A Microsoft phishing page designed to harvest credentials | Image: Cloudflare
The Cloudflare Email Security team has exposed a wave of phishing attacks that abuse link wrapping services, typically used for user protection, to deceive recipients and successfully bypass email defenses. From June through July 2025, attackers cleverly manipulated the very technologies designed to safeguard users, such as Proofpoint and Intermedia link wrapping, to deliver malicious payloads under the guise of trusted URLs.
Link wrapping services like Proofpoint and Intermedia are designed to scan and block malicious URLs by rerouting them through security gateways. This creates sanitized, recognizable links such as:
However, this safety net only works if the threat is already known at the time of the click. As Cloudflare puts it:
“Attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”
In recent campaigns, attackers exploited this delay, using link wrapping to legitimize phishing links before scanners had a chance to catch up.

One notable campaign abused Proofpoint-wrapped links combined with public URL shorteners to create deep redirect chains that obfuscated the final destination: Microsoft 365 phishing pages. For example, a phishing email mimicking a voicemail notification used the button “Listen to Voicemail” to trick users into clicking a multi-tiered link redirect:
Another attack impersonated Microsoft Teams, urging recipients to “Access Teams Document” or “Reply in Teams,” all via wrapped links that appeared trustworthy but ultimately redirected users to malicious pages designed to harvest credentials.
Cloudflare notes:
“Victims are much more likely to click on a ‘trusted’ Proofpoint or Intermedia URL than an unwrapped phishing link.”
Intermedia link wrapping was similarly abused, especially via compromised accounts within protected organizations. One phishing email appeared as a Zix Secure Message, containing a “View Secure Document” button that linked to:
This URL eventually redirected to a Constant Contact-hosted phishing site, demonstrating how even legitimate marketing platforms can become unwitting accomplices in credential theft.
What makes this tactic so effective is the psychological comfort users derive from seeing familiar domains like Proofpoint or Intermedia in URLs. Cloudflare emphasizes:
“By cloaking malicious destinations with legitimate urldefense.proofpoint.com and url.emailprotection.link URLs, attackers significantly increase the likelihood of a successful attack.”
As attackers turn defense mechanisms into delivery systems, organizations must adapt by incorporating behavior-based analysis, URL detonation, and user education into their security stack.
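A mail-filter triage step for the wrapped-shortener pattern described above, as an added example that is not code from Cloudflare, Proofpoint, Intermedia or this article. It peels Proofpoint v2 wrappers offline and flags links whose embedded target is a URL shortener. The shortener list, the sample link and the treatment of Intermedia tokens as opaque are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Wrapper hosts named in the article.
PROOFPOINT_HOST = "urldefense.proofpoint.com"
INTERMEDIA_HOST = "url.emailprotection.link"
# Assumption: illustrative shortener list, not taken from the article.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Constructed sample: a v2-wrapped link whose target is a shortener.
SAMPLE = ("https://urldefense.proofpoint.com/v2/url"
          "?u=https-3A__tinyurl.com_constructed-2Dsample&d=CONSTRUCTED")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def unwrap_proofpoint_v2(url):
    """Return the URL embedded in a Proofpoint v2 wrapper, else None."""
    parts = urlsplit(url)
    if host_of(url) != PROOFPOINT_HOST or not parts.path.startswith("/v2/"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # v2 encoding: '-XX' stands for '%XX' and '_' stands for '/'.
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def triage(url, max_depth=5):
    """Peel wrappers offline; return (innermost_url, findings)."""
    findings = []
    for _ in range(max_depth):
        if host_of(url) == INTERMEDIA_HOST:
            # Assumption: token is not decodable offline.
            findings.append("opaque-wrapper: needs click-time detonation")
            break
        inner = unwrap_proofpoint_v2(url)
        if inner is None:
            break
        findings.append("proofpoint-wrapped")
        url = inner
    if "proofpoint-wrapped" in findings and host_of(url) in SHORTENERS:
        findings.append("wrapped-shortener: final destination unknown")
    return url, findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `wrapped-shortener` or `opaque-wrapper` finding means the real destination cannot be judged from the URL text alone, so the link should go to detonation rather than be trusted for its wrapper domain.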