Phishing Campaign Abuses Link-Wrapping Services to Steal Microsoft 365 Credentials

Cybercriminals have been observed using a new, sophisticated method to obtain Microsoft 365 credentials: they abuse security features to disguise malicious links and thereby undermine otherwise well-protected email systems.
Addendum, 5 August: We have received a detailed statement from Proofpoint, which you can find at the end of this article.
Phishing with a protective shield
The method was described by Cloudflare's email security team. According to its report, the attackers used already compromised email accounts to route their malicious redirects through so-called link-wrapping services, which act as trustworthy URL wrappers. These services rewrite incoming links to point at their own secure domains and scan them automatically; that very feature became the gateway.
Abuse of established protective mechanisms
Specifically, the security researchers observed a combination of URL shortening, legitimate link-wrapping technology and stolen credentials. The attackers first shortened their links with common URL shorteners, then sent them from compromised accounts that were protected by Proofpoint or Intermedia, whereupon the links were automatically rewritten to a trustworthy domain.
Deceptively real camouflage
The result was emails with apparently harmless URLs that were not blocked by security solutions and raised no suspicion among recipients. Behind the links, however, were phishing sites with convincingly imitated Microsoft 365 sign-in pages. The deceptive messages carried subject lines such as "New Voicemail", "Safe document for retrieval" or "New message in Microsoft Teams". Particularly insidious: in some cases the email claimed to be a secure "ZIX" message, Zix being a well-known encryption system for confidential communication.
"Link wrapping is used by providers such as Proofpoint to protect users. All clicked URLs are routed through a scanning service so that known malicious destinations can be blocked at the time of the click." (Cloudflare on the current threat)
A click on the apparently legitimate "Reply" button ultimately led to a fake login page that served to harvest the users' credentials.
A new chapter in the phishing arsenal
The technique of abusing legitimate services is not new; for years many attackers have used cloud services such as Google Drive or Dropbox as camouflage. What is new, however, is the targeted use of link-wrapping features, of all things the very functions meant to protect against such attacks. For IT administrators and security managers, this is a clear alarm signal: anyone who has so far relied on automatic detection of malicious links has to rethink, especially when malicious content arrives via trustworthy domains, with the apparent blessing of your own security solution.
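The chain described above (shortener, then wrapper, then phishing page) is the reason a wrapper domain alone says nothing about a link's safety. The following script is an added example, not code from the article, Cloudflare or Proofpoint; it models offline how a defender can unwrap a rewritten link, follow the whole redirect chain and judge the final destination rather than the trusted wrapper domain. The wrapper domains, shortener domains, the `?u=` wrapper format and the redirect table are all constructed assumptions; real link-wrapping services use their own encodings.

```python
"""
Added example (not from the article, Cloudflare or Proofpoint): an offline model
of looking past a link-wrapped URL and judging the whole redirect chain.

All domains, the wrapper URL format (?u=<percent-encoded target>) and the
redirect table are constructed for illustration only.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Constructed stand-ins for email-security providers' link-rewrite domains.
WRAPPER_DOMAINS = {"wrap.example-security.test", "protect.example-mail.test"}

# Constructed stand-ins for URL shortener domains.
SHORTENER_DOMAINS = {"short.example.test", "tiny.example.test"}

# Constructed redirect table standing in for HTTP 30x responses so the
# example runs offline. Key: URL visited; value: where it redirects to.
REDIRECTS = {
    "https://short.example.test/abc123":
        "https://login-m365-verify.example-bad.test/reply",
}

# Lure subjects reported in the article; used as a weak signal only.
LURE_SUBJECTS = ("new voicemail", "new message in microsoft teams",
                 "safe document")


def unwrap(url):
    """Return the target carried in a constructed wrapper URL's ``u``
    parameter, or the url unchanged if it is not a wrapper link."""
    p = urlparse(url)
    if p.netloc.lower() in WRAPPER_DOMAINS:
        target = parse_qs(p.query).get("u", [None])[0]
        if target:
            return unquote(target)
    return url


def resolve_chain(url, redirects=REDIRECTS, max_hops=10):
    """Follow unwrapping and the redirect table until a final URL is reached.
    Returns every URL visited, first to last, and stops on loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = unwrap(chain[-1])
        if nxt == chain[-1]:
            nxt = redirects.get(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess(url, subject="", allowlist=frozenset()):
    """Return (verdict, chain, reasons). The wrapper domain is never treated
    as evidence of safety; the verdict rests on the hops and the final host."""
    chain = resolve_chain(url)
    hosts = [urlparse(u).netloc.lower() for u in chain]
    reasons = []
    if hosts[0] in WRAPPER_DOMAINS:
        reasons.append(f"wrapped by {hosts[0]}")
    if any(h in SHORTENER_DOMAINS for h in hosts):
        reasons.append("chain passes through a URL shortener")
    final_host = hosts[-1]
    if final_host not in allowlist:
        reasons.append(f"final destination {final_host} is not allowlisted")
    if any(k in subject.lower() for k in LURE_SUBJECTS):
        reasons.append("subject matches known lure")
    # Block when the destination was obscured by a shortener and the
    # final host is not on the organisation's allowlist.
    blocked = ("chain passes through a URL shortener" in reasons
               and final_host not in allowlist)
    return ("block" if blocked else "allow", chain, reasons)


if __name__ == "__main__":
    # Constructed sample: a wrapped link to a shortener that lands on a
    # fake sign-in page, sent with one of the reported lure subjects.
    sample = ("https://wrap.example-security.test/v1/url"
              "?u=https%3A%2F%2Fshort.example.test%2Fabc123")
    verdict, chain, reasons = assess(sample, subject="New Voicemail")
    print(verdict)
    for hop in chain:
        print("  ->", hop)
    for r in reasons:
        print("  reason:", r)
```

The design point is that the wrapper hop is recorded but carries no weight in the verdict; a mail gateway or SOC playbook should apply the same logic to any rewritten link it sees, including those produced by its own provider.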
Addendum, 5 August. We have obtained a statement from Proofpoint, which sheds further light on the problem and explains how the company responded to it. It reads: Proofpoint is aware that attackers are currently abusing the company's URL extensions and URL protection in phishing campaigns. Proofpoint has observed this procedure across various security service providers who offer email protection or URL rewrites. In these campaigns, attackers either abuse an open redirect to link to a rewritten URL, or compromise an email account that has a form of email protection.
They then send an email to the compromised account with a phishing link. The security service provider rewrites the URL, and the attacker ensures that the link is not blocked. The attacker then inserts the rewritten URL into different redirect chains. Proofpoint has observed that attackers use this technique and abuse URLs of several security providers, including Sophos and Cisco. Proofpoint detects these campaigns with the help of its AI-based detection engine, which uses behavioral analysis and filters out the messages.
In addition, the company blocks the final URL at the end of the redirect chain to prevent its use. If attackers use a rewritten URL of a security service (including Proofpoint), the entire attack chain is blocked for every recipient of the campaign as soon as the security service blocks the final URL. This applies regardless of whether the recipient is a customer of that security service or not.