Attackers are using legitimate email security features to hide phishing links that steal Microsoft 365 login details.
Between June and July 2025, a threat actor exploited link-wrapping services from cybersecurity firm Proofpoint and cloud communications company Intermedia to deliver phishing emails. These services are designed to rewrite URLs and scan them for malicious content, but attackers turned the protection feature into a delivery method for credential theft.
By wrapping phishing links with trusted domains, the threat actor successfully bypassed detection and redirected users to fake Microsoft 365 login pages designed to harvest credentials.
According to Bleeping Computer, attackers initially compromised Proofpoint- and Intermedia-protected email accounts. From there, they sent phishing messages containing “laundered” URLs. In some cases, the attacker first shortened the phishing link, then sent it through the compromised accounts, triggering the automatic link-wrapping by the security services.
Victims received emails that appeared to be secure messages or Teams notifications. These emails included wrapped links that redirected to phishing pages hosted on platforms like Constant Contact. Clicking the link would take the user through a series of redirects, ultimately ending at a fake Microsoft 365 login screen.
The abuse of Intermedia’s system included impersonations of Zix secure message alerts and fake Microsoft Teams messages claiming a new notification.
Bleeping Computer noted that the attacker’s tactics included layering multiple redirection steps and abusing legitimate link-wrapping services to make phishing attempts more convincing. “Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse,” the researchers said. Intermedia’s service was also compromised to distribute these links under the guise of secure email communications.
According to The Hacker News, “By cloaking malicious destinations with legitimate URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack.” Attackers used multi-step redirects and compromised accounts to send phishing emails that appeared safe, leading victims to fake Microsoft 365 login pages. The method takes advantage of security tools designed to protect users, making detection more difficult and increasing the success rate of credential theft.
Link-wrapping rewrites URLs in incoming emails to point to a secure domain that scans the destination for threats. It’s used to protect users from malicious links.
The attacker first compromised email accounts protected by Proofpoint and Intermedia, then used those accounts to send shortened phishing links that were automatically wrapped, making them appear safe.
Constant Contact wasn’t compromised. The attackers hosted their phishing pages on the platform, using its reputation to further mask the fake Microsoft login pages.
Traditional phishing relies on suspicious links or domains. This method hides phishing links behind trusted security services, making detection by users and email filters more difficult.
Security teams should implement behavioral monitoring, educate users on unexpected secure message requests, and closely monitor accounts for suspicious forwarding or login activity even from trusted domains.
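One way to support that monitoring, as an added example that is not code from the article, Proofpoint or Intermedia: it unwraps Proofpoint URL Defense links (v2, and v3 links with no substituted bytes) found in mail logs and flags any wrapped link whose inner destination is a URL shortener, the "shorten, then wrap" pattern described above. The shortener list, function names and sample URLs are assumptions constructed for illustration; Intermedia-wrapped links are not decoded here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: illustrative shortener list; extend it from your own mail flow.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
WRAP_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}
V3_RE = re.compile(r"/v3/__(?P<url>.+?)__;(?P<enc>.*?)!")
V2_TABLE = str.maketrans("-_", "%/")  # v2 writes "%XX" as "-XX" and "/" as "_"

def unwrap(url):
    """Return the destination inside a Proofpoint URL Defense link, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WRAP_HOSTS:
        return None
    if parts.path.startswith("/v2/"):
        u = parse_qs(parts.query).get("u", [""])[0]
        return unquote(u.translate(V2_TABLE)) or None
    m = V3_RE.search(url)
    # v3 keeps the URL literal when the encoded-bytes field is empty;
    # links with substituted bytes are left for manual review (None).
    return m.group("url") if m and not m.group("enc") else None

def triage(url, max_depth=5):
    """Peel wrappers (bounded) and flag a wrapped link that lands on a shortener."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = unwrap(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    flagged = len(chain) > 1 and final_host in SHORTENERS
    return {"final_host": final_host, "depth": len(chain) - 1, "flagged": flagged}

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xYzAbC&d=X&c=Y",
    "https://urldefense.com/v3/__https://tinyurl.com/abc123__;!!CONSTRUCTED!tok$",
    "https://urldefense.com/v3/__https://intranet.example.com/wiki__;!!CONSTRUCTED!tok$",
    "https://bit.ly/3xYzAbC",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

A flagged result is a lead for review rather than a verdict: the shortener's own destination still has to be resolved in a sandbox or through the shortener's preview feature.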