Cloudflare warns of a new phishing technique where attackers use link wrapping to redirect you to fake Microsoft login pages.
Phishing remains a tried-and-true method for cybercriminals, who are becoming increasingly creative in getting you to click on a malicious link. Cloudflare discovered a new technique where hackers use ‘link wrapping’ to hide fake Microsoft login pages.
The attack technique completely turns the purpose of link wrapping on its head. Link wrapping is the rewriting of URLs. This technique normally helps protect you against classic threats, but attackers have discovered that they can use link wrapping to disguise malicious links as safe and legitimate-looking URLs.
Wrapped Microsoft Links
The attackers use legitimate tools with link wrapping features, such as Proofpoint and Intermedia. Since June, Cloudflare’s email security team has observed multiple phishing campaigns where cybercriminals used link wrapping to hide malicious links. Shortened, harmful Bitly links were routed through the tools to make them appear trustworthy.
Microsoft services like Office 365 or Teams are most frequently mimicked. Users receive an email with a button that, for example, refers to a voicemail or shared document. Behind this button lies a link processed with a wrapper, which through multiple redirects leads to a phishing page attempting to steal login credentials.
Increased Risk
The combination of trusted security domains and convincing emails increases the likelihood that users will click on the links, Cloudflare warns. This raises the risk of data theft and/or financial damage. According to Cloudflare, one in ten phishing cases could lead to financial loss: the average damage is $600, which is significant.
Moreover, the use of legitimate security platforms renders traditional URL filtering ineffective. Cloudflare has therefore developed specific detection rules, including machine learning models, trained on the characteristics of such manipulated links. These rules analyze, among other things, the content of emails and specific URL patterns typical of these attacks.
Cloudflare advises being extra vigilant for emails with rewritten links, especially when they imitate Microsoft services. Organizations should focus more on contextual detection and behavioral analysis rather than relying solely on reputation-based filtering.
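As an added illustration (not Cloudflare's detection rules and not code from the article), the sketch below judges a wrapped link by the destination it hides instead of by the wrapper's domain, which is the pattern described above: a Bitly link routed through a link wrapper. It assumes Proofpoint's publicly documented URL Defense v2 and v3 link formats; the shortener list, function names and sample URLs are constructed for the example, and Intermedia-wrapped links are not decoded.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: shortener hosts worth flagging; the article names Bitly only.
SHORTENERS = {"bit.ly", "bitly.com"}

# Assumed v3 format: https://urldefense.com/v3/__<inner URL>__;<token>$
V3_RE = re.compile(r"^https://urldefense\.com/v3/__(.+?)__;", re.I)


def unwrap(url):
    """Return the URL hidden inside one Proofpoint wrapper layer, else None."""
    m = V3_RE.match(url)
    if m:
        # Characters v3 replaces with '*' are not restored; the host stays readable.
        return m.group(1)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/"):
        u = parse_qs(parts.query).get("u")
        if u:
            # Assumed v2 encoding: '-XX' is a hex-escaped byte, '_' stands for '/'.
            return unquote(u[0].replace("-", "%").replace("_", "/"))
    return None


def inspect_link(url, max_depth=5):
    """Peel nested wrappers and report what the link really points at."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = unwrap(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    wrapped = len(chain) > 1
    return {
        "chain": chain,
        "final_host": final_host,
        "wrapped": wrapped,
        # A security wrapper around a URL shortener is the pattern to escalate.
        "suspicious": wrapped and final_host in SHORTENERS,
    }


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    samples = [
        "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE1&d=x",
        "https://urldefense.com/v3/__https://www.example.org/docs__;!!TOKEN$",
    ]
    for s in samples:
        r = inspect_link(s)
        print(r["final_host"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

A mail pipeline would feed the unwrapped destination, not the wrapper URL, into its existing URL and content checks.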