Cybercriminals weaponise trusted security tools to bypass detection and increase click-through rates
Cloudflare has uncovered a wave of phishing campaigns that abuse Proofpoint and Intermedia’s link wrapping services to conceal malicious destinations, enabling attackers to bypass defences and exploit user trust in security providers.
Between June and July 2025, Cloudflare’s Email Security team tracked a cluster of attacks redirecting victims to Microsoft Office 365 phishing sites. Link wrapping, intended to protect users by routing all clicked URLs through a scanning service, becomes a vulnerability if the wrapped link is not flagged as malicious at the moment of click.
For example, a dangerous link like http://malicioussite[.]com might appear as a legitimate Proofpoint URL such as https://urldefense[.]proofpoint[.]com/.... According to Cloudflare, recipients are more likely to click on such “trusted” domains, dramatically increasing the success rate of phishing campaigns.
“Attackers are not just targeting users — they’re manipulating the very systems meant to protect them.”
— Bashar Bashaireh, AVP Middle East, Türkiye & North Africa, Cloudflare
The impacts are wide-ranging:
- Financial loss — FTC data shows email was the contact method in 25% of fraud reports in 2024, totalling $502 million in losses.
- Identity theft — Phishing remains a key driver of over 1.1 million identity theft cases annually.
- Operational burden — Victims spend an average of 676 days resolving tax-related identity theft cases.
- Breach entry point — Comcast research indicates 67% of breaches begin with someone clicking a seemingly safe link.
- Credential theft — Picus Security recorded a 300% spike in incidents in 2024, partly due to more effective phishing methods.
Cloudflare warns that because these campaigns exploit the domains of trusted vendors, conventional reputation-based URL filtering fails to detect them. To counter the threat, Cloudflare has deployed targeted detections powered by historical campaign analysis and machine learning, including:
SentimentCM.HR.Self_Send.Link_Wrapper.URLSentimentCM.Voicemail.Subject.URL_Wrapper.Attachment
“Threat actors are constantly evolving their tactics to exploit even the most trusted layers of email security,” said Bashaireh. “Cloudflare’s mission is to close these blind spots with proactive, AI-driven detection and full visibility across the email attack surface.”
