
The Cloudflare Email Security team has been tracking a series of cybercriminal activities from June 2025 to July 2025. These attackers are exploiting the link wrapping features of Proofpoint and Intermedia to hide phishing payloads. This technique is particularly dangerous because victims are more likely to click on a trusted Proofpoint or Intermedia URL than on an unwrapped phishing link. These campaigns manipulate the trust users have in these security tools, leading to higher click-through rates. The attacks redirect victims to various Microsoft Office 365 phishing pages.
Link wrapping is designed to protect users by routing all clicked URLs through a scanning service that blocks known malicious destinations at the time of the click. However, as Cloudflare observed, attacks can still be successful if the wrapped link has not yet been flagged by the scanner. The abuse of these services can lead to several impacts:
- Direct financial loss: Phishing campaigns can lead to direct financial loss by making fraudulent links appear legitimate, lowering user suspicion at the moment of the click. In 2024, email was the contact method for 25% of fraud reports, with 11% of those resulting in financial loss, amounting to an aggregate loss of $502 million.
- Compromise of personal accounts: Link wrapping can be a reliable method for harvesting personal data, which contributes to identity theft. In 2024, there were 1.1 million identity theft reports, with credit card fraud and government benefits fraud being the top categories.
- Significant time burden for victims: Victims of identity theft, which often stems from phishing attacks, face a substantial time burden, with tax-related cases taking an average of over 22 months to resolve in fiscal year 2024.
- Phishing as a leading cause of breaches: Research from Comcast shows that 67% of all breaches start with a user clicking on a seemingly safe link.
- Credential theft: The 300% increase in credential theft incidents observed by Picus Security in 2024 can be fueled by more effective phishing methods like link wrapping.
Conventional reputation-based URL filtering is ineffective against these campaigns because they abuse the trusted domains of security providers. Cloudflare’s Email Security team has created new detections using historical campaign data and machine learning models to protect against these types of phishing attacks.
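The gap described above can be shown with a short added example (not Cloudflare's or Proofpoint's code): a filter that scores only the wrapper's host allows the link, while one that first extracts the embedded destination does not. The wrapper host, the `/v2/url?u=` layout and its `-XX`/`_` encoding are assumptions based on Proofpoint's URL Defense v2 format, which this article does not describe; the blocklist and sample link are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: hosts that use the URL Defense v2 query format (not listed in the article).
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}
# Constructed reputation data for this example.
BLOCKED_HOSTS = {"phish.example"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def unwrap_v2(url):
    """Return the destination embedded in a v2-style wrapped URL, or None."""
    parts = urlsplit(url)
    if host_of(url) not in WRAPPER_HOSTS or parts.path != "/v2/url":
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: "-XX" stands for "%XX" and "_" stands for "/".
    return unquote(encoded.translate(str.maketrans("-_", "%/")))

def effective_url(url, max_depth=5):
    """Peel nested wrappers so the verdict applies to the innermost destination."""
    for _ in range(max_depth):
        inner = unwrap_v2(url)
        if inner is None:
            break
        url = inner
    return url

def naive_verdict(url):
    """Reputation check on the visible host only: the wrapper domain is trusted."""
    return "block" if host_of(url) in BLOCKED_HOSTS else "allow"

def unwrapped_verdict(url):
    """Reputation check on the destination hidden inside the wrapper."""
    dest = effective_url(url)
    return ("block" if host_of(dest) in BLOCKED_HOSTS else "allow", dest)

# Constructed sample: a wrapped link whose real destination is on the blocklist.
WRAPPED = ("https://urldefense.proofpoint.com/v2/url"
           "?u=https-3A__phish.example_o365_login&d=DwMFaQ")

if __name__ == "__main__":
    print(naive_verdict(WRAPPED))
    print(unwrapped_verdict(WRAPPED))
```

Unwrapping only helps when the destination is already known to be bad; a link that no scanner has flagged yet still passes, which is the window these campaigns rely on.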
Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare, stated, “Threat actors are constantly evolving their tactics to exploit even the most trusted layers of email security. What we’re seeing with the abuse of link wrapping is a stark reminder that attackers are not just targeting users — they’re manipulating the very systems meant to protect them. At Cloudflare, our mission is to stay ahead of these threats with proactive, AI-powered detection and comprehensive visibility across the email attack surface. We’re committed to helping organizations in the Middle East and globally close these blind spots and build a more secure digital environment.”
Following this announcement, Proofpoint has shared an official statement with Arabian Reseller. The company said, “Proofpoint is aware of threat actors abusing URL redirects and Proofpoint URL protection in ongoing phishing campaigns. This is a technique we have observed from multiple security service providers who provide email protection/URL rewrites. In these campaigns, a threat actor can either abuse an open redirect to link to a rewritten URL, or compromise an email account that belongs to someone with email protection. They then send an email with a phishing link from the compromised account.”
Proofpoint further added, “The security service rewrites the URL, and the threat actor ensures the link is not blocked. The attacker will then take the rewritten URL and include it in various redirect chains. Proofpoint has observed threat actors use this technique and abuse multiple security vendor URLs, including Sophos and Cisco. Proofpoint detects these campaigns via our behavioral AI detection engine, and the messages are discarded. We also block the final URL at the end of the redirect chain to prevent exploitation. Whenever threat actors choose to use a rewritten URL from any security service, including Proofpoint, it means that as soon as the security service blocks the final URL, the entire attack chain will be blocked for every recipient of the campaign whether the recipient was a customer of the security service or not.”
Editor’s Note: Article updated on 11th August 2025 to add an official statement from Proofpoint.