Hackers abuse link-wrapping to steal Microsoft 365 credentials

A new method to trick users



Hackers have reportedly found a unique way to bypass email security by turning protection tools into attack vectors.

Cloudflare researchers say (via Bleeping Computer) that threat actors are now abusing link wrapping services from companies like Proofpoint and Intermedia to disguise malicious URLs.

The attack, active from June through July, used compromised email accounts already protected by those same services. Once inside, hackers sent out phishing links that looked safe on the surface but redirected users to fake Microsoft 365 login pages.

These messages often mimicked alerts for voicemails or shared documents on Microsoft Teams. One version pretended to be a secure message from “Zix” and led to a spoofed Constant Contact page hosting the phishing form.


The attackers shortened the original malicious link, sent it from a hijacked account, and let the email platform automatically wrap it in a trusted URL. The result was a chain of redirects that appeared legitimate.

Cloudflare’s team says attackers used “multi-tiered redirect abuse” and cleverly obfuscated final destinations. In some cases, clicking a reply button in a fake Teams message dropped users directly onto a credential-harvesting site.

By using security features meant to protect users, the threat actor increased their chances of success. While abusing trusted services in phishing isn’t new, turning link wrapping into a weapon is a newer tactic.
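For defenders, the pattern described above (a trusted wrapper whose inner destination is itself a URL shortener) can be checked mechanically before a link is trusted. The Python below is an added example, not code from Cloudflare or this article; it assumes the wrapper uses the Proofpoint URL Defense v2 layout (destination in the `u=` parameter, `-XX` hex escapes, `_` for `/`), and the shortener list and sample links are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: Proofpoint URL Defense v2 layout; other services need their own decoder.
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}
# Assumption: illustrative shortener list; short.example is a constructed stand-in.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}
MAX_DEPTH = 5  # bound on nested wrapping


def unwrap_once(url):
    """Return the inner URL if `url` is a v2 wrapped link, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WRAPPER_HOSTS:
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: "-XX" is a hex escape and "_" stands for "/".
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def classify(url):
    """Peel wrapper layers and report where the wrapped link really points."""
    chain = [url]
    for _ in range(MAX_DEPTH):
        inner = unwrap_once(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    wrapped = len(chain) > 1
    # Flag a trusted wrapper around a shortener: the real destination
    # is still hidden behind at least one more redirect.
    suspicious = wrapped and final_host in SHORTENER_HOSTS
    return {"chain": chain, "final_host": final_host,
            "wrapped": wrapped, "suspicious": suspicious}


# Constructed sample links (not real indicators).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__short.example_a1b2c3",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_docs_report.pdf",
    "https://www.example.com/plain",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        print(result["suspicious"], result["final_host"])
```

A flagged link is a candidate for hold or detonation rather than proof of phishing, since a shortener behind a wrapper can also be benign.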
