Hackers are stealing Microsoft 365 accounts by abusing link-wrapping services
- Crooks are using link wrapping services to entice victims into clicking
- The links redirect the victims to a fake Microsoft 365 landing page
- The campaign has been going on for at least two months
Cybercriminals are abusing Proofpoint’s and Intermedia’s “link wrapping” services to bypass email protections, create convincing phishing emails, and ultimately steal people’s Microsoft 365 credentials. This is according to cybersecurity researchers from Cloudflare, who have been observing such campaigns in the wild for at least two months.
Proofpoint’s link‑wrapping service, known as URL Defense, protects users by rewriting every inbound email link to route through Proofpoint’s inspection gateway before it reaches the actual recipient. When a person clicks a link in an email, the link is evaluated in real time (including sandbox detonation and reputation checks), and the person is only granted access if the link is deemed safe.
But here’s the catch: all original URLs are embedded within the encoded rewritten link (usually prefixed with “urldefense.proofpoint.com”), which, as a side effect, creates a sense of security among recipients, making it more likely they will actually click it.
Active campaign
Cybercriminals were seen creating brand new landing pages that mimic the Microsoft 365 login screen, and as such, are not yet flagged by security products. They would then shorten the URLs to those pages using popular URL shorteners such as Bitly. The next step is to break into email accounts already protected by Proofpoint, and use them to wrap the shortened URL.
The final step is to distribute the shortened and wrapped URL, often through the very same email accounts that were compromised earlier.
Cloudflare says it’s seen multiple attacks already, with crooks sending fake voice mail notification emails, and fake shared Microsoft Teams documents. Victims who don’t spot the attack go through a chain of redirects, landing at a page where they’re asked for their Microsoft 365 login credentials.
As a rule of thumb, links in emails should be carefully reviewed before being clicked, especially if the emails carry any sense of urgency with them.
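For defenders who want to review such links programmatically, the following added example (not code from Cloudflare, Proofpoint or the original article) recovers the destination embedded in a wrapped link and flags the pattern described above, a URL shortener hidden inside the wrapper. It assumes the link uses URL Defense's v2 encoding; the shortener list beyond Bitly, the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Illustrative shortener list (assumption); the article names only Bitly.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def unwrap_urldefense_v2(url):
    """Return the original URL embedded in a URL Defense v2 link, else None."""
    parts = urlparse(url)
    if parts.hostname != "urldefense.proofpoint.com":
        return None
    if not parts.path.startswith("/v2/"):
        return None  # other wrapper versions are out of scope here
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: "-XX" is a hex-escaped byte and "_" stands for "/".
    return unquote(encoded.replace("-", "%").replace("_", "/"))

def triage(url):
    """Describe a link: is it wrapped, where does it go, what looks odd."""
    inner = unwrap_urldefense_v2(url)
    if inner is None:
        return {"wrapped": False, "destination": url, "flags": []}
    host = urlparse(inner).hostname or ""
    flags = []
    if host in SHORTENERS:
        # The wrapper vouches for the shortener, not for the final page.
        flags.append("shortener-inside-wrapper")
    return {"wrapped": True, "destination": inner, "flags": flags}

# Constructed sample links; none of these come from the campaign.
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmPlE&d=DwMFaQ",
    "https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__intranet.example.com_docs_q3-2Dreport&d=DwMFaQ",
    "https://www.example.org/page",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage(link))
```

A flagged link still needs its shortener resolved in an isolated environment before the real landing page is known.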