Ethical Hacking News
Attackers are exploiting link-wrapping services used by reputable companies to steal Microsoft 365 logins through sophisticated phishing attacks. The malicious activity highlights the continuous need for vigilance in cybersecurity measures.
Attackers are exploiting reputable technology companies' link-wrapping services to steal sensitive information. Malicious activity involves using legitimate services to mask phishing links that lead to Microsoft 365 pages designed to collect login credentials. Threat actors abused URL security features offered by Proofpoint and Intermedia to legitimize phishing URLs. The attackers used an obfuscation layer to shorten their malicious links, which were then wrapped with the URL security feature provided by these services. Victims were often lured into phishing attacks with fake notifications, leading to successful attacks on Microsoft Office 365 accounts.
In recent months, a disturbing trend has emerged in the world of cybersecurity. Attackers have been exploiting link-wrapping services offered by reputable technology companies to steal sensitive information from unsuspecting victims. This malicious activity involves using these legitimate services to mask phishing links that lead to Microsoft 365 pages designed to collect login credentials.
At the heart of this problem lies a feature known as URL security, which is commonly employed by cybersecurity firms and cloud communications companies. These services provide an additional layer of protection for email recipients by rewriting URLs in messages to point to trusted domains and passing them through a scanning server that aims to block malicious destinations. However, attackers have found ways to exploit this very same feature for their nefarious purposes.
One notable example of such exploitation was seen with the use of link-wrapping services from both Proofpoint and Intermedia. These companies offer email security services that include this URL security feature, which has been targeted by threat actors in various campaigns between June and July 2025. By abusing these services, attackers were able to legitimize phishing URLs and increase their chances of successful attacks on Microsoft 365 accounts.
The attack vector used in these campaigns was quite sophisticated. After obtaining unauthorized access to email accounts protected by link-wrapping services from Proofpoint and Intermedia, the attackers added an obfuscation layer to their malicious links. This involved shortening the links before sending them from a protected account, so that the service automatically wrapped them with its URL security feature.
When a victim received such an email, they were often lured in with fake notifications claiming to be for voicemail or shared Microsoft Teams documents. At the end of this redirect chain was a Microsoft Office 365 phishing page designed to collect login credentials. In one instance where the Intermedia link-wrapping abuse was observed, the attacker impersonated a communication from Microsoft Teams, informing the victim that they had received a new message.
The attackers effectively used these legitimate services to disguise their malicious destinations and increase the success rate of their phishing attacks. This strategy underscores how threat actors continually seek ways to exploit existing security measures to their advantage.
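For defenders, the chain described above (wrapped link, then a shortener, then a page that is not a Microsoft sign-in host) can be checked in redirect chains recorded by a proxy or URL sandbox. The following Python sketch is an added example, not code from the article or from either vendor; the host lists and sample chains are constructed assumptions and must be replaced with the rewrite domains and shorteners seen in your own environment.

```python
from urllib.parse import urlsplit

# Assumed lists for illustration: replace with the rewrite domains your
# mail-security vendor uses and the shorteners present in your own logs.
WRAPPER_HOSTS = {"urldefense.proofpoint.com", "wrap.mailsec.example"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
MS_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if none can be parsed."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def in_set(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def assess_chain(hops):
    """Classify one redirect chain (URLs in the order they were followed)."""
    hosts = [host_of(u) for u in hops]
    wrapped = bool(hosts) and in_set(hosts[0], WRAPPER_HOSTS)
    shorteners = [h for h in hosts[1:] if in_set(h, SHORTENER_HOSTS)]
    landing = hosts[-1] if hosts else ""
    off_ms = not in_set(landing, MS_SIGNIN_HOSTS)
    return {
        "wrapped": wrapped,
        "shortener_behind_wrapper": wrapped and bool(shorteners),
        "landing_host": landing,
        # Pattern from the article: wrapper -> shortener -> non-Microsoft page.
        "suspicious": wrapped and bool(shorteners) and off_ms,
    }


# Constructed sample chains (not real indicators).
SAMPLE_CHAINS = {
    "voicemail-lure": [
        "https://urldefense.proofpoint.com/constructed-wrapped-link",
        "https://bit.ly/constructed1",
        "https://m365-signin.phish.example/login",
    ],
    "normal-newsletter": [
        "https://urldefense.proofpoint.com/constructed-wrapped-link",
        "https://news.vendor.example/august",
    ],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, assess_chain(chain))
```

A wrapped link that resolves through a shortener is a triage signal rather than a verdict, since legitimate senders also use shorteners; the landing host is returned so an analyst can review it.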
This development is part of a broader pattern where attackers abuse legitimate services to deliver malicious payloads. However, the specific use of link-wrapping security features represents a new twist in the phishing scene. As cybersecurity awareness and defenses continue to evolve, it will be crucial for users and organizations alike to stay informed about emerging threats like these.
Related Information:
https://www.ethicalhackingnews.com/articles/Abusing-Link-Wrapping-Services-The-Rise-of-Microsoft-365-Phishing-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/attackers-exploit-link-wrapping-services-to-steal-microsoft-365-logins/
Published: Sun Aug 3 18:18:12 2025 by llama3.2 3B Q4_K_M