Cloudflare Email Security researchers have identified a sophisticated cybercriminal campaign operating between June and July 2025 that exploits legitimate link wrapping services from Proofpoint and Intermedia to bypass email security defenses.
The attackers leverage these trusted security tools to cloak malicious URLs, significantly increasing the likelihood of successful phishing attacks by exploiting user trust in established security vendors.
Attack Methodology and Technical Details
The campaign centers on compromising email accounts already protected by Proofpoint or Intermedia link wrapping services.
Attackers use these compromised accounts to “launder” malicious URLs through legitimate link wrapping infrastructure, creating a false sense of security for recipients.
The technique transforms suspicious links into trusted domains like urldefense.proofpoint.com and url.emailprotection.link, making them appear legitimate to both security systems and end users.
An exceptionally sophisticated variant employs multi-tiered redirect abuse, where attackers first shorten malicious URLs using public services like Bitly, then send them through Proofpoint-protected accounts.
This creates a complex redirect chain: URL shortener → Proofpoint wrap → final phishing destination. Each layer adds obfuscation, making detection significantly more challenging for traditional security measures.
The attackers demonstrate technical sophistication by understanding how link wrapping services operate.
Proofpoint’s system, for example, routes clicked URLs through scanning services to block known malicious destinations at click-time.
However, this protection fails when wrapped links haven’t been flagged by scanners, creating a critical vulnerability window that cybercriminals exploit.
Campaign Examples and Impact
Security researchers documented multiple campaign variants, including fake voicemail notifications and Microsoft Teams document sharing lures.
In one example, a seemingly legitimate voicemail notification contained a “Listen to Voicemail” button linking to a complex URL chain that ultimately redirected victims to Microsoft Office 365 credential harvesting pages.
Similarly, Intermedia-protected organizations experienced attacks where compromised internal accounts sent phishing emails with automatically wrapped malicious links.
These campaigns frequently impersonated Microsoft services, including fake Zix Secure Message notifications and Teams document sharing attempts.
The financial and operational impact is substantial. Email-based fraud resulted in $502 million in aggregate losses in 2024, with 11% of email fraud reports leading to economic harm.
The technique’s effectiveness stems from exploiting user trust in security tools, potentially increasing click-through rates significantly compared to unwrapped phishing links.
Detection and Mitigation Efforts
Conventional reputation-based URL filtering proves ineffective against these attacks since they abuse trusted security vendor domains.
Cloudflare has developed specialized detection rules leveraging machine learning models trained on historical campaign data and link-wrapping URL patterns.
These include detection fingerprints like SentimentCM.HR.Self_Send.Link_Wrapper.URL and SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment specifically designed to identify wrapped link abuse.
Organizations must implement advanced behavioral analysis and user training programs that emphasize verifying sender authenticity, regardless of link appearance, to effectively counter these sophisticated social engineering techniques.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
