In recent months, a surge in credential-phishing campaigns has revealed a concerning trend: cybercriminals are abusing the link-wrapping features of reputable email security platforms, notably Proofpoint’s Protect platform and Intermedia’s LinkSafe, to deliver credential-harvesting links. The tactic leverages the trust that both users and downstream filters place in these security tools, allowing phishing emails to bypass traditional detection mechanisms and reach users’ inboxes unimpeded.
Understanding Link Wrapping and Its Exploitation
Link wrapping (also called URL rewriting) is a security measure employed by email protection services to safeguard users from malicious URLs. Each link in an inbound message is replaced with a URL on the service’s own domain that encodes the original destination. When the user clicks it, the request goes through the service’s servers, which scan the destination for known threats before redirecting the browser to it. This process is intended to prevent users from inadvertently visiting harmful websites.
However, threat actors have identified a method to manipulate this system. By embedding malicious URLs within the legitimate link-wrapping services of Proofpoint and Intermedia, attackers can disguise harmful links as benign, trusted URLs. Since corporate email filters often trust these domains, the wrapped malicious links can traverse mail gateways without inspection, landing directly in users’ inboxes.
The Mechanics of the Attack
The attack strategy is straightforward yet effective. Victims receive emails that appear to be legitimate communications, such as invoices, DocuSign requests, or shipping notices. These emails contain call-to-action buttons or links that point to URLs wrapped by Proofpoint or Intermedia.
Upon clicking, the link-wrapping service decodes the URL and redirects the user to an attacker-controlled site. These sites typically mimic login pages for services such as Microsoft 365 or Okta and capture whatever credentials are entered. URL reputation checks score the wrapper domain, which is well established and trusted, so the message passes; the real destination is only revealed when the redirect is followed, which a scanner or sandbox that does not follow the redirect chain at analysis time never does.
Detection Evasion Through URL Manipulation
Unlike traditional phishing tactics that rely on newly registered or look-alike domains, this approach exploits the fact that the real destination of a wrapped link is resolved only when the wrapper is followed. Proofpoint’s link wrapper, for instance, carries the target in a base64-encoded `u=` parameter and a keyed signature (HMAC) in a `k=` parameter that is meant to guarantee the payload has not been altered.
Downstream security products typically accept a wrapper link on a trusted domain as safe and do not follow it to its destination during scanning, so the `u=` payload is never inspected. An attacker can obtain a legitimately generated wrapper for a benign site, then replace the base64 payload with the encoded address of a phishing page without updating the signature. The signature no longer matches, so the wrapper cannot vouch for the payload; if the service redirects anyway rather than refusing the request, the user is forwarded silently to the malicious site.
This manipulation can be demonstrated with a short Python script that swaps the base64 payload of a wrapped URL for an attacker-controlled domain while leaving `k=` untouched. Because the signature is not recomputed, Proofpoint flags the link as modified but still performs the redirect, a usability concession that attackers now exploit. The point for defenders is that a signature that is checked but not enforced provides no integrity guarantee: the wrapper has to fail closed (refuse to redirect on a mismatch) for the `k=` parameter to mean anything.
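The wrapper behaviour described above, as an added example written for this article and not Proofpoint’s or Intermedia’s code: a toy wrapper that seals a base64url `u=` payload with an HMAC-SHA256 `k=` parameter, an attacker function that swaps the payload without recomputing the signature, and a click-time handler that either fails closed or, as the article says the real service does, notices the mismatch but forwards the user anyway. The endpoint name, the key and the exact encoding are assumptions made for the example.

```python
"""Model of a link-wrapping service whose u= payload is sealed with an HMAC.

Added, hypothetical model for this article: the parameter names u= (base64url
target) and k= (HMAC) follow the description above, but the encoding, key
handling, host name and redirect policy are assumptions, not Proofpoint's or
Intermedia's implementation.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

WRAP_ENDPOINT = "https://wrapper.example/v2/url"   # hypothetical wrapper host
SECRET_KEY = b"demo-key-not-a-real-secret"         # constructed demo key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(u: str, key: bytes = SECRET_KEY) -> str:
    """k= is HMAC-SHA256 over the encoded payload, keyed with the service secret."""
    return hmac.new(key, u.encode("ascii"), hashlib.sha256).hexdigest()


def wrap(target: str, key: bytes = SECRET_KEY) -> str:
    """What the service does at delivery time: encode the target and seal it."""
    u = b64url_encode(target.encode("utf-8"))
    return f"{WRAP_ENDPOINT}?{urlencode({'u': u, 'k': sign(u, key)})}"


def unwrap(wrapped: str, key: bytes = SECRET_KEY, fail_closed: bool = True):
    """What the service does at click time.

    Returns (target, signature_ok).  With fail_closed=True a bad signature
    raises instead of redirecting; fail_closed=False models a wrapper that
    notices the mismatch but forwards the user anyway.
    """
    qs = parse_qs(urlparse(wrapped).query)
    u = qs.get("u", [""])[0]
    k = qs.get("k", [""])[0]
    signature_ok = hmac.compare_digest(sign(u, key).encode(), k.encode())
    if fail_closed and not signature_ok:
        raise ValueError("k= does not match u=: payload was tampered with")
    return b64url_decode(u).decode("utf-8"), signature_ok


def tamper(wrapped: str, new_target: str) -> str:
    """Attacker step: swap the u= payload, leave the original k= in place."""
    parsed = urlparse(wrapped)
    qs = {name: values[0] for name, values in parse_qs(parsed.query).items()}
    qs["u"] = b64url_encode(new_target.encode("utf-8"))
    return parsed._replace(query=urlencode(qs)).geturl()


if __name__ == "__main__":
    benign = wrap("https://vendor.example/invoices/1234")
    evil = tamper(benign, "https://m365-login-verify.example/")
    print("legitimate:", unwrap(benign))
    print("tampered, fail-open:", unwrap(evil, fail_closed=False))
    try:
        unwrap(evil)
    except ValueError as err:
        print("tampered, fail-closed:", err)
```

The `fail_closed=False` branch is the whole problem in miniature: the service has all the information it needs to reject the request, and the only thing that turns a tamper-evident link into a tamper-proof one is refusing to redirect when `k=` does not verify.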
Real-World Implications and Campaigns
Telemetry from open-redirect sensors has identified over 180,000 phishing messages since August 1, targeting sectors such as financial services, legal firms, and higher education. In several incidents, mailboxes compromised through the lure were used within minutes to send it on to further recipients, amplifying internal spread while masquerading as legitimate reply threads.
For example, phishing emails posing as voicemail notifications or Microsoft Teams document shares have been observed. These emails contain buttons or links that, when clicked, lead to a series of redirects through trusted link-wrapping services, ultimately landing on phishing pages designed to harvest credentials.
Mitigation Strategies and Recommendations
The exploitation of link-wrapping services underscores the paradox where security controls, when insufficiently scoped, can become tools for adversaries. To mitigate this threat, organizations should consider the following strategies:
1. Enhanced URL Inspection: Deploy controls that follow the full redirect chain to the final destination (click-time analysis or URL detonation) and apply endpoint heuristics there, rather than scoring only the wrapper domain, which will always look reputable.
2. Unwrapping or Rewriting Third-Party Wrapped Links: For inbound mail from outside the organisation, configure the secure email gateway to decode third-party wrapper links and run reputation checks on the decoded destination, or to rewrite them with the organisation’s own wrapper so the destination is inspected at click time. A wrapper link in external mail should not inherit the trust the gateway extends to its own.
3. Monitoring for Anomalies: Security Operations Centres (SOCs) should actively hunt for base64 strings within `u=` parameters that decode to domains outside the organisation’s expected set, and for payloads that do not decode to a valid URL at all, as either can indicate a tampered or attacker-generated wrapper.
4. User Education: Educate users about the risks associated with clicking on links, even those that appear to be from trusted sources, and encourage them to verify the authenticity of unexpected emails.
By adopting these measures, organizations can enhance their defenses against sophisticated phishing campaigns that exploit trusted security mechanisms.
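The hunt described in item 3 above, as an added example that is not part of the original page or any vendor tooling: it pulls `u=` payloads out of wrapper links in constructed click-log lines, decodes them, and flags every destination outside an allowlist of the organisation’s own domains, as well as payloads that do not decode to a URL at all. It assumes the wrapper stores the destination as base64 or base64url in `u=`, as the article describes; the wrapper host names, the trusted-domain list and the log lines are made up for the example.

```python
"""Hunt for wrapper links whose u= payload decodes to an unexpected domain.

Added example for this article, not vendor tooling.  It assumes the wrapper
stores the destination as base64/base64url in a u= query parameter, as the
article describes; wrapper host names, the trusted-domain list and the log
lines are constructed for the example.
"""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Wrapper hosts whose links we want to unwrap (hypothetical names).
WRAPPER_HOSTS = {"wrapper.example", "links.wrapper.example"}
# Destinations a wrapped link is expected to point at for this organisation.
TRUSTED_DOMAINS = {"corp.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Pull u= straight from the raw query: parse_qs would turn a '+' inside a
# standard-base64 payload into a space and corrupt it.
U_PARAM_RE = re.compile(r"(?:^|&)u=([^&]*)")


def decode_u_param(value: str) -> str | None:
    """Decode a base64/base64url payload to a URL, or None if it is not one."""
    value = unquote(value)
    padded = value + "=" * (-len(value) % 4)
    try:
        # urlsafe_b64decode also accepts '+' and '/', so it covers both alphabets.
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parsed = urlparse(decoded)
    return decoded if parsed.scheme in ("http", "https") and parsed.hostname else None


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def hunt(log_text: str) -> list[dict]:
    """Return one finding per wrapper link seen in the log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            if parsed.hostname not in WRAPPER_HOSTS:
                continue
            for match in U_PARAM_RE.finditer(parsed.query):
                target = decode_u_param(match.group(1))
                if target is None:
                    verdict = "undecodable"
                elif is_trusted(urlparse(target).hostname):
                    verdict = "trusted"
                else:
                    verdict = "external"
                findings.append({"line": lineno, "wrapper": parsed.hostname,
                                 "target": target, "verdict": verdict})
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """Everything an analyst should look at: external or undecodable payloads."""
    return [f for f in findings if f["verdict"] != "trusted"]


def _wrapped(target: str, urlsafe: bool = True) -> str:
    """Build a wrapper link for the constructed sample (k= is a placeholder)."""
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return f"https://wrapper.example/v2/url?u={enc(target.encode()).decode()}&k=0f3a9c"


# Constructed click-log lines, one URL per line, as a gateway might record them.
SAMPLE_LOG = "\n".join([
    "2025-08-04T09:14:03Z click user=alice url=" + _wrapped("https://sharepoint.corp.example/sites/finance/Q3.xlsx"),
    "2025-08-04T09:15:41Z click user=bob url=" + _wrapped("https://m365-login-verify.example/?id=7", urlsafe=False),
    "2025-08-04T09:16:02Z click user=carol url=https://wrapper.example/v2/url?u=zz&k=0f3a9c",
    "2025-08-04T09:17:20Z click user=dave url=https://intranet.corp.example/hr/handbook.pdf",
])

if __name__ == "__main__":
    for finding in suspicious(hunt(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports bob’s click (payload decodes to a look-alike Microsoft 365 domain) and carol’s (payload is not base64 for a URL at all); alice’s link decodes to a first-party SharePoint site and is left alone. The allowlist should be the set of domains your own tenant’s wrapper is expected to produce; anything else in inbound mail deserves a look.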