
Cybercriminals Exploit Proofpoint and Intermedia Link Wrapping, Warns Cloudflare

The Cloudflare Email Security team has uncovered a cybercrime campaign abusing Proofpoint and Intermedia link wrapping to deliver Microsoft 365 phishing payloads while bypassing traditional email security defenses. This phishing technique takes advantage of the trust users place in well-known security providers and the detection delays in scanning systems.

Link wrapping, used by email security vendors like Proofpoint, routes clicked URLs through a scanning service (e.g., urldefense.proofpoint.com) to block known malicious destinations. However, Cloudflare’s threat intelligence reveals that attackers are embedding phishing links within these trusted wrapped URLs, enabling them to evade detection if the malicious destination is not flagged at click time.

From June to July 2025, Cloudflare tracked multiple campaigns redirecting victims to Microsoft Office 365 phishing sites. By masking malicious domains under legitimate urldefense.proofpoint.com or url.emailprotection links, threat actors dramatically increased click-through rates, exploiting user trust in these security layers.

Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare, warns: “Threat actors are manipulating the very systems designed to protect users. The abuse of link wrapping underscores the need for AI-powered detection and complete visibility across the email attack surface.”

The impact of such attacks can be severe. Victims face risks including financial fraud, identity theft, and credential compromise. In 2024, phishing accounted for 67% of all data breaches, with 25% of fraud cases originating from email. Phishing-related identity theft led to over 1.1 million reports, and incidents of credential theft surged by 300%, according to Picus Security.

Cloudflare’s detection systems now deploy machine learning models trained on historical phishing campaign data to identify malicious use of link wrapping, with detection signatures such as SentimentCM.HR.Self_Send.Link_Wrapper.URL and SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment. Cloudflare urges organizations to strengthen phishing protection strategies and close detection gaps in their email security infrastructure to combat these advanced social engineering attacks.
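Because a wrapped link hides where it finally leads, a mail-triage step can unwrap it and re-check the destination instead of trusting the wrapper host. The following is an added example, not code from Cloudflare, Proofpoint or Intermedia. It assumes the v1/v2 `u=` encoding handled by Proofpoint's published URL decoder, treats Intermedia links as opaque, and uses a constructed message body, constructed hosts and a hypothetical blocklist.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PROOFPOINT_HOST = "urldefense.proofpoint.com"   # wrapper host named in the article
INTERMEDIA_PREFIX = "url.emailprotection"       # as written in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def unwrap(url):
    """Return (wrapper, destination); destination is None when it cannot be decoded offline."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == PROOFPOINT_HOST:
        u = parse_qs(parts.query).get("u", [None])[0]
        if parts.path.startswith("/v2/") and u:
            # Assumed v2 encoding: '-XX' is a hex-escaped byte, '_' stands for '/'
            return "proofpoint-v2", unquote(u.replace("-", "%").replace("_", "/"))
        if parts.path.startswith("/v1/") and u:
            return "proofpoint-v1", u           # parse_qs already percent-decoded it
        return "proofpoint", None
    if host.startswith(INTERMEDIA_PREFIX):
        return "intermedia", None               # token is opaque; resolve in a sandbox
    return None, url

def triage(body, blocked_hosts):
    """List (wrapper, destination_host, verdict) for every wrapped link in a message body."""
    findings = []
    for url in URL_RE.findall(body):
        wrapper, dest = unwrap(url)
        if wrapper is None:
            continue                            # not a wrapped link
        if dest is None:
            findings.append((wrapper, None, "opaque-resolve-in-sandbox"))
            continue
        host = (urlsplit(dest).hostname or "").lower()
        verdict = "blocked-destination" if host in blocked_hosts else "unverified-destination"
        findings.append((wrapper, host, verdict))
    return findings

# Constructed sample message; every host below is a placeholder.
SAMPLE_BODY = """You have a new voicemail:
https://urldefense.proofpoint.com/v2/url?u=https-3A__login-2Dportal.example_o365_index.html-3Fid-3D1&d=x&c=y
Secure document: https://url.emailprotection.example/?token=constructed
Help: https://support.example/faq
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY, {"login-portal.example"}):
        print(finding)
```

Running the same check again over already-delivered mail when the blocklist is updated catches destinations that were not yet flagged at click time.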
