<div id="post_message_807254">
A threat actor has been abusing link wrapping services from reputed technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials.<br/> <br/> The attacker exploited the URL security feature from cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns from June through July.<br/> <br/> Some email security services include a link wrapping feature that rewrites the URLs in the message to a trusted domain and passes them through a scanning server designed to block malicious destinations.<br/> <br/> <b><font size="4"><font color="White">Legitimizing phishing URLs</font></font></b><br/> <br/> Cloudflare’s Email Security team discovered that the adversary legitimized the malicious URLs after compromising Proofpoint and Intermedia-protected email accounts, and likely used their unauthorized access to distribute the “laundered” links.<br/> <br/> “Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” the researchers said.<br/> <br/> “The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping” - <a href="https://www.cloudflare.com/threat-intelligence/research/report/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads/" target="_blank">Cloudflare Email Security</a><br/> <br/> The threat actor added an obfuscation layer by first shortening the malicious link before sending it from a protected account, which automatically wrapped the link.<br/> <br/> The researchers say that the attacker lured victims with fake notifications for voicemail or shared Microsoft Teams documents. 
At the end of the redirect chain was a Microsoft Office 365 phishing page that collected credentials.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1100723/M365_phish_CloudflareEmailsec.webp"/><br/> <div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Microsoft 365 phishing delivered by exploiting link-wrapping feature<br/> source: Cloudflare Email Security </td> </tr> </table> </div>In the campaign that abused Intermedia’s service, the threat actor delivered emails pretending to be a “Zix” secure message notification for viewing a secure document, or impersonated a communication from Microsoft Teams informing of a newly received message.<br/> <br/> The link allegedly leading to the document was a URL wrapped by Intermedia’s service and redirected to a fake page from digital and email marketing platform Constant Contact hosting the phishing page.<br/> <br/> Clicking on the reply button in the fake Teams notification led to a Microsoft phishing page that would collect login credentials.<br/> <br/> By disguising the malicious destinations with legitimate email protection URLs, the threat actor increased the chances of a successful attack, the Cloudflare researchers said.<br/> <br/> It should be noted that abusing legitimate services to deliver malicious payloads is not new, but exploiting the link-wrapping security feature is a recent development on the phishing scene.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/attackers-exploit-link-wrapping-services-to-steal-microsoft-365-logins" target="_blank">@ BleepingComputer</a> </div>
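The shortener-behind-a-wrapper pattern described in the post can be checked for on the mail gateway or in a SOC triage script. The sketch below is an added example, not code from the article or from Cloudflare, Proofpoint or Intermedia. It assumes the publicly documented Proofpoint URL Defense v2 and v3 link layouts; the shortener list, function names and sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Illustrative shortener hosts (assumed list; maintain your own).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
V3_RE = re.compile(r"/v3/__(?P<url>.+?)__;")

def unwrap(url):
    """Return the destination embedded in a wrapped link, or None if not wrapped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/"):
        u = parse_qs(parts.query).get("u", [None])[0]
        # v2 layout (assumed): '-XX' is a hex escape and '_' stands for '/'.
        return unquote(u.translate(str.maketrans("-_", "%/"))) if u else None
    if host == "urldefense.com":
        m = V3_RE.search(url)
        if not m:
            return None
        # v3 layout (assumed): URL sits between '__' and '__;'. Characters the
        # wrapper substituted with '*' are not restored; the host survives.
        # Also tolerate a collapsed '//' after the scheme.
        return re.sub(r"^([a-z][a-z0-9+.-]*:/)(?=[^/])", r"\1/",
                      m.group("url"), flags=re.I)
    return None

def classify(url):
    """Return (inner_host, flag) for one link taken from a message body."""
    inner = unwrap(url)
    if inner is None:
        return (None, None)
    inner_host = (urlsplit(inner).hostname or "").lower()
    if inner_host in SHORTENERS:
        return (inner_host, "shortener-inside-wrapper")
    if unwrap(inner) is not None:
        return (inner_host, "nested-wrapper")
    return (inner_host, None)

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE&d=x&c=y",
    "https://urldefense.com/v3/__https://www.example.com/report.pdf__;!!constructed$",
    "https://urldefense.com/v3/__https:/tinyurl.com/EXAMPLE__;!!constructed$",
    "https://www.example.org/plain",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link), link)
```

A flagged link is a prompt to resolve the full redirect chain in a sandbox before delivery, since the wrapper's trusted domain says nothing about the final destination.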