Hackers are finding new ways to steal Microsoft 365 login credentials by turning trusted security features into attack methods. Recent research from Cloudflare and Proofpoint shows that cybercriminals are abusing link‑wrapping services—commonly used by email security platforms like Proofpoint and Intermedia—to disguise malicious URLs. These phishing campaigns leverage multi‑tiered redirects and fake Microsoft 365 pages, tricking users into revealing their credentials while bypassing traditional security checks.

How Hackers Abuse Link-Wrapping to Steal Microsoft 365 Credentials
Many enterprise email security platforms, such as Proofpoint and Intermedia, offer link wrapping to protect users. This feature rewrites every URL in an email with a trusted domain and passes it through a scanning server. Its purpose is to block access to known malicious destinations at the time of click.
However, attackers have found a loophole. By gaining access to email accounts already protected by link wrapping, they can send phishing links that appear safe to recipients. Because the URL is wrapped by a trusted domain, users are more likely to click without suspicion.
Multi-Tiered Redirect Abuse
A key element of this attack is multi-tiered redirection:
- Initial Link Shortening: Hackers shorten the original malicious link using services like Bitly.
- Email Distribution from Compromised Accounts: They send the shortened link via a Proofpoint or Intermedia-secured account, which automatically wraps the link again.
- Redirection Chain: Users who click the link pass through multiple “safe-looking” redirects before landing on a fake Microsoft 365 login page designed to harvest credentials.
This multi-layered obfuscation significantly increases the likelihood of a successful phishing attempt, as most users do not inspect the full redirect path. Security analysts note that blocking the final malicious URL in the chain can neutralize the entire attack sequence for all recipients.
Common Phishing Lures
Attackers craft their emails to mimic legitimate Microsoft 365 communications, making the phishing attempt more convincing. Some observed lures include:
- Voicemail Notifications: Messages claim a new voicemail is waiting, prompting users to click a link to listen.
- Fake Microsoft Teams Messages: Emails notify recipients of unread messages or shared documents.
- “Secure Message” Alerts: Impersonating services like Zix or Constant Contact, leading to a phishing page disguised as a secure document portal.
Some campaigns also impersonate Zoom meeting invitations, where victims see a fake “meeting timed out” page before being redirected to a phishing portal.
Advanced Techniques: Bypassing MFA
Some campaigns go beyond basic phishing. Proofpoint researchers have reported attackers using Attacker-in-the-Middle (AiTM) toolkits:
- These toolkits intercept security tokens in real time.
- They allow hackers to bypass Multi-Factor Authentication (MFA), which many organizations rely on as a key defense.
- Once credentials and tokens are captured, attackers can access mailboxes and cloud services undetected.
In several cases, stolen credentials, IP addresses, and geolocation data were exfiltrated via Telegram, giving attackers real-time access to sensitive accounts.
New Microsoft 365 Phishing Tactics
This technique is not limited to Proofpoint or Intermedia. Other email security providers like Cisco and Sophos have also seen attackers exploit their URL rewrite and redirect features.
Attackers have also been observed using SVG‑based phishing emails. Unlike JPEG or PNG files, SVG files can contain embedded JavaScript and links. This allows attackers to hide multi‑stage redirects or malware payloads inside what appears to be an innocuous image.
Best Strategies to Stop Microsoft 365 Login Credential Theft
Organizations can take several proactive steps to defend against these link-wrapping phishing campaigns:
- Implement FIDO-Based Security Keys: Hardware-based keys are less susceptible to AiTM token theft.
- Enable Conditional Access Policies: Limit logins by location, device type, or risk profile.
- Educate Employees on Phishing Patterns: Training users to recognize redirect chains and suspicious prompts reduces risk.
- Monitor for Compromised Accounts: Even a single breached mailbox can trigger internal phishing waves.
- Use Advanced Behavioral AI Detection: Many email security platforms now analyze click behavior and URL patterns to detect abnormal activity.
- Inspect Non-Standard Attachments: Monitor SVG and other script-capable file types for hidden payloads.
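A sketch of the SVG inspection recommended above, flagging the script-capable features that set SVG apart from JPEG or PNG. This is an added example, not code from Cloudflare, Proofpoint or any vendor named here; the function names, the finding labels and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an "image" that carries script, an event handler and a link.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>window.location = "https://phish.example/login";</script>
  <a xlink:href="https://short.example/abc"><rect width="10" height="10"/></a>
  <rect width="5" height="5" fill="#fff"/>
</svg>"""

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", "src"}


def local(name):
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return sorted (kind, detail) findings for active content in SVG text."""
    # Refuse DTDs up front: the stdlib parser is not hardened against
    # entity-expansion tricks, and a mail-borne image has no need for one.
    if "<!DOCTYPE" in data.upper() or "<!ENTITY" in data.upper():
        return [("doctype", "DTD or entity declaration present")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("malformed", str(exc))]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(("active-element", tag))
        for name, value in el.attrib.items():
            attr = local(name)
            val = "".join(value.split())  # drop whitespace used to split schemes
            scheme = val.split(":", 1)[0].lower() if ":" in val else ""
            if attr.startswith("on"):
                findings.add(("event-handler", f"{tag}@{attr}"))
            elif attr in LINK_ATTRS and scheme in ("javascript", "data"):
                findings.add(("script-url", f"{tag}@{attr}"))
            elif attr in LINK_ATTRS and (scheme in ("http", "https") or val.startswith("//")):
                findings.add(("external-link", val))
    return sorted(findings)
```

Findings are triage signals for quarantine or analyst review, not verdicts: a legitimate SVG may contain an external link, but one arriving by email with a script element or event handler deserves a closer look.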
The abuse of trusted email security features shows how phishing techniques have evolved, enabling attackers to bypass protections like multi‑factor authentication. Staying ahead requires layered defenses and user awareness, as even trusted tools can be turned against organizations.