Email security features are being hijacked to steal Microsoft 365 logins — what you need to know

Hackers are now leveraging this popular email security service in their attacks to send out malicious links with the aim of taking over user accounts.

As reported by Bleeping Computer, a threat actor has been abusing the link-wrapping feature included in email security services like Proofpoint and Intermedia in order to redirect users to phishing pages designed to steal user credentials, specifically Microsoft 365 logins.

This malware campaign, which ran between June and July of this year, leveraged the link-wrapping feature in some email security services. This feature rewrites the URLs in an email to ones with a trusted domain and then puts them through a scanning server which is intended to block any links that lead to malicious destinations.

However, Cloudflare’s Email Security team found that this hacker managed to compromise Proofpoint and Intermedia-protected email accounts. From there they then legitimized their malicious URLs which allowed them to use their unauthorized access to distribute ‘laundered’ links. Researchers have further stated that attackers have also abused the system by “including multi-tiered redirect abuse with URL shorteners via compromised accounts.”

The threat actor behind the campaign has added a layer of obfuscation by first shortening the malicious links then sending them from a protected account which automatically wraps the link. The targets are tricked by receiving fake voicemail notifications or shared Microsoft Teams documents. At the end of the redirect chain is a Microsoft Office 365 phishing page that collects and steals credentials.

In one of the Intermedia campaigns that used link-wrapping services to trick victims, a hacker delivered emails that claimed to be a “Zix” secure message notification. Some of these emails claimed they would allow users to view a secure document while others impersonated a Microsoft Teams communication alerting the user to a newly received message.

Instead of doing either of these things though, these fake emails contained a URL wrapped by Intermedia’s service which redirected users to a fake page that was actually a phishing site. Meanwhile, users who clicked on the reply button were led to a page that stole their login credentials.

By disguising malicious websites with these legitimate email protections, the threat actor increased the chances that a potential victim might fall for their trap.

Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.

More from Tom's Guide

• It's not surprising that the Online Safety Act doesn't cover personal data safety
• I ditched my passwords for passkeys on these 3 popular services — and it took me less than 10 minutes
• Microsoft's Windows Recall is reportedly still capturing passwords and Social Security numbers even after its relaunch