Hackers are stealing Microsoft 365 accounts by abusing link-wrapping services

  • Crooks are using link wrapping services to entice victims into clicking
  • The links redirect the victims to a fake Microsoft 365 landing page
  • The campaign has been going on for at least two months

Cybercriminals are abusing Proofpoint’s and Intermedia’s “link wrapping” services to bypass email protections, create convincing phishing emails, and ultimately steal people’s Microsoft 365 credentials. This is according to cybersecurity researchers from Cloudflare, who have been observing such campaigns in the wild for at least two months.

Proofpoint’s link-wrapping service, known as URL Defense, protects users by rewriting every inbound email link to route through Proofpoint’s inspection gateway before it reaches the actual recipient. When a person clicks a link in an email, the destination is evaluated in real time (including sandbox detonation and reputation checks), and access is only granted if the link is deemed safe.

But here’s the catch: the original URL is embedded within the encoded rewritten link (usually prefixed with “urldefense.proofpoint.com”), which, as a side effect, creates a sense of security for recipients, making it more likely they will actually click it.

Active campaign

Cybercriminals were seen creating brand new landing pages that mimic the Microsoft 365 login screen, and as such, are not yet flagged by security products. They would then shorten the URLs to those pages using popular URL shorteners such as Bitly. The next step is to break into email accounts already protected by Proofpoint, and use them to wrap the shortened URL.

The final step is to distribute the shortened and wrapped URL, often through the very same email accounts that were compromised earlier.

Cloudflare says it’s seen multiple attacks already, with crooks sending fake voicemail notification emails and fake shared Microsoft Teams documents. Victims who don’t spot the attack go through a chain of redirects, landing at a page where they’re asked for their Microsoft 365 login credentials.
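The mechanism described above (the real destination is recoverable from the wrapped link) is also what lets a defender triage these emails: unwrap the URL Defense link and check where it actually points. The script below is an added illustration, not code from the article, Cloudflare, or Proofpoint. It assumes the v1/v2 URL Defense formats (an `u=` query parameter; v2 encodes `%` as `-` and `/` as `_`), and the shortener list, the `SAMPLE_EMAIL` lure and the dummy query parameters are constructed for the demo. A wrapped link whose inner destination is itself a URL shortener is exactly the “wrapper hides a hop that hides the landing page” pattern the campaign relies on, so it is flagged for review.

```python
"""Unwrap Proofpoint URL Defense links and flag ones that hide a URL shortener.

Added defender-side example; not code from the article, Cloudflare or Proofpoint.
Assumptions: v1/v2 URL Defense formats (`u=` parameter; v2 encodes '%' as '-' and
'/' as '_'); the shortener list and the sample email are constructed for the demo.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed list of common shortener hosts; extend it from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Good enough for plain-text mail bodies where URLs are whitespace-delimited.
URL_RE = re.compile(r"https?://\S+")


def unwrap_urldefense(url: str) -> Optional[str]:
    """Return the original destination embedded in a v1/v2 URL Defense link.

    Returns None if the URL is not a recognised URL Defense wrapper. The v3
    format ('urldefense.com/v3/__...__;...') uses a different encoding and is
    deliberately not handled here.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != "urldefense.proofpoint.com":
        return None
    inner = parse_qs(parsed.query).get("u")
    if not inner:
        return None
    if parsed.path.startswith("/v2/"):
        # v2 substitutes '-' for '%' and '_' for '/' in the percent-encoded URL.
        return unquote(inner[0].replace("-", "%").replace("_", "/"))
    if parsed.path.startswith("/v1/"):
        # v1 stores the destination as an ordinary percent-encoded URL.
        return unquote(inner[0])
    return None


def classify_link(url: str) -> Dict[str, object]:
    """Describe one link: wrapper status, real destination, shortener flag."""
    destination = unwrap_urldefense(url)
    wrapped = destination is not None
    final = destination if wrapped else url
    host = urlparse(final).netloc.lower()
    return {
        "wrapped": wrapped,
        "destination": final,
        "shortener": host in SHORTENER_HOSTS,
        # A trusted wrapper around a shortener is the pattern the article
        # describes: two hops, neither of which shows the real landing page.
        "suspicious": wrapped and host in SHORTENER_HOSTS,
    }


def triage_email(body: str) -> List[Dict[str, object]]:
    """Extract every URL in an email body and classify it."""
    return [classify_link(u) for u in URL_RE.findall(body)]


# Constructed sample: a fake voicemail lure carrying a v2-wrapped bit.ly link
# (encoded by hand from https://bit.ly/3abc123) plus an ordinary wrapped
# corporate link. Query parameters other than 'u' are dummy values.
SAMPLE_EMAIL = """\
You have a new voicemail (0:42). Listen now:
https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abc123&d=DwMFaQ&c=x&r=y&m=z&s=w&e=
Intranet: https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_portal&d=DwMFaQ&e=
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['destination']}")
```

Run it against a mail body and review anything marked SUSPICIOUS before the recipient does; in a gateway or SOAR pipeline the same `classify_link` output can feed a quarantine rule, and the shortener set can be swapped for a reputation lookup.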

As a rule of thumb, links in emails should be carefully reviewed before being clicked, especially if the emails carry any sense of urgency with them.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
