
Threat actors exploited Proofpoint and Intermedia link-wrapping services in phishing campaigns throughout June and July, according to a July 30, 2025, report by the Cloudflare Email Security team.
Link wrapping is a security feature used by Proofpoint and other vendors to scan and rewrite URLs for safety when users click on them. However, attackers manipulated these protections to redirect users to credential-stealing Microsoft Office 365 pages.
Link wrapping attackers run malicious URLs through legitimate services
To carry out the attack, threat actors need to gain control of accounts already using link wrapping, in this case link wrapping services from Proofpoint. Cloudflare observed that attackers used compromised accounts with active link wrapping to “launder” or disguise phishing URLs. They often used URL shorteners such as Bitly, creating a direct chain that Cloudflare described as “URL shortener → Proofpoint wrap → phish landing page.”
One such campaign delivered links in emails, disguising them as voicemail notifications. The ‘listen to voicemail’ link held the wrapped URL. The Proofpoint-wrapped link ultimately led to a Microsoft Office 365 phishing page displaying falsified service health alerts to trick users into entering credentials.
Another phishing campaign used compromised Intermedia-protected accounts to distribute emails that contained similarly disguised links. These malicious links wrapped in Intermedia protection functioned in a similar way. In this case, the threat actor compromised an account within an Intermedia-protected organization and sent links from there. Some of these emails disguised themselves as secure message notifications from a service called Zix, shared Word documents, or Microsoft Teams message notifications.
Proofpoint is aware of the abuse of link redirects, the company said in an email to TechRepublic.
“Proofpoint has noticed threat actors use this technique and abuse a number of security vendor URLs including Sophos and Cisco,” Proofpoint threat researchers said in a prepared statement.
In addition, Proofpoint clarified that its behavioral AI detection engine can find and discard messages used in phishing campaigns.
“Whenever threat actors choose to use a re-written URL from any security service, including Proofpoint, it means that as soon as the security service blocks the final URL, the entire attack chain can be blocked for every recipient of the campaign, whether or not the recipient was a customer of the security service or not,” the researchers said.
How to protect against link wrapping attacks
For security personnel, Cloudflare Email Security wrote two detections for this technique:
- SentimentCM.HR.Self_Send.Link_Wrapper.URL.
- SentimentCM.Voicemail.Topic.URL_Wrapper.Attachment.
They also published indicators of compromise (IOCs) and email detection fingerprints to help security teams proactively identify this technique.
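As an added example (not Cloudflare's detection logic and not code from the report), the sketch below peels a wrapped link offline and flags the stacked-redirector pattern described above. It assumes the Proofpoint URL Defense v2 layout (`u=` parameter, `_` for `/`, `-XX` for `%XX`), that the shortened link sits inside the wrapped one, a hypothetical shortener list and function names, and constructed sample URLs.

```python
from urllib.parse import urlsplit, parse_qs, unquote

PROOFPOINT_V2_HOST = "urldefense.proofpoint.com"   # assumed wrapper host (v2 links)
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}          # assumed list; extend locally

def unwrap_proofpoint_v2(url):
    """Return the URL carried inside a URL Defense v2 link, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != PROOFPOINT_V2_HOST or not parts.path.startswith("/v2/"):
        return None
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return None
    # v2 encoding: "_" stands for "/" and "-XX" for the byte "%XX".
    return unquote(encoded.translate(str.maketrans("-_", "%/")))

def redirect_layers(url, max_depth=5):
    """Peel visible wrapper layers offline; return (layer kinds, last visible URL)."""
    kinds = []
    for _ in range(max_depth):          # bound nesting so crafted input cannot loop
        inner = unwrap_proofpoint_v2(url)
        if inner is None:
            break
        kinds.append("proofpoint-wrap")
        url = inner
    if (urlsplit(url).hostname or "").lower() in SHORTENER_HOSTS:
        kinds.append("shortener")
    return kinds, url

def triage(url):
    """Flag links that stack a security wrapper on top of a URL shortener."""
    kinds, visible = redirect_layers(url)
    return {"layers": kinds, "last_visible_url": visible,
            "stacked_redirectors": {"proofpoint-wrap", "shortener"} <= set(kinds)}

# Constructed samples, not taken from the report's IOCs.
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE123&d=CONSTRUCTED",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_docs_q3-2Dreport.pdf&d=CONSTRUCTED",
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link))
```

A hit is a triage signal rather than a verdict: the final landing page stays hidden behind the shortener, so route flagged messages to sandboxed analysis or manual review.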
For organizations and employees, the report emphasized vigilance. Don’t click on links received from an unknown sender, and be aware of the normal pace and patterns of communications such as Teams messages from coworkers. Deviations from these patterns and sources may include infected links or sites designed to steal credentials, breach systems, or drain bank and crypto accounts.
In 2024, 11% of fraud reports submitted to the US Federal Trade Commission were email scams resulting in financial loss.
This article was updated with a statement from Proofpoint.