Attackers exploit link-wrapping services to steal Microsoft 365 logins

A threat actor has been abusing link wrapping services from reputed technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials.

The attacker exploited the URL security feature from cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns from June through July.

Some email security services include a link wrapping feature that rewrites the URLs in the message to a trusted domain and passes them through a scanning server designed to block malicious destinations.

Legitimizing phishing URLs

Cloudflare’s Email Security team discovered that the adversary legitimized the malicious URLs after compromising Proofpoint and Intermedia-protected email accounts, and likely used their unauthorized access to distribute the “laundered” links.

“Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” the researchers said.

“The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping“ – Cloudflare Email Security

The threat actor added an obfuscation layer by first shortening the malicious link before sending it from a protected account, which automatically wrapped the link.

The researchers say that the attacker lured victims with fake notifications for voicemail or shared Microsoft Teams documents. At the end of the redirect chain was a Microsoft Office 365 phishing page that collected credentials.

In the campaign that abused Intermedia’s service, the threat actor delivered emails pretending to be a “Zix” secure message notification for a viewing a secure document, or impersonated a communication from Microsoft Teams informing of a newly received message.

The link allegedly leading to the document was a URL wrapped by Intermedia’s service and redirected to a fake page from digital and email marketing platform Constant Contact hosting the phishing page.

Clicking on the reply button in the fake Teams notification led to a Microsoft phishing page that would collect login credentials.

By disguising the malicious destinations with legitimate email protection URLs, the threat actor increased the chances of a successful attack, the Cloudflare researchers said.

It should be noted that abusing legitimate services to deliver malicious payloads is not new but exploiting the link-wrapping security feature is a recent development on the phishing scene.