OceanVertical

Phishing Campaign Exploits Link Wrappers to Steal Microsoft 365 Logins

  • cypac1
  • Aug 4, 2025

Updated: Aug 12, 2025


Cybercriminals are finding new ways to turn trust into a weapon. By taking advantage of email security tools like Proofpoint and Intermedia, attackers are wrapping phishing links in layers of legitimacy. These manipulated links guide users to convincing fake Microsoft 365 login pages, making it harder than ever to tell what’s real and what’s a trap. What should protect us is now being used to deceive us.

What went wrong

Between June and July 2025, attackers compromised email accounts protected by link-wrapping services. When these accounts sent emails, the URLs were automatically rewritten to domains like urldefense.proofpoint.com, making the links appear legitimate. Often, attackers first shortened the URL (e.g., via Bitly) and then let the wrapping service cloak it again, creating a multi-tier redirect chain that bypasses detection. The final landing pages mimicked Microsoft Office 365 login screens to harvest.

Why it matters

Users are more likely to click wrapped URLs, assuming they’ve been vetted. Reputation-based spam filters also fail to flag these links, since they point to trusted domains. As a result, phishing campaigns spoofing voicemail alerts or Teams notifications become far more effective, particularly when hiding under layers of redirection (CSO Online). Cloudflare’s Email Security team highlighted this attack chain and provided detection indicators for defenders. Proofpoint confirmed they are aware of the abuse and use behavioral AI engines to flag such campaigns and block offending URLs, including final destinations in the redirect chains (The Hacker News).

Security analysts are calling on organizations to go beyond domain reputation checks, training users to analyze link behavior, reduce reliance on URL wrappers, and inspect hover states or blame delegation when in doubt (CSO Online).
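One way to judge a wrapped link by what it hides rather than by the wrapper's domain, shown as an added example that is not from the original post or from Proofpoint: it statically decodes the Proofpoint URL Defense v2 format (`u=` parameter, `-XX` for `%XX`, `_` for `/`) and flags a wrapper that conceals a shortener or another wrapper. The shortener list, the function names and the sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

WRAPPER_HOSTS = {"urldefense.proofpoint.com"}  # wrapper domain named in the article
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}      # assumption: extend with your own list

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def unwrap_proofpoint_v2(url):
    """Return the inner URL of a URL Defense v2 link, or None if not one."""
    parts = urlsplit(url)
    if _host(url) not in WRAPPER_HOSTS or not parts.path.startswith("/v2/"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: '-XX' stands for '%XX' and '_' stands for '/'
    return unquote(encoded.translate(str.maketrans("-_", "%/")))

def analyze_link(url, max_layers=5):
    """Peel wrapper layers without any network access and explain the verdict."""
    chain = [url]
    while len(chain) <= max_layers:
        inner = unwrap_proofpoint_v2(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    final_host = _host(chain[-1])
    reasons = []
    if len(chain) > 1 and final_host in SHORTENER_HOSTS:
        reasons.append("wrapper hides a URL shortener")
    if len(chain) > 2:
        reasons.append("link wrapped more than once")
    if final_host in WRAPPER_HOSTS:
        reasons.append("wrapper link could not be decoded")
    return {"chain": chain, "final_host": final_host, "reasons": reasons}

# Constructed sample: a shortened link re-wrapped by the email gateway.
SAMPLE = ("https://urldefense.proofpoint.com/v2/url"
          "?u=https-3A__bit.ly_3xAmPlE&d=constructed")

if __name__ == "__main__":
    print(analyze_link(SAMPLE))
```

Static decoding stops at the shortener; the landing page behind it still has to be resolved in a sandbox or by the mail gateway's own scanner.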

Takeaway

Wrapped links aren’t inherently safe. Always inspect URLs, even if they appear to come from trusted security services. Disable automatic link wrapping where possible, train users to recognize phishing cues (like Teams or voicemail spoofing), and implement detection strategies that factor in redirect behavior, not just domains.

Stay safe out there

-Mars

Positivity Box


Cyber attackers are evolving but so are we. With smarter analytics, AI-driven link scanning, and increasingly savvy users, defenders aren’t just reacting, they’re predicting. By layering user education, sharpening filters, reducing blind trust in email wrappers, and staying tuned in to trusted cybersecurity sources, your team can turn the tide. Knowledge is power, and in cybersecurity, it’s also protection.

New Funnies!

How do you know a link is suspicious?

When it takes five redirects just to say hello.

Why did the login page feel fake?

Because it said “Welcome, totally not a scam.”


Why did the email security tool start therapy? 

It found out it was helping the enemy all along.

Wrapped links get invited to the phishing party!

all VIP.
