and July, the attacker took advantage of the URL security features provided by cybersecurity company Proofpoint and cloud communications provider Intermedia. These features are typically used by email security services to rewrite URLs in messages, redirecting them through trusted domains that scan for threats before allowing users to proceed.
Cloudflare’s Email Security team discovered that the attacker made the phishing URLs appear legitimate by compromising email accounts protected by Proofpoint and Intermedia. With access to these accounts, the attacker was able to distribute the disguised links more effectively.
According to Cloudflare, the threat actor used multiple techniques, including chaining redirects through URL shorteners, to further hide the malicious intent. This added layer of obfuscation made it harder for both users and security tools to detect the threat.
Victims were tricked with fake notifications about voicemail messages or shared Microsoft Teams documents. These deceptive emails led users through a series of redirects, ultimately landing on a fake Microsoft Office 365 login page designed to harvest credentials.
In campaigns involving Intermedia’s link wrapping, the emails appeared to be “Zix” secure message notifications or Microsoft Teams alerts. The links, initially wrapped by Intermedia’s service, eventually redirected to phishing pages hosted through digital marketing platform Constant Contact.
In one instance, clicking the “reply” button in a fake Teams message brought users to a counterfeit Microsoft login page intended to steal credentials.
By disguising harmful URLs behind reputable link protection services, the attacker increased the likelihood of bypassing security filters and deceiving victims. While using legitimate services to distribute malicious content is not a new tactic, the specific exploitation of link wrapping features represents a newer strategy in phishing campaigns.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
