Threat Actors Abuse Proofpoint’s and Intermedia’s Link Wrapping Features to Hide Phishing Payloads


The latest wave of credential-phishing campaigns has revealed an unexpectedly convenient ally for threat actors: the very e-mail security suites meant to protect users.

First observed in late July 2025, multiple phishing clusters began embedding malicious URLs inside the legitimate link-wrapping services of Proofpoint’s Protect platform (https://urldefense.proofpoint.com/v2/url?u=) and Intermedia’s LinkSafe (https://safe.intermedia.net/?u=).

Because corporate filters already trust these domains, the wrapped links traverse mail gateways uninspected, landing directly in users’ inboxes.


The attack chain is deceptively simple. Victims receive invoices, DocuSign requests, or shipping notices whose call-to-action buttons point to a wrapped URL.

When clicked, Proofpoint or Intermedia first decodes and then silently forwards the browser to an attacker-controlled site that imitates Microsoft 365 or Okta single-sign-on pages.

Cloudflare researchers noted that the intermediate “trusted” hop neuters most sandbox detonations because the final destination is resolved only inside the user’s session, effectively short-circuiting heuristic URL reputation checks.

Campaign telemetry collected by open redirect sensors shows more than 180,000 messages since August 1 targeting financial services, legal firms, and higher education.

Phishing email posing as a voicemail notification containing a wrapped link (Source – Cloudflare)

In several incidents, compromised mailboxes were weaponized within minutes to propagate the lure further, amplifying internal spread while masquerading as legitimate reply-threads.

Phishing email posing as a Microsoft Teams Document (Source – Cloudflare)

The abuse underscores the paradox in which security controls—when insufficiently scoped—become high-fidelity cloaks for adversaries.

Detection Evasion via Opportunistic URL Rewriting

Unlike traditional phishing that relies on freshly registered typo-domains, these campaigns exploit conditional URL resolution.

Proofpoint’s wrapper stores the target in a base64-encoded u= parameter, while an HMAC signature in k= assures integrity.

Security products typically verify only the HMAC before classifying the link as safe; they do not dereference the payload during scanning because doing so would destroy the wrapper’s anti-tampering seal.

Microsoft phishing page designed to harvest credentials (Source – Cloudflare)

Attackers simply generate a valid link by letting Proofpoint create the wrapper on a benign site, then editing the base64 payload without updating the signature—Proofpoint still loads the URL but cannot guarantee authenticity, causing a silent forward.

The following Python fragment replicates the tampering step and highlights why static scanners miss it:

import base64, re, urllib.parse

wrapped = ("https://urldefense.proofpoint.com/v2/url?"
           "u=aHR0cHM6Ly93d3cuZXhhbXBsZS5jb20vP3Byb2Quaj0x&k=abcd1234")

# Pull the base64 payload out of the u= parameter and restore any stripped '=' padding
payload = re.search(r"u=([^&]+)", wrapped).group(1)
decoded = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)).decode()
print('Original target:', decoded)

# Swap in a different destination; the k= signature is deliberately left untouched
new_target = "https://malicious-domain.net/login.php"
new_payload = base64.urlsafe_b64encode(new_target.encode()).decode().rstrip("=")
tampered = re.sub(r"u=[^&]+", f"u={urllib.parse.quote(new_payload)}", wrapped)

print('Tampered wrapper:', tampered)

Because the k= signature is never re-computed, Proofpoint flags the link as “modified” but still performs the forward—a usability concession attackers now exploit.

Intermedia’s LinkSafe shows an analogous weakness, lacking any integrity token at all.

Until Proofpoint and Intermedia revise their validation logic to block or at least visibly warn on signature mismatches, defenders must rely on full URL detonation and on-endpoint heuristics.

Network teams are advised to strip or rewrite wrapped links at the secure-gateway layer, while SOCs should hunt for base64 strings inside u= parameters that decode to external domains.

At its core, the episode is a cautionary tale: security layers that succeed in isolation can, when chained together without holistic threat modeling, open a friction-free highway straight to the attacker’s payload.
