These phishing campaigns have been particularly active from June through July 2025, demonstrating a troubling trend in the exploitation of link-wrapping security features.

The misuse of trusted link wrapping services significantly raises the chances of successful phishing attacks, as noted by Cloudflare's Email Security team.

Attackers have employed various tactics, including multi-tiered redirect abuse with URL shorteners and crafting fake notifications, such as voicemail alerts or messages from Microsoft Teams, to lure victims.

Recent phishing tactics also include fake Zoom links that mislead victims into clicking through to phishing pages after displaying false messages about meeting connectivity.

The attacks observed over the last two months illustrate how threat actors manipulate legitimate features to redirect victims to phishing pages.

Cybersecurity researchers have uncovered a phishing campaign that exploits link-wrapping services from reputable companies like Proofpoint and Intermedia to create malicious links that lead to phishing pages aimed at stealing Microsoft 365 login credentials.

Link wrapping is designed to protect users by routing URLs through a scanning service; however, attackers can still succeed if the link has not been flagged as malicious.

Attackers have been able to legitimize malicious URLs by compromising email accounts protected by these link-wrapping services, allowing them to distribute 'laundered' links.

The phishing pages cleverly disguise malicious destinations under legitimate email protection URLs, significantly increasing the likelihood of successful attacks.

The report highlights a broader increase in phishing attacks that utilize Scalable Vector Graphics (SVG) files, which can embed harmful scripts and links, making them more dangerous than standard image formats.

While the abuse of legitimate services for malicious purposes is not new, the specific exploitation of link-wrapping security features represents a recent trend in phishing attacks.

In one instance involving Intermedia, phishing emails masqueraded as secure document notifications, containing URLs that redirected victims to a phishing page hosted by Constant Contact.