Unmasking a New Phishing Campaign Utilizing Link Wrapping Techniques
Cybersecurity experts have uncovered a sophisticated phishing campaign that employs link wrapping services from Proofpoint and Intermedia, creating new challenges for organizations trying to protect their digital assets. This technique uses legitimate services to obscure malicious content, allowing threat actors to bypass traditional security measures.
Understanding Link Wrapping Services
Link wrapping is a security measure designed to protect users by sending all clicked URLs through a scanning service. According to the Cloudflare Email Security team, this approach enables the detection and blocking of known malicious links at the moment a user clicks on them. However, this method is not infallible. If a wrapped link is not flagged by the scanner at click time, the attack can still succeed, leaving users vulnerable.
Recent Campaign Insights
In the past two months, researchers have observed a resurgence in this type of attack. Cybercriminals abuse the link wrapping feature of email security services to redirect unsuspecting victims to phishing pages that mimic Microsoft 365 login screens. The attackers first gain unauthorized access to email accounts that are protected by a link wrapping service. Any malicious URL sent from such an account is then rewritten automatically by the service, so it reaches recipients in a disguised, wrapped form.
For instance, when an attacker compromises an email account, their malicious URL gets transformed into a wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=
Multi-Tiered Redirect Abuse
Another troubling tactic noted by Cloudflare is known as "multi-tiered redirect abuse." In this scenario, cybercriminals first obfuscate their malicious links using URL shorteners like Bitly. When the shortened link is then sent from a Proofpoint-protected account, it undergoes a second layer of concealment. This creates a complex redirect chain that can easily slip through security filters, making it harder for recipients to recognize the danger.
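Both the wrapped-link form mentioned earlier and the shortener-inside-wrapper chain described here can be surfaced during mail triage by decoding the wrapper and inspecting the inner host. The following is an added example, not code from Cloudflare or Proofpoint; it handles only the v2 wrapper form quoted above, and the shortener list, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: illustrative shortener list; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
PROOFPOINT_HOST = "urldefense.proofpoint.com"
# The v2 wrapper writes '%' as '-' and '/' as '_' inside the u= parameter.
V2_TABLE = str.maketrans("-_", "%/")


def unwrap_proofpoint_v2(url):
    """Return the original URL inside a Proofpoint v2 wrapper, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != PROOFPOINT_HOST:
        return None
    if not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # Undo the character substitution, then percent-decode.
    return unquote(encoded.translate(V2_TABLE))


def classify(url):
    """Label a link for triage and return (label, effective_url)."""
    inner = unwrap_proofpoint_v2(url)
    if inner is None:
        return ("not-wrapped", url)
    host = (urlsplit(inner).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        # Wrapper around a shortener: the final destination is still hidden.
        return ("wrapped-shortener", inner)
    return ("wrapped", inner)


# Constructed sample links, not taken from the campaign.
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_constructed-2Dexample&d=DwMFaQ&c=constructed",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_docs_q3-2Dreport.pdf&d=DwMFaQ",
    "https://example.org/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link))
```

A "wrapped-shortener" result is a signal to resolve the redirect chain in a sandbox before trusting the link, since neither the wrapper nor the shortener reveals the final destination.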
Phishing Tactics in Action
The phishing emails often masquerade as legitimate notifications, such as voicemail alerts, urging the recipients to click on a link to listen to their messages. These links eventually lead to fraudulent pages designed to harvest sensitive credentials. Similarly, other variations of the phishing attempts involve emails claiming to notify users about documents shared in Microsoft Teams, cleverly tricking them into clicking harmful hyperlinks.
In yet another approach, attackers impersonate Teams notifications, stating that there are unread messages. The emails prompt users to click on a "Reply in Teams" button, which takes them straight to credential-harvesting sites.
The Rise of SVG-Based Phishing
In parallel with these link-wrapping abuses, there has been a noticeable increase in phishing campaigns leveraging Scalable Vector Graphics (SVG) files. Unlike traditional image formats like JPEG or PNG, SVG files are written in XML and can incorporate JavaScript and HTML code. This allows for the embedding of harmful scripts within seemingly harmless files, increasing the risk of multi-stage malware infections.
As highlighted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), SVGs can contain interactive elements and hyperlinks, which can be exploited to facilitate attacks that traditional anti-spam and anti-phishing protocols may miss.
Zoom Phishing Schemes
Phishing campaigns have also targeted Zoom users, embedding fake meeting links in emails. Upon clicking these links, victims are redirected through a chain of deceptive pages that ultimately ends at a phishing site. After being presented with a "meeting connection timed out" message, unsuspecting users are directed to a page that requests their login credentials.
Crucially, the gathered information—including IP address, location, and other sensitive details—is subsequently exfiltrated via Telegram, famously known for its purported encryption and secure communication features.
Conclusion
As these methods become more advanced and prevalent, it is crucial for organizations and individuals alike to remain vigilant against such phishing attempts. Understanding the tactics exploited by cybercriminals aids in developing better defenses against these threats. While technology continuously evolves, so do the strategies employed by threat actors, making cybersecurity awareness more important than ever.


