Credential Theft Alert: Microsoft 365 Users Targeted by Multi-Stage Redirect Scams

New Phishing Campaign Exploits Link Wrapping to Target Microsoft 365 Users

Cybercriminals are leveraging trusted security tools like Proofpoint and Intermedia’s link wrapping services in a sophisticated phishing campaign aimed at stealing Microsoft 365 credentials.

According to researchers from the Cloudflare Email Security team, attackers are now abusing legitimate email security features to bypass detection and lure users to credential-harvesting pages using a multi-layered redirection technique.



What is Link Wrapping—and How It's Being Abused

Link wrapping is commonly used by email security platforms such as Proofpoint to scan and sanitize outbound links by redirecting them through a secured scanning URL. For example:


This mechanism is designed to catch malicious links at the moment of click. However, as Cloudflare warns, if the malicious destination hasn’t yet been flagged by the scanner, the attack can proceed undetected.


Multi-Tier Redirect Chains Amplify the Threat

Threat actors are going a step further with “multi-tiered redirect abuse.” Here’s how the chain typically works:

  1. Initial Cloaking: The malicious link is first shortened using a service like Bitly.

  2. Secondary Wrapping: The shortened URL is then sent from a compromised account protected by Proofpoint or Intermedia, causing it to be wrapped a second time.

  3. Final Destination: Victims clicking the link are funneled through these two obfuscation layers and ultimately arrive at a fake Microsoft 365 login page.

This layered approach makes the URLs appear safe and familiar, significantly increasing the success rate of the phishing attempt.
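The chain above is hard to judge by eye because each layer looks like a trusted service. As an added example (not code from the article, Cloudflare, or any vendor), the Python below peels the layers a defender can decode offline: Proofpoint URL Defense v2 links, using the publicly documented scheme in which "-" escapes a percent-encoded byte and "_" stands for "/", and the generic wrapper pattern where the real target travels in a query parameter. A shortener such as Bitly cannot be resolved without a request, so it is reported as an opaque hop that needs sandbox resolution. The shortener list, the wrapper hostnames and every sample URL are constructed for the demonstration.

```python
"""Static unwrapper for rewritten links (added example, not the article's
or any vendor's code). Peels the layers that can be decoded offline and
flags chains that end at a shortener or stack wrapper on wrapper."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: a starter list of shortener hosts; extend it for your estate.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "is.gd"}

# Proofpoint URL Defense v2 carries the target in the "u" query parameter.
V2_PATTERN = re.compile(r"v2/url\?u=(?P<url>[^&]+)")

# Constructed sample links (hostnames and IDs are made up).
SAMPLES = [
    # one scanner layer hiding a shortener: the pattern described above
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3AbCdEf&d=DwMFaQ&c=example",
    # one scanner layer over an ordinary document link: normal
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.example.com_report.pdf&d=X",
    # a second, generic wrapper stacked on top of the first sample
    "https://scan.example-wrapper.invalid/click?target=https%3A%2F%2Furldefense."
    "proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__bit.ly_3AbCdEf%26d%3DX",
]


def decode_proofpoint_v2(url):
    """Return the destination of a URL Defense v2 link, or None if not v2.

    Public v2 scheme: '-' escapes a %XX byte and '_' stands for '/'."""
    m = V2_PATTERN.search(url)
    if not m:
        return None
    return unquote(m.group("url").replace("-", "%").replace("_", "/"))


def extract_param_url(url):
    """Return the first query-parameter value that is itself an http(s) URL.

    Many click-tracking and scanning wrappers carry the real target this way;
    parse_qs percent-decodes the value, so nested encoding is undone once."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def peel(url, max_depth=10):
    """Peel wrapper layers outermost-first; stop at a hop we cannot decode."""
    chain = [url]
    for _ in range(max_depth):
        nxt = decode_proofpoint_v2(chain[-1]) or extract_param_url(chain[-1])
        if not nxt or nxt in chain:  # nothing left to peel, or a loop
            break
        chain.append(nxt)
    return chain


def triage(url):
    """Summarise a link's redirect chain the way a SOC triage rule would."""
    chain = peel(url)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    opaque = final_host in SHORTENERS
    layers = len(chain) - 1
    return {
        "hops": chain,
        "layers": layers,
        "final_host": final_host,
        "opaque_shortener": opaque,
        # One scanner layer is business as usual. A wrapper whose decoded
        # target is a shortener, or wrappers stacked on wrappers, is the
        # multi-tier pattern and deserves sandbox resolution of the last hop.
        "suspicious": opaque or layers >= 2,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{result['layers']} layer(s) -> {result['final_host']} "
              f"(opaque={result['opaque_shortener']}, "
              f"suspicious={result['suspicious']})")
```

The verdict deliberately treats a single scanner layer as normal, because every message from a Proofpoint- or Intermedia-protected sender will carry one; what stands out is a scanner layer whose decoded target is a shortener, or a chain of two or more wrappers.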


Attack Variants: More Than Just Voicemails

Researchers have identified multiple social engineering lures being used in these campaigns, including:

  • Fake voicemail notifications prompting users to “listen now.”

  • Spoofed Microsoft Teams emails claiming new document access or unread messages.

  • Phony “Reply in Teams” buttons leading to credential harvesting pages.

  • Fake Zoom meeting invites that display a "connection timed out" message before redirecting to a phishing page.

All these variants ultimately direct users to realistic-looking login portals designed to steal usernames and passwords.


SVG-Based Phishing Escalates

Adding another layer of complexity, Scalable Vector Graphics (SVG) files are increasingly used to smuggle malicious content. Unlike JPEG or PNG images, SVGs are text-based and can embed JavaScript, HTML, and hyperlinks, making them ideal for sophisticated phishing payloads.

As noted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), attackers are exploiting this format to launch multi-stage malware infections and bypass traditional anti-phishing tools.
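Because an SVG is XML, a mail gateway can inspect it without rendering it. As an added example (not code from the article or from NJCCIC), the Python below walks an SVG with the standard library parser and reports the active-content features the section names: script elements, embedded HTML via foreignObject, event-handler attributes, and hyperlinks, separating a "link-only" image from one that carries executable content. The two sample SVGs are constructed and contain only placeholder text.

```python
"""Static inspector for SVG attachments (added example, not from the article
or from NJCCIC). Reports active content so triage or gateway tooling can
quarantine an SVG that is more than a picture. Nothing is rendered."""
import xml.etree.ElementTree as ET

# Findings that mean the file can execute or embed code, not just link out.
ACTIVE_KINDS = {"script", "foreignObject", "event-handler", "dangerous-href"}

# Constructed sample: the kind of "voicemail" lure the section describes,
# with a placeholder where the real file would carry its redirect logic.
SAMPLE_LURE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="200" onload="init()">
  <script><![CDATA[function init() { /* placeholder */ }]]></script>
  <a xlink:href="https://login-example.invalid/m365">
    <text x="20" y="100">Listen to voicemail</text>
  </a>
</svg>"""

# Constructed sample: an ordinary static image.
SAMPLE_CLEAN = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4"/>
</svg>"""


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def inspect_svg(svg_text):
    """Return (kind, detail) findings for every active-content feature found.

    Note: for untrusted input in production, parse with defusedxml instead of
    xml.etree to rule out entity-expansion tricks; the walk itself is the same."""
    findings = []
    root = ET.fromstring(svg_text)
    for element in root.iter():
        tag = local_name(element.tag)
        if tag == "script":
            findings.append(("script", (element.text or "").strip()[:40]))
        elif tag == "foreignObject":
            findings.append(("foreignObject", "embedded HTML/XHTML"))
        for attr, value in element.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):          # onload, onclick, ...
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name == "href":                       # href or xlink:href
                scheme = value.split(":", 1)[0].lower() if ":" in value else ""
                if scheme in ("javascript", "data", "vbscript"):
                    findings.append(("dangerous-href", value[:40]))
                elif tag == "a" and scheme in ("http", "https"):
                    findings.append(("external-link", value))
    return findings


def verdict(svg_text):
    """Collapse findings into a decision a gateway policy can act on."""
    kinds = {kind for kind, _ in inspect_svg(svg_text)}
    if kinds & ACTIVE_KINDS:
        return "active-content"
    if "external-link" in kinds:
        return "link-only"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, verdict(sample), inspect_svg(sample))
```

A "link-only" SVG is not necessarily malicious, but an attachment that is only a picture has no reason to carry a hyperlink to a login page, so most gateways would still hold it for review; "active-content" is the case to block outright.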


Takeaways and Recommendations

This campaign underscores a critical trend: attackers are abusing trusted security tools and legitimate services to bypass defenses. To protect against these threats:

  • Inspect wrapped links carefully, even if they appear to be from trusted services.

  • Implement layered email defenses, including advanced threat detection.

  • Train employees to recognize suspicious redirect behavior and fake notifications.

  • Monitor for unusual activity on Microsoft 365 and collaboration tools like Teams and Zoom.
