Cybercriminals have found a clever way to mask phishing links using trusted security services. Their latest trick? Exploiting the very tools meant to protect users.
Trusted Services Turned Into Trojan Horses
A group of threat actors has been using legitimate link-wrapping features from major cybersecurity firms—namely Proofpoint and Intermedia—to deliver phishing emails aimed at stealing Microsoft 365 login credentials. The campaign, which ran from June through July, fooled even seasoned users by disguising malicious links as trusted, security-scanned URLs.
Link wrapping, in theory, helps protect users by scanning links and routing them through safe domains. But in this case, it became a vehicle for deception.
Instead of protecting, it redirected victims straight into the hands of attackers.
Cloudflare’s Email Security team flagged the unusual behavior after noticing email accounts protected by these services were being used to send out the wrapped phishing links. That was the first red flag: compromised accounts inside secure environments were spreading harmful payloads.
Multi-Tiered Redirects Make It Harder to Catch
The attackers didn’t just rely on a single method. They layered their approach, using URL shorteners, multiple redirects, and compromised accounts. The idea was simple: if you can confuse the trail, you can increase the chance someone clicks.
First, a malicious link was shortened using a common URL shortener. Then, it was sent from a compromised account protected by either Proofpoint or Intermedia. These services automatically wrapped the link, further masking it behind their own trusted domains.
With each added layer, the real destination got fuzzier.
Cloudflare’s team noted how Proofpoint’s wrapping was particularly exploited using “multi-tiered redirect abuse.” Victims would land on a seemingly safe link, only to be funneled through redirects until they arrived at a phishing page mimicking Microsoft 365.
This wasn’t just about masking—it was a digital shell game.
Deceptive Emails Disguised as Business Tools
The phishing emails were carefully crafted to look like everyday workplace notifications. No flashy red flags. Just typical business as usual: new voicemail alerts, Microsoft Teams messages, or secure file sharing links.
Nothing out of the ordinary—until you clicked.
Cloudflare’s research points to two primary types of email bait:
- Fake Teams notifications: Clicking “Reply” sent users to a Microsoft login lookalike page.
- Voicemail or secure document alerts: Users were lured to a page hosted on Constant Contact, posing as a Microsoft 365 login portal.
In both cases, the emails were sent from seemingly secure accounts, with URLs masked by known protection services. To the untrained eye—and even to some trained ones—these looked safe.
That’s what made them so effective.
Phishing Infrastructure Hidden in Plain Sight
The infrastructure used for these phishing pages wasn’t on dark web black markets or obscure foreign hosts. It was out in the open. Constant Contact, a well-known email and digital marketing service, unknowingly hosted some of the phishing content.
In one instance, a fake Microsoft Teams message carried a link wrapped by Intermedia. That link eventually led to a Constant Contact-hosted page that mimicked Microsoft’s login interface.
This technique—using reputable services to hide malicious activity—is becoming more common. What’s new is the method of laundering phishing links through link-wrapping filters meant to stop them.
Table: Breakdown of the Campaign Mechanics
Here’s a simplified look at how this attack chain played out across services:
| Step | Action | Service Abused |
|---|---|---|
| 1 | Link shortened via URL shortener | Bitly, TinyURL, etc. |
| 2 | Sent from compromised secure account | Proofpoint/Intermedia |
| 3 | Link automatically wrapped by security service | Proofpoint/Intermedia |
| 4 | Redirect to phishing site hosted on legit domain | Constant Contact |
| 5 | Fake login page collects Microsoft 365 creds | N/A |
Each step added a layer of legitimacy. By the time users reached the phishing page, many had already let their guard down.
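For defenders, the chain in the table suggests a static check: decode the wrapped link offline and flag cases where the wrapper hides another redirector. The sketch below is an added example, not code from Cloudflare, Proofpoint or Intermedia. It assumes Proofpoint's URL Defense v2 link format on `urldefense.proofpoint.com` and a short, illustrative list of shortener hosts; wrapper links in any other format are reported as opaque rather than guessed at.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions for this sketch, not taken from the article: tune both sets.
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}   # add your own wrapper domains
REDIRECTOR_HOSTS = {"bit.ly", "tinyurl.com"}    # shorteners named in the table

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def unwrap_v2(url):
    """Decode a Proofpoint URL Defense v2 link; None if it is not one."""
    parts = urlsplit(url)
    if host_of(url) not in WRAPPER_HOSTS or not parts.path.startswith("/v2/"):
        return None
    u = parse_qs(parts.query).get("u", [""])[0]
    if not u:
        return None
    # v2 writes "/" as "_" and other reserved characters as "-XX" hex escapes.
    return unquote(re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", u.replace("_", "/")))

def triage(url, max_tiers=5):
    """Peel wrapper layers offline and return (verdict, chain of URLs seen)."""
    chain = [url]
    for _ in range(max_tiers):
        inner = unwrap_v2(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    final_host = host_of(chain[-1])
    if final_host in WRAPPER_HOSTS:
        return "opaque-wrapper", chain      # wrapper format not decodable here
    if len(chain) > 1 and final_host in REDIRECTOR_HOSTS:
        return "wrapped-redirector", chain  # wrapper hides another redirect
    if len(chain) > 1:
        return "wrapped-direct", chain
    return "not-wrapped", chain

# Constructed sample links (not real indicators).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPle&d=DwMFaQ",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_hr_policy-5F2024.pdf&d=DwMFaQ",
    "https://www.example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, chain = triage(link)
        print(f"{verdict:20} {' -> '.join(chain)}")
```

A `wrapped-redirector` verdict means the final destination still cannot be known without resolving the shortener, which is a reason to hold the message for sandboxed resolution instead of trusting the wrapper's domain.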
Abusing Trust in Email Security
Security tools aren’t just technical. They’re psychological. People trust branded domains. When they see a link prefaced by Proofpoint or Intermedia, it reassures them.
That’s exactly what these attackers played on.
By compromising accounts protected by these services, the adversaries not only gained access to a platform but also to its inherent credibility. The wrapped URLs weren’t flagged by most scanners because they appeared to be already vetted.
What makes this even more concerning is that link wrapping is used across enterprise environments, not just by a few niche players. And once one compromised account starts sending these emails, the ripple effect is fast and hard to track.
An Escalation in Phishing Sophistication
Phishing tactics evolve constantly. But this campaign marks a distinct shift: attackers aren’t just fooling users—they’re fooling the systems designed to protect them.
Unlike brute-force tactics or spammy fake emails, this method was calculated and deliberate. It relied on user psychology, trusted security infrastructure, and subtlety.
- Cloudflare’s team says this represents a “recent development” in phishing strategy.
- It’s a reminder that no security measure is failproof.
- And when the tools meant to stop attacks are turned against us, the lines blur fast.