Check Your Inbox: $500 Million Stolen via “Secure” Links

How protective mechanisms are helping cybercriminals steal your data

Email security mechanisms, originally designed to block malicious links, have unexpectedly become allies of cybercriminals. Experts have identified a troubling trend — attackers are actively exploiting link wrappers from providers like Proofpoint and Intermedia to disguise phishing downloads. Instead of stopping threats, these tools now facilitate their spread, relying on users’ trust in well-known platforms.
According to Cloudflare, the core of the attack involves replacing and “whitening” malicious URLs by wrapping them in trusted domains used by filtering services. These links pass through intermediate resources like urldefense[.]proofpoint[.]com or url[.]emailprotection[.]link, which are meant to analyze URLs at the moment of access. However, when corporate email accounts are compromised, attackers gain the ability to mass-distribute wrapped malicious links, often bypassing filters — the payload is hidden within a trusted layer.
The discovered attacks reveal a well-orchestrated chain of redirects: first a shortened URL (e.g., Bitly), then a link wrapped by Proofpoint or Intermedia, and finally a redirect to a phishing page designed to mimic Microsoft 365 or Teams interfaces. This structure greatly increases the success rate of stealing credentials, as users see familiar domains behind which fake login forms are hidden.
These schemes are especially prevalent through previously hacked corporate inboxes. In attacks involving Proofpoint, cybercriminals sent emails pretending to be voicemail notifications or shared documents. One example included a Bitly link that redirected to urldefense[.]proofpoint[.]com, then to gojo[.]lci-nd[.]com, and finally to a fake Microsoft login page — where user credentials were sent directly to the attackers.
Intermedia’s system was also vulnerable to similar manipulation. A compromised account within an organization would cause outgoing emails to automatically wrap malicious links, making them appear as secure messages from Zix or Microsoft Docs. These emails redirected recipients through email marketing platforms like Constant Contact to phishing pages designed to steal data.
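The redirect chains described above can be checked on the defender's side by judging the destination hidden inside the wrapper rather than the wrapper's trusted domain. The following is an added example, not code from Cloudflare, Proofpoint or Intermedia. It assumes the Proofpoint URL Defense v2 link encoding (`-XX` for `%XX`, `_` for `/`) and `bit.ly` as the shortener host, treats a wrapped link reached through a shortener as a heuristic signal, and uses constructed sample URLs on `.example` domains.

```python
from urllib.parse import urlsplit, parse_qs, unquote

WRAPPERS = {"urldefense.proofpoint.com", "url.emailprotection.link"}  # named in the article
SHORTENERS = {"bit.ly"}  # assumption: Bitly's short-link host

def unwrap_proofpoint_v2(url):
    """Return the destination inside a Proofpoint URL Defense v2 link, else None."""
    parts = urlsplit(url)
    if parts.hostname != "urldefense.proofpoint.com" or not parts.path.startswith("/v2/"):
        return None
    u = parse_qs(parts.query).get("u", [""])[0]
    if not u:
        return None
    # v2 encoding (assumption stated in the lead-in): "-XX" is "%XX", "_" is "/"
    return unquote(u.replace("-", "%").replace("_", "/"))

def assess_chain(hops):
    """hops: redirect chain as recorded by a proxy or sandbox, first URL first."""
    hosts = [urlsplit(h).hostname or "" for h in hops]
    flags, score_hosts = [], []
    for i, (url, host) in enumerate(zip(hops, hosts)):
        if host not in WRAPPERS:
            continue
        # Heuristic: wrappers rewrite links in mail, so reaching one via a
        # shortener is unusual and matches the chain order in the article.
        if any(h in SHORTENERS for h in hosts[:i]):
            flags.append("wrapper-behind-shortener")
        inner = unwrap_proofpoint_v2(url)
        if inner:
            score_hosts.append(urlsplit(inner).hostname)
        else:
            flags.append("opaque-wrapper")  # not decodable here; rely on the final hop
    # Reputation checks should target the real destination, never the wrapper domain.
    if hosts and hosts[-1] not in WRAPPERS and hosts[-1] not in score_hosts:
        score_hosts.append(hosts[-1])
    return {"flags": flags, "score_hosts": score_hosts}

# Constructed sample chains (not real indicators).
CHAIN = [
    "https://bit.ly/3EXAMPLE",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__login-2Dportal.example_voicemail&d=CONSTRUCTED",
    "https://login-portal.example/voicemail",
]
OPAQUE_CHAIN = [
    "https://url.emailprotection.link/?bCONSTRUCTED",
    "https://docs-share.example/login",
]

if __name__ == "__main__":
    print(assess_chain(CHAIN))
    print(assess_chain(OPAQUE_CHAIN))
```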
The scale of the issue is significant. According to the U.S. Federal Trade Commission (FTC), email fraud caused over $500 million in damages in 2024 alone. Over 1.1 million identity theft cases were reported, and tax fraud recovery takes an average of 22 months. Reports from Comcast and Picus Security show that phishing was the entry point for 67% of successful attacks, contributing to a 300% increase in credential theft.
Traditional filters are no longer enough to protect against such threats. Effective defense now requires advanced techniques based on machine learning and behavioral analytics. Modern systems must evaluate the sender's history, URL structure, message context, and even emotional tone.
This kind of adaptive protection can detect threats before a user clicks the link by analyzing past activity, content, link structure, and emotional language. However, the fact that tools designed to protect users have become weapons for attackers raises serious concerns about the security of trusted platforms — and highlights the urgent need to rethink their architecture.