A hacker group has been exploiting trusted link-wrapping services from companies like Proofpoint and Intermedia to conceal phishing links targeting Microsoft 365 login details. These campaigns, active from June to July, manipulated security features designed to scan and block malicious URLs. By compromising protected email accounts, the attackers disguised harmful links as legitimate wrapped URLs, bypassing security checks.
Cloudflare researchers found that the hackers used multi-layered redirects, first shortening malicious links before wrapping them via compromised accounts. Victims were tricked with fake alerts for voicemails or shared Microsoft Teams files, ultimately landing on phishing pages stealing credentials. In some cases, the attackers impersonated secure message notifications from Zix or Microsoft Teams, redirecting users to fraudulent Constant Contact-hosted pages.
This tactic of weaponizing trusted security services to mask phishing links marks a new evolution in credential theft schemes. While abusing legitimate platforms isn’t new, exploiting link-wrapping features highlights an emerging threat in email-based attacks.
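For defenders, the shortened-then-wrapped chain described above can be checked at triage time by decoding the wrapped link and inspecting what it points to. The following is an added example, not code from Cloudflare or the vendors named here; it assumes the Proofpoint URL Defense v2 encoding only (`urldefense.proofpoint.com/v2/url?u=...`), and the shortener hostnames and sample links are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: only the Proofpoint URL Defense v2 wrapper format is handled.
WRAPPER_HOST = "urldefense.proofpoint.com"
# Placeholder shortener hosts (constructed); replace with the list your
# organisation actually tracks.
SHORTENER_HOSTS = {"short.example", "tiny.example"}

# v2 encodes the target in "u": '-' stands for '%' and '_' stands for '/'.
_V2_TRANS = str.maketrans("-_", "%/")


def unwrap_v2(url):
    """Return the inner URL of a v2-wrapped link, or None if not wrapped."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != WRAPPER_HOST or parts.path != "/v2/url":
        return None
    values = parse_qs(parts.query).get("u")
    if not values:
        return None
    return unquote(values[0].translate(_V2_TRANS))


def classify(url):
    """Label a link: 'not-wrapped', 'wrapped', or 'wrapped-shortener'."""
    inner = unwrap_v2(url)
    if inner is None:
        return "not-wrapped"
    inner_host = (urlsplit(inner).hostname or "").lower()
    # A wrapped link whose real target is a shortener hides the final
    # destination behind a second redirect, so it deserves manual review.
    return "wrapped-shortener" if inner_host in SHORTENER_HOSTS else "wrapped"


def triage(urls):
    """Return (url, inner_url) pairs for links that need review."""
    return [(u, unwrap_v2(u)) for u in urls if classify(u) == "wrapped-shortener"]


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from a message body.
    samples = [
        "https://urldefense.proofpoint.com/v2/url?u=https-3A__short.example_a1b2&d=x",
        "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example_docs&d=x",
        "https://intranet.example/docs",
    ]
    for wrapped, inner in triage(samples):
        print("review:", wrapped, "->", inner)
```

A hit means only that the wrapped link resolves to another redirector, not that it is malicious; resolving the shortener in a sandbox is the next step.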
