How Attackers Leverage Proofpoint and Intermedia Link Wrapping for Phishing Campaigns

Email security technologies are designed to safeguard users by scanning and rewriting suspicious URLs, ensuring that malicious destinations are identified before a user ever clicks. However, threat actors have begun weaponizing these very systems. By exploiting URL wrapping features in services like Proofpoint and Intermedia, attackers are successfully delivering phishing payloads that evade traditional detection measures.

Cybercriminals have developed a sophisticated attack vector that weaponizes the very security mechanisms designed to protect organizations. Between June and July 2025, our security researchers identified a cluster of threat actors exploiting Proofpoint and Intermedia link wrapping features to mask phishing payloads, transforming trusted security tools into unwitting accomplices in credential theft campaigns.

Understanding Link Wrapping Technology

Link wrapping is a security measure in which email security providers intercept URLs in messages and reroute them through their scanning infrastructure. Services like Proofpoint and Intermedia use link wrapping to send URLs through a scanning service, allowing them to block malicious URLs at the moment the user clicks.

This real-time process adds a security checkpoint that can neutralize threats after the email has been delivered. The technology replaces original URLs with vendor-specific wrapper URLs containing encoded destination details. When users click these links, the security service analyzes them in real time before directing traffic to the target. This method is effective against known malicious domains and offers detailed click analytics for administrators.

Anatomy of a Link Wrapping Phishing Campaign

These campaigns are often initiated by compromising legitimate accounts within organizations protected by Proofpoint or Intermedia. Once inside, attackers distribute phishing emails that appear to originate from a trusted sender. The malicious URLs, now wrapped by the security service, inherit the reputation of the wrapper domain.

Further obfuscation is achieved through multiple layers of redirection. Attackers may use link shorteners (like Bitly) before wrapping the link, adding complexity that evades static scanners. The final destination is a phishing site designed to harvest login credentials, often presented as a shared document or voicemail notification.

The Attack Methodology

First observed in late July 2025, multiple phishing clusters began embedding malicious URLs inside the legitimate link-wrapping services of Proofpoint’s Protect platform (https://urldefense.proofpoint.com/v2/url?u=) and Intermedia’s LinkSafe (https://safe.intermedia.net/?u=). The attack chain demonstrates technical sophistication through its multi-layered approach.

Threat actors begin by compromising legitimate email accounts within organizations already protected by Proofpoint or Intermedia services. This compromise grants them access to the automatic link wrapping functionality that processes all outbound messages. The attackers then craft phishing emails containing malicious URLs that the security services automatically wrap, lending apparent legitimacy to the malicious payload.

The wrapped URLs follow predictable patterns. Proofpoint-wrapped malicious links typically appear as lengthy encoded strings following the urldefense.proofpoint.com/v2/url?u= format, while Intermedia-wrapped threats utilize the safe.intermedia.net/?u= structure. These familiar URL patterns create an illusion of security validation for recipients.

Technical Evasion Techniques

The campaign demonstrates several evasion mechanisms that exploit gaps in traditional security controls. Its abuse of trusted link wrapping services significantly increases the likelihood of a successful attack: recipients extend to the wrapped link the trust they place in the security tool itself, which translates into higher click-through rates.

Domain reputation manipulation forms a core component of this strategy. The wrapped URLs originate from highly trusted domains associated with established security vendors, causing traditional email security solutions to assign positive reputation scores. This trust inheritance bypasses many automated filtering mechanisms that rely on domain-based reputation systems.

Time-based evasion represents another critical technique. Attackers register malicious domains immediately before campaign deployment, creating a window where the destination URLs remain unknown to threat intelligence feeds. The link wrapping services cannot block destinations that have not yet been categorized as malicious, allowing initial waves of victims to reach fraudulent login pages.

Target Focus and Impact Assessment

The attacks primarily target Microsoft 365 credentials through fake login pages, with campaigns frequently impersonating Microsoft services, including fake Zix Secure Message notifications and Teams document sharing. This focus reflects the high value of cloud productivity platform access in corporate environments.

The financial implications prove substantial. According to the FTC, email was the method of contact for 25% of fraud reports in 2024, resulting in aggregate losses of $502 million. This statistic underscores the broader economic impact of effective phishing campaigns that successfully bypass security controls.

Organizations using Proofpoint or Intermedia face heightened risk due to the false sense of security created by the wrapped URLs. Employees typically receive security awareness training emphasizing the importance of recognizing suspicious links, but the presence of trusted security vendor domains in the URL structure undermines these defensive instincts.

Detection and Mitigation Strategies

Security teams must adapt their detection methodologies to address this attack vector. Traditional URL analysis focusing solely on final destinations proves insufficient when malicious links traverse multiple redirect layers through trusted infrastructure.

Behavioral analysis provides more effective detection capabilities. Security operations centers should monitor for unusual patterns in wrapped URL destinations, particularly newly registered domains receiving significant traffic volumes. Implementing real-time analysis of final redirect destinations can identify malicious endpoints even when accessed through legitimate link wrapping services.
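The wrapper formats named above (urldefense.proofpoint.com/v2/url?u= and safe.intermedia.net/?u=) can be unwrapped so that detection logic scores the real destination rather than the vendor domain. The following Python is an added example written for this article, not code from Proofpoint, Intermedia or HawkEye; the domain-age table, shortener list and sample URLs are constructed, and the Intermedia u= parameter is assumed to be a standard percent-encoded URL.

```python
from urllib.parse import unquote, urlparse

# Constructed reference data for this example. A production pipeline would query
# WHOIS / passive DNS for domain age and keep a maintained shortener list.
DOMAIN_AGE_DAYS = {"example.com": 4000, "bit.ly": 4000, "m365-secure-docs.example": 2}
SHORTENER_HOSTS = {"bit.ly"}
NEW_DOMAIN_THRESHOLD_DAYS = 30

def raw_param(query: str, name: str) -> str:
    """Return a query value without percent-decoding it (decoding differs per wrapper)."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return ""

def unwrap(url: str) -> str:
    """Peel one layer of Proofpoint URL Defense v2 or Intermedia LinkSafe wrapping."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "urldefense.proofpoint.com" and p.path.startswith("/v2/url"):
        # v2 encoding: destination is percent-encoded, then '%' -> '-' and '/' -> '_'
        return unquote(raw_param(p.query, "u").translate(str.maketrans("-_", "%/")))
    if host == "safe.intermedia.net":
        # Assumption: LinkSafe stores the destination as a standard percent-encoded u= value
        return unquote(raw_param(p.query, "u"))
    return url  # not a wrapper this example recognises

def registrable_domain(host: str) -> str:
    # Simplified to the last two labels; use a public-suffix list in production
    return ".".join(host.lower().split(".")[-2:])

def triage(url: str, max_layers: int = 5) -> dict:
    """Follow wrapper layers and score the final destination, not the wrapper domain."""
    chain = [url]
    for _ in range(max_layers):
        nxt = unwrap(chain[-1])
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    reasons = []
    if len(chain) > 1 and final_host in SHORTENER_HOSTS:
        reasons.append("wrapped link resolves to a URL shortener")
    if DOMAIN_AGE_DAYS.get(registrable_domain(final_host), 0) < NEW_DOMAIN_THRESHOLD_DAYS:
        reasons.append("destination domain newly registered or unknown")
    return {"final": chain[-1], "layers": len(chain) - 1,
            "suspicious": bool(reasons), "reasons": reasons}
```

Run triage() over every wrapped URL extracted from inbound mail and alert on the suspicious flag; a wrapper that resolves to a shortener or to a days-old domain is the pattern this article describes.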

Network-level monitoring offers additional visibility. Organizations can deploy inline proxy solutions that perform independent analysis of wrapped URL destinations before allowing user access. This approach creates an additional security layer that operates independently of the compromised link wrapping service.

User education requires updating to address this specific threat vector. Security awareness programs should emphasize that the presence of trusted domains in URL structures does not guarantee destination safety. Training materials should include examples of legitimate wrapped URLs alongside malicious variants to improve user recognition capabilities.

Conclusion

The exploitation of Proofpoint and Intermedia link wrapping services demonstrates the sophisticated adaptation capabilities of modern threat actors. Cybercriminals are increasingly exploiting link wrapping features from vendors like Proofpoint and Intermedia to mask malicious payloads, leveraging the inherent trust users place in these security tools.

Security teams must develop multilayered detection approaches that account for the potential compromise of trusted infrastructure components. Traditional perimeter-based security models prove insufficient against attacks that successfully masquerade as legitimate security processes. The integration of behavioral analysis, real-time destination verification, and enhanced user education provides the foundation for effective defense against this attack vector.

The cybersecurity industry faces the ongoing challenge of preventing the weaponization of protective mechanisms. As security tools become more sophisticated, attackers continue finding innovative methods to exploit the trust relationships these tools create. Organizations must maintain vigilance and adaptability to address these evolving threats effectively.

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.