
Attackers exploit link-wrapping services to steal Microsoft 365 logins


A threat actor has been abusing link-wrapping services from reputable technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials.

The attacker exploited the URL security feature from cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns from June through July.

Some email security services include a link wrapping feature that rewrites the URLs in the message to a trusted domain and passes them through a scanning server designed to block malicious destinations.

Legitimizing phishing URLs

Cloudflare’s Email Security team discovered that the adversary legitimized the malicious URLs after compromising Proofpoint- and Intermedia-protected email accounts, and likely used their unauthorized access to distribute the “laundered” links.

“Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” the researchers said.

“The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping” - Cloudflare Email Security

The threat actor added an obfuscation layer by first shortening the malicious link before sending it from a protected account, which automatically wrapped the link.

The researchers say that the attacker lured victims with fake notifications for voicemail or shared Microsoft Teams documents. At the end of the redirect chain was a Microsoft Office 365 phishing page that collected credentials.
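A defender-side check for the shorten-then-wrap pattern described above, as an added example that is not from the article or from Cloudflare's report: it decodes Proofpoint URL Defense v2 wrapped links and flags those whose original destination is a URL shortener. The wrapper hostname, the v2 encoding handling, the shortener list and the sample URLs are assumptions or constructed for this example; other wrapper formats are not handled.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: small, non-exhaustive shortener list chosen for this example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rebrand.ly"}
# Assumption: hostname used by Proofpoint URL Defense v2 wrapped links.
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}

# Constructed sample links (not taken from the campaign).
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE-2Dvm&d=constructed",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_docs_report.pdf&d=constructed",
    "https://example.org/not-wrapped",
]


def unwrap_v2(url):
    """Return the original URL inside a URL Defense v2 link, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WRAPPER_HOSTS:
        return None
    if not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 writes "/" as "_" and "%XX" as "-XX"; reverse both, then percent-decode.
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def triage(urls):
    """Flag wrapped links whose inner destination is a known shortener."""
    findings = []
    for url in urls:
        inner = unwrap_v2(url)
        if inner is None:
            continue  # not a v2 wrapped link; out of scope for this check
        host = (urlsplit(inner).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append({"wrapped": url, "inner": inner,
                             "reason": "wrapped link points to a URL shortener"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINKS):
        print(finding["reason"], "->", finding["inner"])
```

A hit is a signal for review rather than a verdict, since a trusted wrapper domain in front of a shortener hides the final destination from both the recipient and simple domain-reputation filters.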

Microsoft 365 phishing delivered by exploiting link-wrapping feature
