The lures of the phishing emails vary: fake voicemail notifications with a button to access the message, alerts about messages allegedly received via Microsoft Teams, notifications about secure documents sent through Zix Secure Message. But in every case, the final landing page, reached after a series of redirects, was a spoofed Microsoft Office 365 login page designed to harvest user credentials.
“This campaign’s abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” the Cloudflare researchers said. “Attackers exploit the inherent trust users place in these security tools, which can lead to higher click-through rates.”
While exploiting link-wrapping features from URL security scanners is an interesting development, the abuse of legitimate services to hide malicious payloads is neither new nor likely to disappear. Whether we’re talking about humans or software inspecting links, detection should never rely solely on domain reputation. Organizations should train their employees on how to spot phishing pages if they land on them, and automated tools should use more sophisticated content detection algorithms to identify such pages.
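To make the contrast concrete, here is an added example (not from the article or from Cloudflare's research) that compares a reputation-only verdict on the first hop with a content check on the final landing page. All hostnames, the redirect chain, the HTML, and the brand-term and legitimate-host lists are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this sketch: hosts treated as genuine Microsoft sign-in
# endpoints, and the brand terms a spoofed page is expected to display.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_TERMS = ("microsoft", "office 365", "outlook")

# Constructed sample: trusted wrapper -> redirector -> credential page.
SAMPLE_CHAIN = ["https://wrap.security-vendor.example/v1/abc123",
                "https://redirect.example/r?id=7",
                "https://portal-signin.example/o365/"]
SAMPLE_HTML = """<html><head><title>Sign in to your account</title></head>
<body><img src="logo.png" alt="Microsoft">
<form method="post"><input type="email" name="u">
<input type="password" name="p" placeholder="Password"></form></body></html>"""

class PageFeatures(HTMLParser):
    """Collects visible text, descriptive attributes and password inputs."""
    def __init__(self):
        super().__init__()
        self.has_password_field = False
        self.text = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        # Branding often lives in attributes rather than in body text.
        self.text += [a[k] for k in ("alt", "title", "placeholder") if a.get(k)]
    def handle_data(self, data):
        self.text.append(data)

def reputation_only_verdict(chain, trusted_domains):
    """Weak check: judges only the host of the link as it appears in the email."""
    host = (urlsplit(chain[0]).hostname or "").lower()
    ok = any(host == d or host.endswith("." + d) for d in trusted_domains)
    return "allow" if ok else "review"

def content_verdict(chain, final_html):
    """Judges the page actually served at the end of the redirect chain."""
    host = (urlsplit(chain[-1]).hostname or "").lower()
    page = PageFeatures()
    page.feed(final_html)
    text = " ".join(page.text).lower()
    branded = any(term in text for term in BRAND_TERMS)
    # Microsoft branding plus a password field on a non-Microsoft host.
    if page.has_password_field and branded and host not in LEGIT_LOGIN_HOSTS:
        return "block"
    return "allow"
```

On the sample chain, the reputation-only check allows the link because the wrapper's domain is trusted, while the content check blocks the final page.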