https://www.cloudflare.com/threat-intelligence/research/report/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads

Threat actors have discovered a new method to legitimise phishing attacks by exploiting link-wrapping security features from reputable technology companies, using services from cybersecurity firm Proofpoint and cloud communications company Intermedia to mask malicious URLs leading to Microsoft 365 credential harvesting pages. Cloudflare’s Email Security team uncovered the campaign, which ran from June through July 2025, demonstrating how attackers can turn security tools designed to protect users into weapons that enhance the credibility of their malicious operations.

The sophisticated attack method involves compromising email accounts already protected by Proofpoint and Intermedia’s link-wrapping services, then leveraging unauthorised access to distribute what researchers call “laundered” links that appear to originate from trusted domains. The attackers employed multi-layered obfuscation techniques, first shortening malicious URLs before sending them from compromised accounts, which automatically triggered the link-wrapping protection and added a further layer of apparent legitimacy. The threat actors lured victims with fake notifications for voicemail messages or shared Microsoft Teams documents, ultimately redirecting users through a chain of legitimate-looking URLs to Microsoft Office 365 phishing pages designed to steal login credentials.

The campaign targeting Intermedia’s service involved emails impersonating “Zix” secure message notifications and fake Microsoft Teams communications, with malicious links wrapped by Intermedia’s service that redirected to fraudulent pages hosted on Constant Contact’s digital marketing platform. This novel approach of exploiting link-wrapping security features represents a significant evolution in phishing tactics, as it allows attackers to bypass traditional email security measures by disguising malicious destinations with legitimate email protection URLs. While abusing legitimate services for malicious purposes is not new, the specific exploitation of link-wrapping security features marks a concerning development that highlights how cybercriminals continue to adapt and weaponise the very tools designed to protect organisations from cyber threats.
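
A defender-side check for the shortener-then-wrap chain described above, added here as an example and not taken from the Cloudflare report: it unwraps Proofpoint URL Defense v2 and v3 links and flags those whose embedded destination is a URL shortener. The shortener list, function names and sample links are assumptions constructed for illustration; Intermedia-wrapped links are not handled.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed, non-exhaustive shortener list; substitute your own feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

V2_HOST = "urldefense.proofpoint.com"
V3_RE = re.compile(r"^https://urldefense\.com/v3/__(.+?)__;[^!]*!", re.I)
V2_TRANS = str.maketrans("-_", "%/")  # v2 writes '%' as '-' and '/' as '_'


def unwrap_proofpoint(link):
    """Return the URL embedded in a URL Defense v2/v3 link, else None."""
    m = V3_RE.match(link)
    if m:
        # v3 replaces some characters with '*' placeholders; those are not
        # resolved here because only the host is needed for the check.
        return m.group(1)
    parts = urlsplit(link)
    if (parts.hostname or "").lower() == V2_HOST and parts.path == "/v2/url":
        u = parse_qs(parts.query).get("u")
        if u:
            return unquote(u[0].translate(V2_TRANS))
    return None


def find_laundered(links):
    """Return (wrapped, inner) pairs whose inner host is a shortener."""
    hits = []
    for link in links:
        inner = unwrap_proofpoint(link)
        if inner is None:
            continue  # not a Proofpoint-wrapped link
        host = (urlsplit(inner).hostname or "").lower()
        if host in SHORTENERS:
            hits.append((link, inner))
    return hits


# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPle&d=DwMFaQ&c=constructed",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_my-2Dpage&d=DwMFaQ",
    "https://urldefense.com/v3/__https://tinyurl.com/constructed__;!!AbCd!constructed$",
    "https://www.example.org/not-wrapped",
]

if __name__ == "__main__":
    for wrapped, inner in find_laundered(SAMPLES):
        print("shortener behind wrapper:", inner)
```

A hit is a triage signal rather than a verdict: the shortened link still has to be resolved in a sandbox to see where the chain ends.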