Cybersecurity researchers have uncovered a sophisticated phishing campaign that abuses legitimate link-wrapping services from companies such as Proofpoint and Intermedia to bypass established security controls. The tactic both masks the malicious destination and raises the likelihood that a recipient clicks, according to a report from the Cloudflare Email Security team.
For the past two months, threat actors have gained unauthorized access to email accounts at organizations protected by these services. Because outbound mail from such accounts passes through the link-wrapping service, the malicious URLs the attackers insert are automatically rewritten into wrapped links, hiding the true destination from the recipient and lending the message the appearance of a vetted link.
Compounding the issue, the researchers observed a two-tiered approach: attackers first obscure their URLs with a shortener such as Bitly, and the shortened link is then wrapped again by Proofpoint's service, producing a chain of redirects. The lures have impersonated legitimate notifications from platforms such as Microsoft Teams, including fake voicemail alerts that entice users to click the deceptive links.
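As an added defender-side illustration (not code from the Cloudflare report or from any vendor), the following Python decodes the Proofpoint URL Defense v2 wrapper and flags wrapped links whose inner destination is a public shortener such as Bitly, the two-tier pattern described above. The v2 `u`-parameter encoding is assumed as publicly documented; the shortener list and the sample message are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed, non-exhaustive list of public URL-shortener hosts used as the
# "inner" layer of the two-tier wrapping pattern.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com"}
PROOFPOINT_HOST = "urldefense.proofpoint.com"  # URL Defense wrapper host (assumed)


def unwrap_proofpoint_v2(url: str) -> Optional[str]:
    """Return the original target of a Proofpoint URL Defense v2 link, or None.

    Assumed v2 format: https://urldefense.proofpoint.com/v2/url?u=<encoded>&...
    where the target is stored in `u` with `_` standing for `/` and `-` for `%`.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != PROOFPOINT_HOST or not parsed.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parsed.query).get("u", [None])[0]
    if not encoded:
        return None
    # Order matters: restore slashes first, then percent signs, then percent-decode.
    return unquote(encoded.replace("_", "/").replace("-", "%"))


def assess_link(url: str) -> dict:
    """Peel one wrapping layer and report whether the inner hop is a shortener."""
    chain = [url]
    inner = unwrap_proofpoint_v2(url)
    if inner:
        chain.append(inner)
    final_host = urlparse(chain[-1]).netloc.lower()
    nested = len(chain) > 1 and final_host in SHORTENER_HOSTS
    return {"chain": chain, "final_host": final_host, "nested_shortener": nested}


def flag_email(body: str) -> list:
    """Return assessments for every wrapped link in `body` that hides a shortener."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [r for r in (assess_link(u) for u in urls) if r["nested_shortener"]]


# Constructed sample: a Teams voicemail lure whose wrapped link conceals a bit.ly hop,
# plus a benign wrapped link that points straight at a normal site.
SAMPLE_BODY = (
    "You have a new voicemail in Microsoft Teams.\n"
    "Listen now: https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPl&d=DwMFaQ\n"
    "Help: https://urldefense.proofpoint.com/v2/url?u=https-3A__support.example.com_faq&d=DwMFaQ\n"
)

if __name__ == "__main__":
    for hit in flag_email(SAMPLE_BODY):
        print("nested shortener behind wrapper:", " -> ".join(hit["chain"]))
```

In a mail-filtering pipeline the same check would run on every outbound and inbound message, since the campaign relies on the wrapper being applied to mail leaving a compromised account.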
In response, Proofpoint has acknowledged the abuse of its URL rewriting capabilities and stated that it actively monitors such activity through its AI-based detection systems. The firm reiterated its commitment to blocking these threats and noted that it is seeing the same techniques used against other security providers that offer URL protection, a critical element in combating phishing.