Hackers Are Stealing Microsoft 365 Accounts via Link-Wrapping Attacks

Cybercriminals are actively targeting Microsoft 365 users by abusing link-wrapping services to launch phishing campaigns. In this new tactic, attackers create convincing emails that redirect recipients to fake login pages designed to steal credentials. This phishing method has been active for months and is particularly effective because it exploits users’ trust in security services.

How Hackers Exploit Link-Wrapping Services in Microsoft 365 Attacks

Link-wrapping services like Proofpoint’s URL Defense are meant to protect users by rewriting every email link to pass through a secure gateway. However, hackers are using this process to their advantage. Since the rewritten links appear to come from a trusted source, recipients are more likely to click without hesitation. Once clicked, these links lead to fraudulent Microsoft 365 sign-in pages, where attackers harvest usernames and passwords.

Why This Microsoft 365 Phishing Method Works

The success of this campaign lies in its use of familiarity and urgency. Victims see a secure-looking link from a recognized email protection service, making the phishing email appear authentic. Cloudflare researchers report that these campaigns have been active for at least two months, showing that attackers are achieving results. Once credentials are stolen, hackers gain access to sensitive emails, files, and potentially corporate networks.

How to Protect Your Microsoft 365 Account from Phishing Attacks

To stay safe from these phishing campaigns, users and businesses should implement multi-factor authentication (MFA) on all Microsoft 365 accounts. Regularly training employees to identify suspicious emails, even those with seemingly legitimate links, is essential. Additionally, monitoring for unusual login activity and using AI-powered email threat detection can help reduce exposure to link-wrapping attacks.