In the shadowy world of cybersecurity, a new tactic has emerged that turns trusted email security tools against their users. Cybercriminals are exploiting link-wrapping features from companies like Proofpoint and Intermedia to disguise phishing attacks aimed at stealing Microsoft 365 credentials. This method leverages legitimate URL rewriting services—designed to protect against malicious links—to bypass email filters and lure victims into fake login pages.
The attacks, which have intensified over the past few months, involve embedding harmful URLs within the protective wrappers provided by these services. Once clicked, the wrapped links redirect users through multiple layers, ultimately landing on phishing sites that mimic Microsoft’s authentication portals. Security researchers have noted that this abuse allows attackers to evade detection, as the initial links appear benign and originate from reputable domains.
How Link Wrapping Becomes a Weapon
Proofpoint’s URL protection, intended to scan and sanitize links in emails, is being manipulated by threat actors who craft emails that trigger the wrapping process. According to a report from Cloudflare, attackers send phishing emails through open relays or compromised accounts, ensuring the links get wrapped by Proofpoint’s system before reaching inboxes. This creates a false sense of security, as recipients see a trusted Proofpoint domain in the URL.
Similarly, Intermedia’s link-wrapping service, used in cloud communications, is being co-opted for the same purpose. The multi-layer redirection tactic complicates tracing, with links bouncing through several legitimate hops before revealing the malicious payload. As detailed in an analysis by The Hacker News, this has led to successful credential theft in high-value targets, including executives at major corporations.
The Scale and Sophistication of the Campaigns
These phishing operations are not isolated incidents but part of broader campaigns that have targeted organizations worldwide. One notable wave, observed from June through July 2025, involved thousands of emails mimicking urgent Microsoft 365 notifications, such as password resets or shared document alerts. PCWorld reported that cybercriminals exploit the trust users place in wrapped links, often clicking without hesitation because they assume the email has been vetted.
The sophistication lies in the attackers’ ability to automate the process. By using open-source tools or custom scripts, they generate wrapped links en masse, tailoring them to specific victims based on reconnaissance from data breaches. This personalization increases click-through rates, with some campaigns achieving success rates as high as 20%, far above those of average phishing attempts.
Industry Responses and Mitigation Strategies
In response, Proofpoint has acknowledged the abuse and is enhancing its detection algorithms to flag anomalous wrapping patterns. A statement from the company, covered by All About Security, emphasizes that while the feature is being misused, it’s not a vulnerability but an exploitation of design. Intermedia has similarly issued updates to tighten controls on link redirection.
For industry insiders, the key takeaway is bolstering user education and implementing advanced email gateways that inspect wrapped links more deeply. Experts recommend multi-factor authentication beyond SMS, such as hardware keys, to render stolen credentials useless. As TechRadar highlights, organizations should audit their email security configurations and consider disabling automatic wrapping for high-risk communications.
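One way a gateway or triage script can inspect wrapped links more deeply, shown as an added example that does not come from the vendors or reports cited here: it peels Proofpoint URL Defense v2 wrappers, including nested ones, and judges the innermost destination instead of the wrapper domain. The sample links, the `.example` host and the sign-in allowlist are constructed assumptions, and the check is meant for links in mail that presents itself as a Microsoft 365 sign-in notice.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Proofpoint URL Defense v2 keeps the original link in "u",
# written with "-XX" in place of "%XX" and "_" in place of "/".
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}
V2_TRANS = str.maketrans("-_", "%/")
# Assumption: the sign-in hosts this organisation accepts for Microsoft 365.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
MAX_LAYERS = 5  # stop peeling after this many nested wrappers

# Constructed samples (hypothetical ".example" destination, placeholder "d" values).
SINGLE = "https://urldefense.proofpoint.com/v2/url?u=http-3A__phish.example_login&d=X"
NESTED = ("https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.proofpoint.com"
          "_v2_url-3Fu-3Dhttp-2D3A-5F-5Fphish.example-5Flogin-26d-3DX&d=Y")
BENIGN = "https://urldefense.proofpoint.com/v2/url?u=https-3A__login.microsoftonline.com_&d=Z"


def unwrap_once(url):
    """Return the link embedded in a v2 wrapper, or None if url is not wrapped."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in WRAPPER_HOSTS or not parts.path.startswith("/v2/"):
        return None
    encoded = parse_qs(parts.query).get("u")
    if not encoded:
        return None
    return unquote(encoded[0].translate(V2_TRANS))


def inspect_link(url):
    """Peel nested wrappers and report the destination a filter should judge."""
    layers = 0
    while layers < MAX_LAYERS:
        inner = unwrap_once(url)
        if inner is None:
            break
        url, layers = inner, layers + 1
    host = (urlparse(url).hostname or "").lower()
    return {
        "final_url": url,
        "final_host": host,
        "layers": layers,
        "truncated": unwrap_once(url) is not None,  # more wrappers than MAX_LAYERS
        "off_allowlist": layers > 0 and host not in TRUSTED_LOGIN_HOSTS,
    }


if __name__ == "__main__":
    for sample in (SINGLE, NESTED, BENIGN):
        print(inspect_link(sample))
```

This resolves only the layers embedded in the URL itself; hops that redirect server-side still have to be followed in a sandboxed resolver before the destination can be judged.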
Broader Implications for Cybersecurity Trust
This trend underscores a growing challenge: the weaponization of security tools themselves. What was once a shield is now a sword in the hands of adversaries, eroding trust in established vendors. Analysts predict that without swift adaptations, similar abuses could spread to other services like Mimecast or Symantec, amplifying the risk to enterprise environments.
Ultimately, this phishing evolution demands a reevaluation of how we design and deploy protective technologies. As threats adapt, so must defenses, ensuring that innovations don’t inadvertently create new vectors for attack. With incidents reported across sectors, from finance to healthcare, the stakes are high for proactive measures to safeguard digital identities.