
Hackers are stealing Microsoft 365 accounts by abusing link-wrapping services: Report

After a series of redirects, victims who are unaware of the attack are prompted for their Microsoft 365 login information

According to cybersecurity researchers at Cloudflare, threat actors are abusing the “link wrapping” feature offered by Proofpoint and Intermedia to bypass email security, craft convincing phishing emails, and ultimately steal users’ Microsoft 365 login credentials. Cloudflare’s observation comes after it witnessed at least two months of such malicious campaigns in action.

URL Defense, a link-wrapping service from Proofpoint, protects users by rewriting all incoming email links to pass through Proofpoint’s inspection gateway before they are seen by the recipient. When a user clicks a link in an email, it is assessed in real time, including reputation checks and sandbox detonation, and access is provided only if the link is deemed secure.

The catch is that the rewritten link (typically prefixed with “urldefense.proofpoint.com”) contains the entire original URL in encoded form. The wrapped link gives recipients a sense of security and increases the likelihood that they will click on it.

“Cybercriminals were seen creating brand-new landing pages that mimic the Microsoft 365 login screen, and as such, are not yet flagged by security products. They would then shorten the URLs to those pages using popular URL shorteners such as Bitly. The next step is to break into email accounts already protected by Proofpoint and use them to wrap the shortened URL,” Cloudflare researchers said, as reported by Techradar.pro.

To wrap the shortened URL, the attackers next break into email accounts that are already protected by Proofpoint. In the last stage, they share the shortened and wrapped URL, frequently from the same compromised email accounts.

Cloudflare says it has already witnessed numerous attacks that use fake voicemail notification emails and fake shared Microsoft Teams documents. After a series of redirects, victims who are unaware of the attack are prompted for their Microsoft 365 login information. Email links should generally be carefully examined before being clicked, particularly if the email conveys a sense of urgency.
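For defenders examining such links, the following added example (not code from Cloudflare, Proofpoint or this article) recovers the original URL carried inside a wrapped link and flags wrapped links whose real destination is a URL shortener. The `/v1/` and `/v2/` query layouts, the shortener list and the sample links are assumptions or constructed values that do not come from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Illustrative shortener list (assumption); extend it from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
WRAPPER_HOST = "urldefense.proofpoint.com"  # prefix named in the article


def unwrap(url):
    """Return the original URL carried inside a wrapped link, or None."""
    parts = urlsplit(url)
    match = re.match(r"^/v([12])/url$", parts.path)
    if (parts.hostname or "").lower() != WRAPPER_HOST or not match:
        return None
    # parse_qs percent-decodes once, which is all the assumed v1 layout needs.
    values = parse_qs(parts.query).get("u")
    if not values:
        return None
    if match.group(1) == "1":
        return values[0]
    # v2 layout (assumption): "_" stands for "/", "-XX" for a "%XX" escape.
    return unquote(values[0].replace("-", "%").replace("_", "/"))


def triage(url):
    """Report whether a link is wrapped, where it really goes, and if that is a shortener."""
    inner = unwrap(url)
    target = inner or url
    host = (urlsplit(target).hostname or "").lower()
    return {
        "wrapped": inner is not None,
        "destination": target,
        "shortener": host in SHORTENER_HOSTS,
        "review": inner is not None and host in SHORTENER_HOSTS,
    }


# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPle&d=DwMFaQ&c=x",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_report.pdf&d=x",
    "https://www.example.org/voicemail",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link))
```

A link marked `review` is a wrapped shortener, so its final landing page is still hidden behind a further redirect and has to be resolved in a sandbox before it can be judged.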

Meanwhile, an ongoing phishing campaign uses a Microsoft 365 feature called Direct Send to avoid detection by email security and steal credentials, according to the Varonis Managed Data Detection and Response (MDDR) team.
