Cloudflare ‘s email security team recently uncovered a new phishing technique. Attackers are using compromised email accounts to disguise malicious links via legitimate link wrapping services. Services like those from Proofpoint or Intermedia rewrite incoming links to trustworthy domains and scan them automatically, a protection mechanism that, in this case, becomes a gateway.

The links look deceptively genuine

The attackers shorten their links using URL shorteners and send them via hacked accounts. The security solutions provide the links with a “secure” domain, which makes them appear legitimate. But behind the URLs lurk phishing pages that deceptively mimic Microsoft 365 login pages. Subject lines such as “New voicemail,” “Secure document for retrieval,” or “New message in Microsof

See Full Page