Unmasking the Devious: How Threat Actors Weaponize Legitimate Services to Steal Your Microsoft 365 Credentials
Published: August 1, 2025

In the ever-evolving world of cyber threats, attackers are constantly finding new and sophisticated ways to bypass our defenses. The latest revelation from cybersecurity researchers exposes a particularly cunning phishing campaign that cleverly abuses legitimate link wrapping services from Proofpoint and Intermedia to steal Microsoft 365 login credentials.

The Illusion of Security: Link Wrapping Turned Against You

Link wrapping, as offered by vendors like Proofpoint, is designed to be a protective measure. It works by routing all clicked URLs through a scanning service, aiming to block known malicious destinations at the moment of click. While effective against identified threats, this system can be exploited if the wrapped link hasn't yet been flagged as malicious by the scanner.

The alarming aspect of this new tactic is that it leverages legitimate features and trusted tools to perform malicious actions. Threat actors are gaining unauthorized access to email accounts within organizations that already use link wrapping. This means that any malicious URL sent from such a compromised account is automatically rewritten with the vendor's wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=). This subtle alteration makes the link appear legitimate, significantly increasing the chances of a successful attack.

The Double Deception: Multi-Tiered Redirect Abuse

Cloudflare Email Security has shed light on a particularly insidious aspect: "multi-tiered redirect abuse." This involves attackers first cloaking their malicious links using a URL shortening service like Bitly. Then, they send this shortened link in an email via a Proofpoint-secured account, causing it to be obscured a second time by the link wrapping service.
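As an added example (not part of the original article), the following Python unwraps Proofpoint URL Defense v2 links of the kind described above and flags the case where the decoded destination is itself a URL shortener such as Bitly, i.e. the two-layer redirect chain. The shortener list, the sample message, and the v2 decoding rule used here ('-' standing for '%', '_' for '/') are assumptions of this example rather than details stated in the article.

```python
"""Unwrap Proofpoint URL Defense v2 links and flag a shortener hidden behind the wrapper."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: hosts treated as URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def unwrap_urldefense_v2(url: str) -> Optional[str]:
    """Return the destination inside a urldefense v2 link, or None if `url` is not one."""
    # Assumption: the v2 'u=' value uses the commonly documented encoding in which
    # '-' stands for '%' and '_' for '/', followed by ordinary percent-decoding.
    parsed = urlparse(url)
    if parsed.netloc.lower() != "urldefense.proofpoint.com" or not parsed.path.startswith("/v2/url"):
        return None
    u = parse_qs(parsed.query).get("u")
    if not u:
        return None
    return unquote(u[0].replace("-", "%").replace("_", "/"))

def classify_link(url: str) -> dict:
    """Peel the wrapper (if any) and report whether the chain is wrapper -> shortener."""
    chain = [url]
    inner = unwrap_urldefense_v2(url)
    if inner is not None:
        chain.append(inner)
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "wrapped": inner is not None,
        "chain": chain,
        "final_host": final_host,
        # The pattern from the article: a trusted wrapper whose decoded target is another redirector.
        "nested_shortener": inner is not None and final_host in SHORTENER_HOSTS,
    }

def flag_nested_redirects(text: str) -> list:
    """Classify every link in `text` and keep those matching the nested-shortener pattern."""
    return [c for c in map(classify_link, URL_RE.findall(text)) if c["nested_shortener"]]

# Constructed sample message; the wrapped URLs are illustrative, not from a real campaign.
SAMPLE_EMAIL = """You have a new voicemail. Listen here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmpl3
Shared document: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.example.com_share-3Fid-3D42
"""

if __name__ == "__main__":
    for hit in flag_nested_redirects(SAMPLE_EMAIL):
        print("nested redirect:", " -> ".join(hit["chain"]))
```

Only the voicemail link is reported, because the document-share link unwraps to an ordinary host; in a mail gateway the same check would run on every rewritten URL before delivery.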

Imagine the journey of that link:

Bitly Shortening: The original malicious link is shortened by Bitly.

Proofpoint Wrapping: The Bitly link is then wrapped by Proofpoint's URL Defense.

This creates a deceptive redirection chain, where the URL passes through two layers of obfuscation before finally leading the unsuspecting victim to a Microsoft 365 phishing page.

Common Lures: Voicemails, Teams Notifications, and More

The phishing messages observed in these attacks are designed to be highly convincing:

Voicemail Notifications: Emails masquerading as voicemail notifications, urging recipients to click a link to listen to messages.

Microsoft Teams Document Shares: Emails notifying users of a supposed document received on Microsoft Teams, tricking them into clicking booby-trapped hyperlinks.

Unread Teams Messages: Impersonating Teams, these emails claim unread messages and prompt users to click a "Reply in Teams" button.

In all these scenarios, the ultimate goal is the same: redirecting victims to a bogus Microsoft 365 login page to capture their credentials.

Beyond Link Wrapping: The Evolving Threat Landscape

This sophisticated abuse of link wrapping isn't an isolated incident. The cybersecurity landscape is witnessing a surge in other innovative phishing techniques:

SVG File Weaponization: Attackers are weaponizing Scalable Vector Graphics (SVG) files to bypass traditional anti-spam and anti-phishing protections. Unlike JPEG or PNG, SVG files are XML-based and can contain JavaScript and HTML code, allowing for the embedding of malicious code within seemingly harmless files.

Fake Zoom Meeting Traps: Phishing campaigns are also embedding fake Zoom videoconferencing links. Clicking these links triggers a redirection chain to a fake meeting interface, followed by a "meeting connection timed out" message. Victims are then prompted to enter their credentials to "rejoin"; the submitted login details, along with the victim's IP address, country, and region, are exfiltrated to the threat actor via Telegram.

Stay Vigilant, Stay Secure

The continued ingenuity of threat actors underscores the critical need for constant vigilance. While security solutions are vital, user awareness remains a powerful defense.

What you can do:

Be Skeptical: Always scrutinize emails, even if they appear to come from trusted sources or internal departments.

Hover Before You Click: Before clicking any link, hover your mouse over it to reveal the true destination. Be wary of unexpected redirects. Keep in mind that a wrapped link shows the vendor's rewriting domain rather than the final destination, so a familiar-looking wrapper is not proof that the link is safe.

Verify Independently: If an email asks you to log in to a service, open your browser and navigate directly to the official website instead of clicking a link in the email.

Report Suspicious Activity: If something feels off, report it to your IT security team immediately.

Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it significantly harder for attackers to access your accounts even if they steal your credentials.

These multi-layered redirect tactics are designed to exploit trust and bypass existing defenses. By understanding these threats and practicing good cyber hygiene, we can all contribute to a more secure digital environment.