The Trust Trap: Phishing Attacks Weaponize Security Tools by Abusing Proofpoint & Intermedia Link Wrapping

The Cloudflare Email Security team has exposed a wave of phishing attacks that abuse link wrapping services—typically used for user protection—to deceive recipients and successfully bypass email defenses. From June through July 2025, attackers cleverly manipulated the very technologies designed to safeguard users, such as Proofpoint and Intermedia link wrapping, to deliver malicious payloads under the guise of trusted URLs.

Link wrapping services like Proofpoint and Intermedia are designed to scan and block malicious URLs by rerouting them through security gateways. This creates sanitized, recognizable links such as:

https://urldefense[.]proofpoint[.]com/v2/url?u=httpp-3A__malicioussite[.]com

However, this safety net only works if the threat is already known at the time of the click. As Cloudflare puts it:

“Attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”

In recent campaigns, attackers exploited this delay—using link wrapping to legitimize phishing links before scanners had a chance to catch up.

One notable campaign abused Proofpoint-wrapped links combined with public URL shorteners to create deep redirect chains that obfuscated the final destination: Microsoft 365 phishing pages. For example, a phishing email mimicking a voicemail notification used the button “Listen to Voicemail” to trick users into clicking a multi-tiered link redirect:

URL shortener → Proofpoint wrap → phish landing page.

Another attack impersonated Microsoft Teams, urging recipients to “Access Teams Document” or “Reply in Teams,” all via wrapped links that appeared trustworthy but ultimately redirected users to malicious pages designed to harvest credentials.

Cloudflare notes:

“Victims are much more likely to click on a ‘trusted’ Proofpoint or Intermedia URL than an unwrapped phishing link.”

Intermedia link wrapping was similarly abused, especially via compromised accounts within protected organizations. One phishing email appeared as a Zix Secure Message, containing a ‘View Secure Document’ button that linked to:

https://url.emailprotection.link/?...

This URL eventually redirected to a Constant Contact-hosted phishing site, demonstrating how even legitimate marketing platforms can become unwitting accomplices in credential theft.

What makes this tactic so effective is the psychological comfort users derive from seeing familiar domains like Proofpoint or Intermedia in URLs. Cloudflare emphasizes:

“By cloaking malicious destinations with legitimate urldefense.proofpoint.com and url.emailprotection.link URLs, attackers significantly increase the likelihood of a successful attack.”

As attackers turn defense mechanisms into delivery systems, organizations must adapt by incorporating behavior-based analysis, URL detonation, and user education into their security stack.

Related Posts:

• Turla Leverages ‘Pelmeni Wrapper’ for Stealthy Kazuar Backdoor Delivery
• Spring Security Flaw Leaves Applications Open to Unauthorized Access
• Cloudflare Pulls the Plug on HTTP: API Now HTTPS-Only

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.