CloudFlare Warns Of Alarming Link-Wrapping Exploit To Steal Microsoft 365 Logins
Before we delve into the nature of these attacks, it's good to understand link wrapping features. These features are designed to shield email users from phishing attacks (ransomware gangs use this a lot). They protect users by rewriting URLS and passing them through some scanning servers. So if an email user clicks on a rewritten URL, the security system will go ahead of the user and scrutinize the intended destination of the URL. If the destination is safe, it will allow entry; however, if it leads to a malicious destination, it displays a warning message on the screen and blocks access.
Well, hackers are now using sophisticated tactics to circumvent these link protection features, making their phishing links appear legitimate to users.
At least two separate phishing email campaigns are deploying the aforementioned tactic. In one of these attacks, hackers trick Microsoft Office 365 users into clicking a malicious link to open a document. If a user falls for this subterfuge, the link will redirect a couple of times and ultimately land the victim on a fake Microsoft Office 365 login page. This fraudulent page is where hackers exfiltrate a victim's username and password.
In the second attack, hackers create fake email messages with a 'Go to file' button and a link already processed with an abused link protection service. If users click this button, they are redirected to a fake Microsoft login page where their login credentials will be harvested.
Cloudflare is encouraging Microsoft users to remain vigilant and wary of these attacks. To protect yourself, it's better to hover over any link to confirm its destination before clicking. Beyond this, it's always good to verify the sender's email address and ensure it's legitimate. Also, it's worth noting that any email that creates a sense of urgency or pressures you into clicking a link is likely a scam. Stay vigilant!
