Attackers Use Proofpoint and Intermedia Link Wrapping to Hide Malicious URLs – Source: www.techrepublic.com

Source: www.techrepublic.com – Author: Megan Crouse

Threat actors exploited Proofpoint and Intermedia link-wrapping services in phishing campaigns during June and July, according to a July 30, 2025, report by the Cloudflare Email Security team.

Link wrapping is a security feature used by Proofpoint and other vendors to scan and rewrite URLs for safety when users click them. However, attackers manipulated these protections to redirect users to credential-stealing Microsoft Office 365 pages.

Link wrapping attackers run malicious URLs through legitimate services

In order to carry out the attack, threat actors need to gain control of accounts already using link wrapping — in this case, link wrapping services from Proofpoint. Cloudflare observed that attackers used compromised accounts with active link wrapping to “launder” or disguise phishing URLs. They often used URL shorteners such as Bitly, creating a direct chain that Cloudflare described as “URL shortener → Proofpoint wrap → phish landing page.”

One such campaign delivered links in emails, disguising them as voicemail notifications. The ‘listen to voicemail’ link held the wrapped URL. The Proofpoint wrapped link ultimately led to a Microsoft Office 365 phishing page showing falsified service health alerts to trick users into entering credentials.

Another phishing campaign used compromised Intermedia-protected accounts to distribute emails that contained similarly disguised links. These malicious links wrapped in Intermedia protection functioned in a similar way. In this case, the threat actor compromised an account within an Intermedia-protected organization and sent links from there. Some of these emails disguised themselves as secure message notifications from a service called Zix, shared Word documents, or Microsoft Teams message notifications.

Proofpoint is aware of the abuse of link redirects, the company said in an email to TechRepublic.

“Proofpoint has observed threat actors use this technique and abuse multiple security vendor URLs including Sophos and Cisco,” Proofpoint threat researchers said in a prepared statement.

In addition, Proofpoint clarified that its behavioral AI detection engine can find and discard messages used in phishing campaigns.

“Whenever threat actors choose to use a re-written URL from any security service, including Proofpoint, it means that as soon as the security service blocks the final URL, the entire attack chain will be blocked for every recipient of the campaign, whether the recipient was a customer of the security service or not,” the researchers said.

How to protect against link wrapping attacks

For security personnel, Cloudflare Email Security wrote two detections for this technique:

  • SentimentCM.HR.Self_Send.Link_Wrapper.URL.
  • SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment.

They also published indicators of compromise (IOCs) and email detection fingerprints to assist security teams in proactively identifying this technique.
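For triage of the "URL shortener → Proofpoint wrap → phish landing page" chain, the sketch below is an added example, not code from Cloudflare, Proofpoint, or the article. It assumes the wrap encloses the shortened link and uses Proofpoint's URL Defense v2 link format; the shortener list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions (not from the article): the v2 wrapper host/path and a small,
# illustrative shortener list. Extend both for your environment.
WRAP_HOST = "urldefense.proofpoint.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def unwrap_v2(url):
    """Return the original URL inside a URL Defense v2 link, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "") != WRAP_HOST or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: '_' stands for '/', and '-XX' stands for the escape '%XX'.
    return unquote(encoded.translate(str.maketrans("-_", "%/")))

def triage(url):
    """Classify one link extracted from an inbound message."""
    inner = unwrap_v2(url)
    if inner is None:
        return {"wrapped": False, "target": url, "flag": None}
    host = (urlsplit(inner).hostname or "").lower()
    # A shortener inside a wrap means the final destination is still hidden:
    # the wrap only vouches for the shortener, not the landing page.
    flag = "wrapped-shortener" if host in SHORTENERS else None
    return {"wrapped": True, "target": inner, "flag": flag}

# Constructed sample links (not real campaign URLs).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE1&d=DwMFaQ",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_hr_policy.pdf&d=DwMFaQ",
    "https://www.example.org/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage(link))
```

Links flagged `wrapped-shortener` are candidates for resolution in a sandbox or for correlation with the published IOCs; the flag alone is not proof of phishing.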

For organizations and employees, the report emphasized vigilance. Do not click on links received from an unknown sender, and be aware of the normal pace and patterns of communications such as Teams messages from coworkers. Messages that deviate from these patterns and sources may contain infected links or lead to sites designed to steal credentials, breach systems, or drain bank and crypto accounts.

In 2024, 11% of fraud reports submitted to the US Federal Trade Commission were email scams resulting in financial loss.

This article was updated with a statement from Proofpoint. 

Original Post URL: https://www.techrepublic.com/article/news-proofpoint-link-wrapping-phishing/

Category & Tags: Microsoft, News, Security, Software
