Hackers are using link wrapping to steal your Microsoft 365 login
Cloudflare’s email security team recently uncovered a new phishing technique. Attackers are using compromised email accounts to disguise malicious links via legitimate link wrapping services. Services like those from Proofpoint or Intermedia rewrite incoming links to trustworthy domains and scan them automatically, a protection mechanism that, in this case, becomes a gateway.
The links look deceptively genuine
The attackers shorten their links using URL shorteners and send them via hacked accounts. The security services then rewrite the links under their own “secure” domain, which makes them appear legitimate. But behind the URLs lurk phishing pages that deceptively mimic Microsoft 365 login pages. Subject lines such as “New voicemail,” “Secure document for retrieval,” or “New message in Microsoft Teams” are designed to lure unsuspecting users. Some emails even pose as encrypted “Zix” messages, a well-known system for secure communication.
Clicking on seemingly harmless buttons like “Reply” leads directly to fake login pages designed to steal credentials. According to Cloudflare, attackers use the trustworthiness of the rewritten links to bypass security filters. Such methods are not new. Services like Google Drive have already been similarly abused, but the targeted exploitation of link wrapping is a new chapter in the phishing playbook.
Cloudflare writes about this in its report:
Link wrapping is used by providers such as Proofpoint to protect users. This involves routing all clicked URLs through a scanning service so that known malicious targets can be blocked at the time of the click. […] This defense method is quite effective against known threats. However, attacks can still be successful if the wrapped link has not yet been flagged as dangerous by the scanner at the time of click.
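For mail filtering, the practical consequence is that a wrapper's domain says nothing about where a link ends up. As an added example (not from Cloudflare's report or this article), the following Python code unwraps a link and classifies it by its inner destination, flagging the shortener-inside-wrapper chain described above. It assumes the Proofpoint URL Defense v3 layout given in the comment; the host lists, function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Proofpoint URL Defense v3 layout,
#   https://urldefense.com/v3/__<target>__;<encoded-bytes>!!<token>$
WRAPPER_HOSTS = {"urldefense.com"}                    # add your gateway's hosts
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}   # illustrative, not exhaustive
V3_TARGET = re.compile(r"/v3/__(?P<target>.+?)__;")
SINGLE_SLASH = re.compile(r"^([a-z0-9+.-]+:/)([^/].*)", re.IGNORECASE)

def hostname(url):
    """Lower-cased host of a URL, or '' when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def inner_target(url):
    """Inner target of a v3-wrapped link, or None if the layout does not match."""
    m = V3_TARGET.search(url)
    if not m:
        return None
    target = m.group("target")
    fixed = SINGLE_SLASH.match(target)  # handles targets where "//" arrives as "/"
    return fixed.group(1) + "/" + fixed.group(2) if fixed else target

def classify(url):
    """Judge a link by its inner destination, never by the wrapper's domain."""
    if hostname(url) not in WRAPPER_HOSTS:
        return "not-wrapped"
    inner = inner_target(url)
    if inner is None:
        return "wrapped-unparsed"       # cannot see the destination: review it
    if hostname(inner) in SHORTENER_HOSTS:
        return "wrapped-shortener"      # two redirect layers hide the real page
    return "wrapped-direct"

# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://urldefense.com/v3/__https://bit.ly/3xAmPle__;!!CONSTRUCTED!token$",
    "https://urldefense.com/v3/__https:/tinyurl.com/abc__;!!CONSTRUCTED!token$",
    "https://urldefense.com/v3/__https://intranet.example.org/doc__;!!CONSTRUCTED!token$",
    "https://urldefense.com/unknown/layout",
    "https://example.org/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):18} {link}")
```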
Companies need to rethink security
This is a wake-up call for users and organizations: automatic detection of malicious links isn’t enough anymore. IT admins should update firewalls and email filters, step up employee training, and require multi-factor authentication for Microsoft 365 accounts. These attacks highlight how easily cybercriminals can turn protective tools into vulnerabilities.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.