Phishing Attacks Weaponize Security Tools by Abusing Proofpoint & Intermedia Link Wrapping
Email protection mechanisms, originally conceived as a bulwark against malicious links, have ironically become unwitting allies to cybercriminals. Researchers have uncovered a troubling trend: threat actors are increasingly exploiting “link wrappers” provided by platforms such as Proofpoint and Intermedia to disguise phishing downloads. Rather than intercepting threats, these tools now inadvertently facilitate their dissemination—shielded by the user’s trust in reputable services.
According to Cloudflare, the essence of the attack lies in obfuscating and “sanitizing” malicious URLs by embedding them within trusted domains used by filtering services. These links pass through intermediary gateways like urldefense[.]proofpoint[.]com or url[.]emailprotection[.]link, which are intended to scan the destination at the moment of click. However, once corporate accounts are compromised, attackers can distribute such wrapped URLs en masse—often evading detection, as the malicious content remains cloaked within a veneer of legitimacy.
The observed campaigns exhibit carefully orchestrated redirect chains: an initial link-shortening service like Bitly is followed by a Proofpoint or Intermedia wrapper, culminating in a phishing page that perfectly mimics Microsoft 365 or Teams interfaces. This layered structure drastically increases the likelihood of credential theft—users perceive a familiar URL and are thus less likely to suspect deception.
Such tactics are particularly prevalent in attacks launched via previously hijacked corporate email accounts. In one instance involving Proofpoint, attackers disseminated emails disguised as voicemail notifications or shared document alerts. A representative attack led users from a Bitly link to urldefense[.]proofpoint[.]com, then redirected them via gojo[.]lci-nd[.]com to a counterfeit Microsoft login page where credentials were siphoned off in real time.
Intermedia’s infrastructure proved equally susceptible. Here, a compromised account triggered automatic wrapping of outbound malicious links, visually presenting them as secure Zix messages or Microsoft documents. These emails rerouted victims through marketing platforms like Constant Contact, ultimately delivering them to phishing portals crafted for data theft.
The implications are significant. According to the U.S. Federal Trade Commission, email fraud inflicted over $500 million in damages in 2024 alone. More than 1.1 million identity theft incidents were reported, with recovery from tax-related fraud averaging 22 months. Meanwhile, Comcast and Picus Security note that phishing was the initial vector in 67% of successful breaches, contributing to a staggering 300% surge in credential theft.
Traditional filters are no longer sufficient to combat such sophisticated threats. Effective countermeasures must rely on advanced detection strategies rooted in machine learning and behavioral analytics. Modern defense systems should assess sender history, link structures, message context, and even emotional tone to identify attacks before the user ever clicks.
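The link-structure signal described above, and the redirect chain (shortener, then wrapper, then an unknown destination) laid out earlier, can be checked without following any link. The script below is an added example, not code from the article or from Cloudflare, Proofpoint or Intermedia: it pulls URLs out of a message body, decodes Proofpoint URL Defense v2 links to expose the destination they hide, and scores the message on what it finds. The v2 decoding rule (the `u=` query parameter carries the destination with `%` written as `-` and `/` written as `_`) is Proofpoint's documented v2 format rather than something stated on this page; v3 links and Intermedia's url.emailprotection.link wrapper use encodings this example does not decode, so they are reported as wrapped-but-undecoded, which is itself treated as a signal. The allowlist of expected destinations and the sample message bodies are constructed for the example.

```python
"""Offline triage of link-wrapper URLs in an email body (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Link-wrapping gateways named in the article (defanged there).
WRAPPER_DOMAINS = {"urldefense.proofpoint.com", "url.emailprotection.link"}
# Bitly is the shortener named in the article; bitly.com is an assumed alias.
SHORTENER_DOMAINS = {"bit.ly", "bitly.com"}
# Hypothetical allowlist: destinations an organisation expects behind wrapped links.
TRUSTED_DESTINATIONS = {"login.microsoftonline.com", "teams.microsoft.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_proofpoint_v2(url: str):
    """Return the destination hidden in a Proofpoint URL Defense v2 link, or None.

    v2 links put the destination in the ``u`` parameter with ``%`` written as
    ``-`` and ``/`` written as ``_``; reversing that and percent-decoding gives
    the original URL. Anything else (v3, other wrappers) returns None.
    """
    parts = urlparse(url)
    if parts.netloc.lower() != "urldefense.proofpoint.com":
        return None
    if not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u")
    if not encoded:
        return None
    return unquote(encoded[0].replace("-", "%").replace("_", "/"))


def classify_url(url: str) -> dict:
    """Label one URL as shortener / wrapper / other and record what it hides."""
    host = urlparse(url).netloc.lower()
    if host in SHORTENER_DOMAINS:
        return {"url": url, "kind": "shortener", "destination": None, "destination_host": None}
    if host in WRAPPER_DOMAINS:
        dest = unwrap_proofpoint_v2(url)
        dest_host = urlparse(dest).netloc.lower() if dest else None
        return {"url": url, "kind": "wrapper", "destination": dest, "destination_host": dest_host}
    return {"url": url, "kind": "other", "destination": None, "destination_host": None}


def triage(body: str) -> dict:
    """Score a message on link structure alone; higher means more suspicious.

    Signals: a wrapped link whose decoded destination is off the allowlist (+2),
    a wrapped link whose destination cannot be recovered (+1), and a shortener
    sitting next to a wrapper in the same message, i.e. the layered chain the
    article describes (+1).
    """
    findings = [classify_url(u) for u in URL_RE.findall(body)]
    score, reasons = 0, []
    for f in findings:
        if f["kind"] != "wrapper":
            continue
        if f["destination"] is None:
            score += 1
            reasons.append(f"wrapped link with unrecoverable destination: {f['url']}")
        elif f["destination_host"] not in TRUSTED_DESTINATIONS:
            score += 2
            reasons.append(f"wrapped link leads off-allowlist: {f['destination_host']}")
    if {"shortener", "wrapper"} <= {f["kind"] for f in findings}:
        score += 1
        reasons.append("shortener and wrapper in the same message (layered redirect)")
    return {"score": score, "reasons": reasons, "findings": findings}


# Constructed samples. lure.example is a placeholder destination, not a real host;
# the wrapped URL encodes https://lure.example/login in v2 form.
LURE_BODY = (
    "You have a new voicemail. Listen here: "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__lure.example_login&d=CONSTRUCTED\n"
    "Or use the short link https://bit.ly/3xyzabc"
)
BENIGN_BODY = (
    "Meeting link: "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__teams.microsoft.com_l_meetup"
)
UNDECODED_BODY = "Secure message: https://url.emailprotection.link/?id=CONSTRUCTED"


if __name__ == "__main__":
    for name, body in [("lure", LURE_BODY), ("benign", BENIGN_BODY), ("undecoded", UNDECODED_BODY)]:
        result = triage(body)
        print(name, result["score"], result["reasons"])
```

Run stand-alone it prints a score and the reasons for each constructed body; the lure scores 3 (off-allowlist destination plus shortener-and-wrapper pairing), the benign Teams link scores 0, and the Intermedia-style link scores 1 because its destination cannot be recovered offline. In practice the allowlist would be derived from the tenant's own traffic, and the score would be one input alongside the sender-history and message-context signals the paragraph above calls for.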
This adaptive approach—considering the sender’s behavioral history, the message’s sentiment, and the link’s architecture—enables proactive threat detection. Yet the very fact that mechanisms designed to safeguard users are now being co-opted by attackers raises urgent questions about the security of trusted platforms and the pressing need to rethink their foundational architecture.