Threat Actors Exploit Proofpoint and Intermedia Link Wrapping to Conceal Phishing Payloads

Cybercriminals are increasingly exploiting link wrapping features from vendors like Proofpoint and Intermedia to mask malicious payloads, leveraging the inherent trust users place in these security tools.

Link wrapping, intended as a protective measure, reroutes URLs through vendor scanning services such as Proofpoint’s urldefense.proofpoint.com or Intermedia’s url.emailprotection.link to inspect and block threats at click time.

Abuse of Trusted Security Mechanisms

However, attackers compromise protected email accounts to “launder” phishing links, embedding them in seemingly legitimate wrapped URLs that evade reputation-based filters and exploit detection delays.

This method heightens phishing efficacy by presenting trusted domains, significantly boosting click-through rates and enabling redirects to credential-harvesting pages mimicking Microsoft Office 365 or Teams interfaces.

A Microsoft phishing page designed to harvest credentials

The Cloudflare Email Security team has tracked these clusters, noting how attackers integrate multi-tiered redirects with URL shorteners like Bitly to add obfuscation layers, creating chains from shortened links to wrapped URLs and ultimately to phishing landing pages.

Observed campaigns demonstrate varied abuse patterns. For Proofpoint, threat actors gain unauthorized access to protected accounts, using them to distribute wrapped links disguised as voicemail notifications or shared Teams documents.

An example involves a shortened URL leading to a Proofpoint-wrapped link that redirects through gojo.lci-nd.com to a Microsoft phishing site, capturing credentials via deceptive login forms.
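As an added illustration (not code from the Cloudflare report or from either vendor), the following Python helper decodes a Proofpoint URL Defense v2 wrapped link back to its inner destination for triage, treats an Intermedia token as opaque, and refuses to treat the wrapper domain itself as a trust signal; the wrapper-to-tag mapping, the redirector list and the `trusted_hosts` parameter are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Wrapper hosts named in the article, mapped to a short tag (constructed mapping).
WRAPPERS = {"urldefense.proofpoint.com": "proofpoint", "url.emailprotection.link": "intermedia"}
# Constructed sample list of shortener/redirector hosts; extend it for your environment.
REDIRECTORS = {"bit.ly", "cc.rs6.net"}


def decode_proofpoint_v2(wrapped: str) -> Optional[str]:
    """Recover the inner URL of a URL Defense v2 link, or None if it is not one.

    v2 keeps the destination in the "u" query parameter with "/" written as "_"
    and every other special byte written as "-" followed by its two-digit hex."""
    p = urlparse(wrapped)
    if p.hostname != "urldefense.proofpoint.com" or not p.path.startswith("/v2/url"):
        return None
    u = parse_qs(p.query).get("u", [""])[0]
    if not u:
        return None
    u = u.replace("_", "/")  # "_" -> "/" first; a literal "_" arrives encoded as "-5F"
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), u)


def host_of(url: Optional[str]) -> str:
    return ((urlparse(url).hostname or "") if url else "").lower()


def triage_link(url: str, trusted_hosts: set) -> dict:
    """Classify a URL seen in mail; the wrapper domain is never the deciding factor."""
    wrapper = WRAPPERS.get(host_of(url))
    if wrapper is None:
        return {"wrapper": None, "destination": url, "verdict": "unwrapped"}
    if wrapper == "intermedia":
        # The token after "?" is opaque, so the destination is only learned at click time.
        return {"wrapper": wrapper, "destination": None, "verdict": "review-opaque"}
    inner = decode_proofpoint_v2(url)
    inner_host = host_of(inner)
    if inner is None:
        verdict = "review-undecodable"
    elif inner_host in REDIRECTORS:
        verdict = "review-redirector"  # shortener inside a wrapper: a multi-tier chain
    elif any(inner_host == t or inner_host.endswith("." + t) for t in trusted_hosts):
        verdict = "allow"
    else:
        verdict = "review-external"
    return {"wrapper": wrapper, "destination": inner, "verdict": verdict}
```

Run `triage_link` over the URLs extracted from a message and route anything other than `allow` to click-time inspection or analyst review.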

Link Wrapping

Campaign Tactics

Similarly, Intermedia exploits stem from compromised organizational accounts, where outbound emails automatically wrap malicious links, such as those posing as Zix secure messages or shared Word documents, redirecting via Constant Contact to credential-theft pages.

These techniques impersonate trusted services, increasing attack success by cloaking payloads in legitimate wrappers.

According to the report, the impacts are profound: heightened risk of direct financial losses, with email-based fraud contributing to $502 million in aggregate damages in 2024 per FTC data; surging identity theft, with over 1.1 million reports and prolonged resolution times averaging 22 months for tax-related cases; and broader breach facilitation, as phishing initiates 67% of incidents according to Comcast research, fueling a 300% spike in credential theft noted by Picus Security.

Mitigation requires advanced detections beyond traditional filtering, such as Cloudflare’s machine learning-based rules like SentimentCM.HR.Self_Send.Link_Wrapper.URL and SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment, which analyze historical patterns and signals in wrapped-link messages to preempt threats.

Indicators of Compromise (IOCs)

Type IOC
Malicious URL https://ddms03smf0d0dqeqmm.z21.web.core.windows.net/
Malicious URL https://urldefense.proofpoint.com/v2/url?u=https-3A__gojo.lci-2Dnd.com&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=JHPdH2eYhJj8kJPCsaFJ0cex9tnFD_mA1GRT4WGPaXU&m=VDhwcBPv_4CWrpDAMhOZnvNj_FdlDtKpjGcNjISeucxESVMtrKcUjyfH2NRqJvx8&s=lfIM56zMSpKOutaPg5Ug022VvzspPbfXMkC0SkowSn4&e=
Malicious URL https://Gojo.lci-nd.com
Malicious URL https://7sovxyhbb.cc.rs6.net/error.jsp?e=7sovxyhbb
Malicious URL https://ddms03smf0d0dqeqmm.z21.web.core.windows.net
Malicious URL https://url.emailprotection.link/?bWAGY3CVTOdXyKVyobe9gnItJOEJbm1tY2HTkP9NpEnkIf26F00zxMsb9S6ZkoTubTBb8VAKEW8Xzl3H78zXbLUsx6G1-SLbGVekrCZe8ixy5rk7O3KF7s-l7K_qIAAgHPcF6tTEW65MVGDvSqMhxQKLuSkOMktCIaifpyyFNqrfq2SJQ2xYDeXI0zGUBPdYV8EpnEqSz3jxvefaMUh2FPZ54bxAa1H79K2-v_JH5ebOzqRN6OXD06HjrjOZCg59G
