DUBAI, UAE, 8th August, 2025: From June 2025 through July 2025, the Cloudflare Email Security team has been tracking a cluster of cybercriminal threat activity leveraging Proofpoint and Intermedia link wrapping to mask phishing payloads, exploiting human trust and detection delays to bypass defenses.
Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click. For example, an email link to http://malicioussite[.]com might become https://urldefense[.]proofpoint[.]com/v2/url?u=http-3A__malicioussite[.]com. While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.
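An added example, not code from Cloudflare or Proofpoint: a mail filter can recover the destination carried inside a v2 wrapped URL of the form shown above and score that host instead of the wrapper's. It assumes the v2 encoding in which "-XX" is a hex escape and "_" stands for "/"; the function names, sample URL and blocklist are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

WRAPPER_HOST = "urldefense.proofpoint.com"  # wrapper host named on the page
_V2_TRANS = str.maketrans("-_", "%/")       # assumed v2 encoding: "-XX" hex escape, "_" is "/"

# Constructed sample data: a wrapped link and a one-entry destination blocklist.
SAMPLE_WRAPPED = ("https://urldefense.proofpoint.com/v2/url"
                  "?u=http-3A__phish.example_login-2Dportal_&d=CONSTRUCTED")
SAMPLE_BLOCKLIST = {"phish.example"}


def unwrap_v2(url):
    """Return the destination inside a v2 wrapped URL, or None if not wrapped."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != WRAPPER_HOST or parts.path != "/v2/url":
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if not encoded:
        return None
    # Map the wrapper's escapes back to percent-encoding, then decode.
    return unquote(encoded.translate(_V2_TRANS))


def filtering_host(url):
    """Host a URL filter should score: the wrapped destination when present."""
    inner = unwrap_v2(url)
    return (urlsplit(inner if inner else url).hostname or "").lower()


def naive_verdict(url, blocked_hosts):
    """Reputation check on the outer host only; the wrapper domain passes."""
    host = (urlsplit(url).hostname or "").lower()
    return "block" if host in blocked_hosts else "allow"


def verdict(url, blocked_hosts):
    """Reputation check on the unwrapped destination host."""
    return "block" if filtering_host(url) in blocked_hosts else "allow"


if __name__ == "__main__":
    print(unwrap_v2(SAMPLE_WRAPPED))
    print(naive_verdict(SAMPLE_WRAPPED, SAMPLE_BLOCKLIST),
          verdict(SAMPLE_WRAPPED, SAMPLE_BLOCKLIST))
```

Unwrapping only restores visibility of the destination; a destination that no list or scanner has flagged yet is still allowed, which is the gap the paragraph above describes.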
Recent campaigns observed by the Cloudflare Email Security team reveal how attackers are abusing Proofpoint’s and Intermedia’s link wrapping features to bypass detection and redirect victims to a variety of Microsoft Office 365 phishing pages. This technique is particularly dangerous as victims are much more likely to click on a ‘trusted’ Proofpoint or Intermedia URL than an unwrapped phishing link.
Impact
By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack. Attackers exploit the inherent trust users place in these security tools, which can lead to higher click-through rates and a greater probability of impacts such as:
· Direct financial loss: By making fraudulent links appear legitimate, attackers lower user suspicion at the critical moment of click-time, making direct financial loss more likely. In 2024, email was the method of contact for 25% of fraud reports. Of these, 11% resulted in financial loss, amounting to an aggregate loss of $502 million and a median loss of $600 per incident.
· Compromise of personal accounts leading to identity theft: Link wrapping could serve as a highly reliable method for harvesting personal data. Phishing campaigns are a primary method for attackers to obtain personal information, contributing to 1.1 million identity theft reports in 2024, with credit card fraud and government benefits fraud being top categories.
· Significant time burden for victims: Victims of identity theft, often initiated through phishing, face substantial time burdens, with tax-related cases averaging over 22 months (676 days) for resolution in Fiscal Year 2024.
· Phishing as leading breach method: Comcast research shows 67% of all breaches start with someone clicking on a seemingly safe link.
· Credential theft via phishing: The 300% spike in credential theft incidents observed by Picus Security in 2024 can be fueled by more effective phishing techniques like link wrapping.
Mitigation and detection
Because this campaign abuses the trusted domains of security providers, conventional reputation-based URL filtering is ineffective. The following detections were written by Cloudflare Email Security to protect against phishing campaigns leveraging the link wrapping techniques described. They leverage a variety of signals based on historical campaign data, and incorporate machine learning models trained on messages containing link wrapping URLs.
· SentimentCM.HR.Self_Send.Link_Wrapper.URL
· SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment
“Threat actors are constantly evolving their tactics to exploit even the most trusted layers of email security. What we’re seeing with the abuse of link wrapping is a stark reminder that attackers are not just targeting users — they’re manipulating the very systems meant to protect them. At Cloudflare, our mission is to stay ahead of these threats with proactive, AI-powered detection and comprehensive visibility across the email attack surface. We’re committed to helping organizations in the Middle East and globally close these blind spots and build a more secure digital environment,” concludes Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare.
More information can be found on the blog.
-Ends-
About Cloudflare
Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was named to Entrepreneur Magazine’s Top Company Cultures 2018 list and ranked among the World’s Most Innovative Companies by Fast Company in 2019. Headquartered in San Francisco, CA, Cloudflare has offices in Austin, TX, Champaign, IL, New York, NY, San Jose, CA, Seattle, WA, Washington, D.C., Toronto, Lisbon, London, Munich, Paris, Beijing, Singapore, Sydney, and Tokyo.