The Cloudflare Email Security team has been tracking a series of cybercriminal activities from June 2025 to July 2025. These attackers are exploiting Proofpoint and Intermedia’s link wrapping feature to hide phishing payloads. This technique is particularly dangerous because victims are more likely to click on a trusted Proofpoint or Intermedia URL than on an unwrapped phishing link. These campaigns manipulate the trust users have in these security tools, leading to higher click-through rates. The attacks redirect victims to various Microsoft Office 365 phishing pages.
Link wrapping is designed to protect users by routing all clicked URLs through a scanning service that blocks known malicious destinations at the time of the click. However, as Cloudflare observed, attacks can still be successful if the wrapped link has not yet been flagged by the scanner. The abuse of these services can lead to several impacts:
- Direct financial loss: Phishing campaigns can lead to direct financial loss by making fraudulent links appear legitimate, lowering user suspicion at the moment of the click. In 2024, email was the contact method for 25% of fraud reports, with 11% of those resulting in financial loss, amounting to an aggregate loss of $502 million.
- Compromise of personal accounts: Link wrapping can be a reliable method for harvesting personal data, which contributes to identity theft. In 2024, there were 1.1 million identity theft reports, with credit card fraud and government benefits fraud being the top categories.
- Significant time burden for victims: Identity theft victims, often from phishing attacks, face a substantial time burden, with tax-related cases taking an average of over 22 months to resolve in fiscal year 2024.
- Phishing as a leading cause of breaches: Research from Comcast shows that 67% of all breaches start with a user clicking on a seemingly safe link.
- Credential theft: The 300% increase in credential theft incidents observed by Picus Security in 2024 can be fueled by more effective phishing methods like link wrapping.
Conventional reputation-based URL filtering is ineffective against these campaigns because they abuse the trusted domains of security providers. Cloudflare’s Email Security team has created new detections using historical campaign data and machine learning models to protect against these types of phishing attacks.
Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare, stated, “Threat actors are constantly evolving their tactics to exploit even the most trusted layers of email security. What we’re seeing with the abuse of link wrapping is a stark reminder that attackers are not just targeting users — they’re manipulating the very systems meant to protect them. At Cloudflare, our mission is to stay ahead of these threats with proactive, AI-powered detection and comprehensive visibility across the email attack surface. We’re committed to helping organizations in the Middle East and globally close these blind spots and build a more secure digital environment.”
