Threat spotlight - July 30, 2025
From June 2025 through July 2025, the Cloudflare Email Security team has been tracking a cluster of cybercriminal threat activity leveraging Proofpoint and Intermedia link wrapping to mask phishing payloads, exploiting human trust and detection delays to bypass defenses.
Link wrapping is designed by vendors like Proofpoint to protect users by routing every clicked URL through a scanning service, so that known malicious destinations can be blocked at the moment of click. For example, an email link to http://malicioussite[.]com might become https://urldefense[.]proofpoint[.]com/v2/url?u=http-3A__malicioussite[.]com, where the original URL is carried in the u parameter with ":" encoded as -3A and "/" as "_". This is effective against known threats, but the verdict is only as good as the scanner's knowledge at click time: if the destination has not yet been flagged, or the scanner stops at an intermediate hop, the click goes through.
Recent campaigns observed by the Cloudflare Email Security team reveal how attackers are abusing Proofpoint’s and Intermedia’s link wrapping features to bypass detection and redirect victims to a variety of Microsoft Office 365 phishing pages. This technique is particularly dangerous as victims are much more likely to click on a ‘trusted’ Proofpoint or Intermedia URL than an unwrapped phishing link.
Proofpoint link wrapping abuse is centered around gaining unauthorized access to Proofpoint-protected email accounts (i.e., accounts whose mail already passes through Proofpoint URL wrapping). The attacker likely uses these accounts to "launder" malicious URLs through Proofpoint's link wrapping and then distributes the resulting legitimate-looking links in phishing campaigns, either directly from the Proofpoint-protected account or via another compromised or actor-controlled account.
Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts. With this technique, attackers first shorten the malicious link using a public URL shortener such as Bitly. When the shortened link is sent through a Proofpoint-protected account, Proofpoint wraps it, producing a redirect chain in which each hop adds a layer of obfuscation: URL shortener → Proofpoint wrap → phish landing page. The wrapper only ever records the shortener as the destination, the landing page is one redirect further away, and with an attacker-controlled or editable shortener the final destination can be changed after the message has been delivered.
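The following Python is an added example, not code from Cloudflare or Proofpoint, covering both the wrapped-link format described above and the shortener-first redirect chain. It decodes URL Defense v2 links with the same substitution that Proofpoint's published decoder script uses for v2 (map "-" to "%", "_" to "/", then percent-decode), and flags a wrapped link whose unwrapped destination is a public shortener. The shortener list, the sample message body, and the host names in it are constructed for this example; the Intermedia url[.]emailprotection[.]link format is not documented here and is not decoded.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Public URL shorteners seen as the first hop of the chain. Illustrative
# list (an assumption for this example); a real deployment would use a
# maintained feed. s7ku6.lu is the shortener host quoted in the Teams lure.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "s7ku6.lu"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(text: str) -> str:
    """Undo the defanging used in this write-up ([.] and hxxp)."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def unwrap_proofpoint_v2(url: str) -> Optional[str]:
    """Recover the original URL from a Proofpoint URL Defense v2 link.

    v2 puts the target in the ``u`` query parameter with ``/`` written as
    ``_`` and every other reserved byte as ``-XX`` (``:`` -> ``-3A``,
    ``-`` -> ``-2D``, ``_`` -> ``-5F``). Mapping ``-`` to ``%`` and ``_``
    to ``/`` and then percent-decoding reverses that; Proofpoint's published
    decoder script does the same for v2. Anything else (including v3 links
    on urldefense.com, which use a different encoding) yields None.
    """
    p = urlparse(url)
    if p.netloc.lower() != "urldefense.proofpoint.com" or not p.path.startswith("/v2/url"):
        return None
    u = parse_qs(p.query).get("u")
    if not u:
        return None
    return unquote(u[0].replace("-", "%").replace("_", "/"))


def describe_link(url: str) -> dict:
    """Unwrap one link and say whether it matches the shortener-first chain."""
    inner = unwrap_proofpoint_v2(url)
    destination = inner if inner is not None else url
    host = urlparse(destination).netloc.lower()
    return {
        "url": url,
        "wrapped": inner is not None,
        "destination": destination,
        "destination_host": host,
        # shortener -> Proofpoint wrap -> landing page: the wrapper only ever
        # saw the shortener, so the landing page is one redirect further away.
        "suspicious_chain": inner is not None and host in SHORTENER_HOSTS,
    }


def scan_body(body: str) -> list:
    """Describe every URL in a (possibly defanged) message body."""
    return [describe_link(u) for u in URL_RE.findall(refang(body))]


# Constructed sample body modelled on the voicemail lure above; the wrapped
# links, the intranet host and the lookalike login host are made up.
SAMPLE_BODY = """Listen to Voicemail:
https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abcDEF&d=DwMFaQ&c=c1&r=r1&m=m1&s=s1&e=
HR policy: https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.victim.example_hr_policy-2D2025.pdf&d=DwMFaQ
Direct: https://login-portal.victim-lookalike.example/login
"""

if __name__ == "__main__":
    for r in scan_body(SAMPLE_BODY):
        print(f"wrapped={r['wrapped']!s:5} chain={r['suspicious_chain']!s:5} -> {r['destination']}")
```

Unwrapping is the cheap part; the point of the chain is that the wrapper's scan saw only the shortener, so a gateway that wants a real verdict has to resolve the shortener (and any further redirects) itself rather than trusting the urldefense host.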
Below is an example phishing message leveraging this technique. The email presents as a voicemail notification, prompting the recipient to click the hyperlinked button:
Phishing email posing as a voicemail notification containing a wrapped link
The hyperlink behind the “Listen to Voicemail” button points to a shortened URL:
This URL leads to a Proofpoint wrapped link, which in turn results in a series of redirects to a Microsoft Office 365 phishing page designed to capture credentials:
A Microsoft phishing page designed to harvest credentials
Another common campaign leveraging this technique includes a fake shared Microsoft Teams document:
Phishing email posing as a Microsoft Teams Document
Again, the hyperlink behind the “Access Teams Document” button points to a shortened URL:
https://s7ku6[.]lu/lnk/AVoAAHBNPHAAAc6tFoQAA-YEUe0AAYKJ…
This URL leads to a Proofpoint wrapped link:
https://urldefense[.]proofpoint[.]com/v2/url?u=http-3A_scra..
Which in turn results in a series of redirects to the final phish landing page:
https://scratchpaperjournal[.]com
The wrapped links in this case have since been disabled and the payload links are no longer available. Given the similarities to the other examples and the consistent use of Microsoft impersonation, the Cloudflare Email Security team assesses that the payload was most likely a Microsoft phishing page.
The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping. Below is an example of a phishing message in which the attacker compromised an email account within an Intermedia-protected organization and used it to send phishing emails containing malicious links. Because the emails were sent from within the organization, Intermedia automatically rewrote the links as they passed through its infrastructure.
The email purports to be a ‘Zix’ Secure Message notification with a ‘View Secure Document’ lure:
Phishing email containing wrapped link sent via compromised account
The hyperlink in the ‘View Secure Document’ button is an Intermedia-wrapped URL:
The url[.]emailprotection[.]link URL then redirects to a Constant Contact page, where the actual phishing page was staged:
Constant Contact redirect from url[.]emailprotection[.]link
Another common campaign leveraging this technique includes a fake shared Word document:
Phishing email with a link to a fake shared Word document
The hyperlink in the ‘Go to file’ button is again an Intermedia-wrapped URL:
This link redirects to a Microsoft phishing page designed to harvest credentials:
Microsoft phishing page designed to harvest credentials
Another clever use of this technique involved the impersonation of Microsoft Teams:
Phishing email with a link to a fake Teams message
The hyperlink in the ‘Reply in Teams’ button is the following wrapped link:
Again, this link redirects to a Microsoft phishing page designed to capture credentials:
Microsoft phishing page designed to harvest credentials
By cloaking malicious destinations behind legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection[.]link URLs, these campaigns significantly increase the likelihood of a successful attack. Attackers exploit the trust users place in these security tools, which can lead to higher click-through rates and a greater probability of impacts such as:
Direct financial loss: By making fraudulent links appear legitimate, attackers lower user suspicion at the critical moment of click-time, making direct financial loss more likely. In 2024, email was the method of contact for 25% of fraud reports. Of these, 11% resulted in financial loss, amounting to an aggregate loss of $502 million and a median loss of $600 per incident.
Compromise of personal accounts leading to identity theft: Link wrapping could serve as a highly reliable method for harvesting personal data. Phishing campaigns are a primary method for attackers to obtain personal information, contributing to 1.1 million identity theft reports in 2024, with credit card fraud and government benefits fraud being top categories.
Significant time burden for victims: Victims of identity theft, often initiated through phishing, face substantial time burdens, with tax-related cases averaging over 22 months (676 days) for resolution in Fiscal Year 2024.
Phishing as leading breach method: Comcast research shows 67% of all breaches start with someone clicking on a seemingly safe link.
Credential theft via phishing: The 300% spike in credential theft incidents observed by Picus Security in 2024 may be fueled in part by more effective phishing techniques such as link wrapping abuse.
Because this campaign abuses the trusted domains of security providers, conventional reputation-based URL filtering alone is ineffective: the wrapper domain is legitimate and cannot simply be blocked, so a verdict has to come from unwrapping the link, following the redirect chain to the real destination, and weighing message-level signals. The following detections were written by Cloudflare Email Security to protect against phishing campaigns leveraging the link wrapping techniques described. They leverage a variety of signals based on historical campaign data, and incorporate machine learning models trained on messages containing link wrapping URLs.
SentimentCM.HR.Self_Send.Link_Wrapper.URL
SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment
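As an added illustration of the message-level signals such detections combine (this is not Cloudflare's detection logic, and the reading of the rule names as "sender equals recipient" plus "lure-themed subject" is my assumption), the Python below parses constructed RFC 5322 messages, looks for urldefense[.]proofpoint[.]com or url[.]emailprotection[.]link links in the body, and turns self-send, a lure-themed subject, and the presence of a wrapped link into a verdict. The sample messages, addresses and the url.emailprotection.link path are made up for this example.

```python
import email
import re
from email import policy

# Link-wrapping hosts discussed in this write-up.
WRAPPED_LINK_RE = re.compile(
    r"https?://(?:urldefense\.proofpoint\.com|url\.emailprotection\.link)/[^\s\"'<>]+",
    re.IGNORECASE,
)
# Subject themes seen in the campaigns above: voicemail, Teams, Zix secure
# message, shared document. Illustrative list, not Cloudflare's.
LURE_RE = re.compile(
    r"voice ?mail|teams|secure (?:message|document)|shared (?:a )?(?:document|file)|go to file",
    re.IGNORECASE,
)


def message_signals(raw: str) -> dict:
    """Pull the signals the heuristic needs out of one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    to_hdr = msg["To"]
    recipients = {a.addr_spec.lower() for a in to_hdr.addresses} if to_hdr else set()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    subject = str(msg["Subject"] or "")
    return {
        "sender": sender,
        "wrapped_links": WRAPPED_LINK_RE.findall(body),
        # A message a mailbox sends to itself is a common way to get the
        # wrapper to rewrite a link without involving a second victim.
        "self_send": bool(sender) and sender in recipients,
        "lure_subject": LURE_RE.search(subject) is not None,
    }


def verdict(raw: str) -> str:
    """clean: no wrapped link; suspicious: wrapped link plus self-send or lure;
    review: wrapped link with neither corroborating signal."""
    s = message_signals(raw)
    if not s["wrapped_links"]:
        return "clean"
    if s["self_send"] or s["lure_subject"]:
        return "suspicious"
    return "review"


# Constructed samples (not real messages); hosts and paths are placeholders.
VOICEMAIL_MSG = """\
From: hr@victim.example
To: hr@victim.example
Subject: New Voicemail Message
Content-Type: text/plain

You have a new voicemail. Listen to Voicemail:
https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abcDEF&d=DwMFaQ
"""

ZIX_MSG = """\
From: accounts@partner.example
To: bob@victim.example
Subject: You have received a Zix Secure Message
Content-Type: text/plain

View Secure Document: https://url.emailprotection.link/?a1b2c3
"""

INVOICE_MSG = """\
From: vendor@partner.example
To: bob@victim.example
Subject: Invoice 1042
Content-Type: text/plain

Invoice attached, portal copy here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__portal.partner.example_inv_1042&d=DwMFaQ
"""

INTERNAL_MSG = """\
From: alice@victim.example
To: bob@victim.example
Subject: Q3 planning notes
Content-Type: text/plain

Notes are on the intranet: https://intranet.victim.example/q3
"""

if __name__ == "__main__":
    for name, raw in [("voicemail", VOICEMAIL_MSG), ("zix", ZIX_MSG),
                      ("invoice", INVOICE_MSG), ("internal", INTERNAL_MSG)]:
        print(f"{name:9} {verdict(raw)}")
```

The "review" bucket matters: a wrapped link with no corroborating signal is exactly the case where a reputation lookup on the wrapper host says "allow", so it should be routed to the unwrap-and-follow check rather than dropped from consideration.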
| Malicious URLs |
|---|

| Fingerprints |
|---|
| 0a454b5ae642aa6131c9f6734590e205cb84:258ecaee8d3b24963cce163874a3 |