Attackers Abuse Link-Wrapping Services to Steal Microsoft 365 Credentials

Attackers hijack Proofpoint and Intermedia link-wrapping to hide Microsoft 365 phishing pages, using compromised protected accounts to harvest login credentials.

    Cybercriminals have adopted a new twist on credential theft, exploiting legitimate link-wrapping features in enterprise email security and communication platforms to deliver convincing Microsoft 365 phishing pages. The campaign, active from June through July, leveraged compromised accounts protected by trusted services to “launder” malicious URLs and evade detection.

    Phishing URLs legitimized through abused link rewriting services

    Email security tools often rewrite (wrap) URLs in inbound messages so clicks are routed through a trusted intermediary for scanning. In this case, the threat actor gained unauthorized access to accounts guarded by Proofpoint and Intermedia and used their link-wrapping mechanisms to mask the final destination. The attacker further concealed intent by shortening malicious URLs before sending them; the wrapped addresses then appeared to originate from legitimate, protected domains.

    Cloudflare’s Email Security team, which analyzed the campaign, said the abuse was multi-layered.

    “Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” the researchers explained.

    “The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping.”
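
A mail-pipeline triage check for the pattern described above, as an added example that is not from the article or from Cloudflare: it unwraps Proofpoint URL Defense links offline and flags those whose inner destination is a URL shortener. It assumes Proofpoint's v2 and v3 wrapped-URL encodings (not described in the article), uses an illustrative shortener list, and runs on constructed sample URLs; Intermedia's wrapped links are not decoded here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed, illustrative shortener list; replace with your own feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
WRAP_HOSTS = {"urldefense.com", "urldefense.proofpoint.com"}
V3 = re.compile(r"/v3/__(?P<url>.+?)__;")

def unwrap(url):
    """Return the inner destination of a Proofpoint-wrapped URL, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WRAP_HOSTS:
        return None
    if parts.path.startswith("/v2/"):
        u = parse_qs(parts.query).get("u", [None])[0]
        # v2 encodes '/' as '_' and '%XX' as '-XX'.
        return unquote(u.translate(str.maketrans("-_", "%/"))) if u else None
    m = V3.search(url)
    if not m:
        return None
    # v3 can collapse "://" to ":/"; restore it. '*' placeholders in the
    # path or query are left as-is because only the host matters here.
    return re.sub(r"^([a-z][a-z0-9+.-]*:/)(?=[^/])", r"\1/",
                  m.group("url"), flags=re.I)

def triage(url, max_depth=5):
    """Peel nested wrappers without any network access; return (inner_url, verdict)."""
    inner, depth = url, 0
    while depth < max_depth:
        nxt = unwrap(inner)
        if nxt is None:
            break
        inner, depth = nxt, depth + 1
    if depth == 0:
        return inner, "not-wrapped"
    host = (urlsplit(inner).hostname or "").lower()
    return inner, "wrapped-shortener" if host in SHORTENERS else "wrapped"

# Constructed sample links (tokens and paths are placeholders).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPle&d=CONSTRUCTED",
    "https://urldefense.com/v3/__https:/tinyurl.com/constructed__;!!CONSTRUCTED$",
    "https://urldefense.com/v3/__https://example.com/report.pdf__;!!CONSTRUCTED$",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

A `wrapped-shortener` verdict means the wrapper's domain reputation says nothing about the final landing page, so the message is a candidate for sandboxed redirect resolution or quarantine.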

    Social engineering lures led victims to credential-harvesting pages

    The malicious messages used plausible business lures. In the campaign targeting Intermedia users, emails impersonated secure message notifications—claiming to be from services like “Zix”—or mimicked Microsoft Teams alerts about newly received content. Recipients were directed via the wrapped link to intermediary pages (including spoofed marketing or document platforms), and ultimately to a fake Microsoft Office 365 login page designed to collect their credentials when they clicked “reply” or tried to access the alleged content.

    By embedding the phishing flow behind the veneer of trusted link-wrapping domains, the attackers increased their success rate and reduced immediate suspicion from both recipients and automated filters.

    Emerging trend: legitimate infrastructure repurposed for stealthy credential theft

    Abusing reputable services to carry malicious traffic is not novel, but weaponizing link-wrapping security features in this way is a relatively recent escalation. The technique turns protective mechanisms—meant to safeguard users—into camouflage that shields phishing endpoints until after the user has engaged.

    The campaign underscores a broader risk for enterprises relying on layered email security: compromise of the very accounts those layers are designed to defend can invert the trust model, making wrapped URLs appear safe even as they shepherd victims into credential-stealing traps.
