Cybercriminals are finding new ways to bypass traditional defenses—this time by turning trusted security tools into phishing weapons. Recent reports from Cloudflare’s Email Security team have shed light on an alarming new phishing strategy where attackers abused link-wrapping services from reputable tech companies, including Proofpoint and Intermedia, to trick users into giving up their Microsoft 365 login credentials.
How Link-Wrapping Was Hijacked for Phishing
Link-wrapping is a security feature commonly used by email security providers. It replaces a hyperlink in an email with a trusted domain that first scans the destination before forwarding the user. This is intended to prevent users from reaching harmful websites. However, in June and July, attackers cleverly exploited this feature to do exactly the opposite.
Here’s what happened: the attackers gained unauthorized access to email accounts protected by Proofpoint and Intermedia. From there, they sent phishing emails containing malicious links, which were first shortened and then automatically wrapped in the security layers of these trusted platforms. This clever misuse made the phishing links appear legitimate and secure, effectively bypassing the scrutiny of both users and some automated filters.
What Victims Saw: Voicemails and Teams Messages
To lure victims, the attackers used social engineering tactics like fake voicemail alerts, shared Microsoft Teams documents, and Zix secure message notifications. In each case, the email appeared professional and believable, but clicking on any of the links led users to spoofed Microsoft 365 login pages.
In the case of Intermedia abuse, the emails pretended to be official messages, but the URLs redirected users to phishing pages hosted on Constant Contact, a legitimate digital marketing platform. In other cases, clicking on a reply link would silently redirect the user through multiple layers before landing on a credential-harvesting Microsoft login clone.
Why This Matters
What makes this technique so dangerous is that trusted services were leveraged against users, turning protective mechanisms into weapons. It underscores the increasing sophistication of modern phishing attacks and the importance of verifying the true destination of links—even if they appear to come from a reputable source.
Conclusion
This latest wave of phishing attacks highlights a critical vulnerability in today’s digital security ecosystem. As attackers continue to innovate, security professionals must adapt quickly—ensuring link-wrapping services are monitored, access controls are tightened, and users are trained to recognize even the most subtle red flags. The misuse of trusted platforms reminds us that security features can be double-edged swords if not carefully managed and constantly reviewed.
