
Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.
“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” the Cloudflare Email Security team said.
“While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”
The activity, observed over the last two months, once again illustrates how threat actors leverage legitimate features and trusted tools to carry out malicious actions, in this case redirecting victims to Microsoft 365 phishing pages.
It’s noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to email accounts that already use the feature within an organization, so that any email message containing a malicious URL sent from that account is automatically rewritten with the wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=<malicious_website>).

Another important aspect concerns what Cloudflare calls “multi-tiered redirect abuse,” in which the threat actors first cloak their malicious links using a URL shortening service like Bitly, and then send the shortened link in an email message via a Proofpoint-secured account, causing it to be obscured a second time.
This behavior effectively creates a redirection chain, where the URL passes through two levels of obfuscation – Bitly and Proofpoint’s URL Defense – before taking the victim to the phishing page.
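A defender-side check for the chain described above, as an added example that is not from Cloudflare's report or the original article: it statically decodes a URL Defense v2 link and flags a shortener nested inside it, without making any network request. The decoding of the `u` parameter (`-` standing for `%`, `_` for `/`), the shortener list, and the sample URLs are assumptions or constructed values.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions (not from the article): illustrative host lists, and the v2 "u"
# parameter encoding where '-' stands for '%' and '_' stands for '/'.
WRAPPER_HOSTS = {"urldefense.proofpoint.com"}
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}

# Constructed samples: a wrapped shortener link and a wrapped ordinary link.
SAMPLE_CHAIN = "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE1&d=constructed"
SAMPLE_PLAIN = "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet-2Dportal.example.com_docs&d=constructed"


def unwrap_v2(url):
    """Return the destination embedded in a URL Defense v2 link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in WRAPPER_HOSTS or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if encoded is None:
        return None
    return unquote(encoded.replace("-", "%").replace("_", "/"))


def obfuscation_layers(url, max_depth=5):
    """Peel wrappers statically; return (layers, innermost visible URL)."""
    layers = []
    for _ in range(max_depth):  # bounded, in case wrappers are nested
        inner = unwrap_v2(url)
        if inner is None:
            break
        layers.append(("link-wrapper", urlsplit(url).hostname))
        url = inner
    host = (urlsplit(url).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        # The real destination is still hidden; resolve it in a sandbox.
        layers.append(("shortener", host))
    return layers, url


def is_multi_tier(url):
    """True when a wrapped link hides a shortener (two obfuscation levels)."""
    kinds = [kind for kind, _ in obfuscation_layers(url)[0]]
    return "link-wrapper" in kinds and "shortener" in kinds


if __name__ == "__main__":
    for sample in (SAMPLE_CHAIN, SAMPLE_PLAIN):
        print(is_multi_tier(sample), obfuscation_layers(sample))
```

A wrapped link whose innermost visible URL is a shortener is a candidate for detonation or shortener resolution before delivery, since the wrapper's click-time scan only helps once the final destination has been flagged.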
In the attacks observed by the web infrastructure company, the phishing messages masquerade as voicemail notifications, urging recipients to click on a link to listen to them, ultimately directing them to a bogus Microsoft 365 phishing page designed to capture their credentials.
Alternate infection chains employ the same technique in emails that notify users of a supposed document received on Microsoft Teams and trick them into clicking on booby-trapped hyperlinks.
A third variation of these attacks impersonates Teams in emails that claim recipients have unread messages and urge them to click the “Reply in Teams” button embedded in the message, which redirects them to credential harvesting pages.
“By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” Cloudflare said.
The development comes amid a spike in phishing attacks that weaponize Scalable Vector Graphics (SVG) files to get around traditional anti-spam and anti-phishing protections and initiate multi-stage malware infections.

“Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code,” the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) said last month. “They can contain scripts, hyperlinks, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files.”
Phishing campaigns have also been observed embedding fake Zoom videoconferencing links in emails that, when clicked, trigger a redirection chain to a fake page that mimics a realistic-looking interface. Victims are then served a “meeting connection timed out” message and taken to a phishing page that prompts them to enter their credentials to rejoin the meeting.
“Unfortunately, instead of ‘rejoining,’ the victim’s credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and inevitably sent to the threat actor,” Cofense said in a recent report.