Cybersecurity researchers have uncovered a new phishing method that uses multi-layer URL redirects to steal Microsoft 365 login credentials — bypassing traditional security systems by exploiting trusted link-wrapping services like Proofpoint and Intermedia.
Abusing Protective Link-Wrapping
Typically, services like Proofpoint’s URL Defense wrap and scan links in emails to block known threats. However, attackers have discovered a workaround: if a malicious link hasn’t been flagged yet, the email can pass through undetected.
These phishing attempts often originate from compromised internal email accounts, allowing attackers to send malicious links that are automatically rewritten using the organization’s own email security tools (e.g., urldefense.proofpoint[.]com/v2/url?...), making them appear trustworthy.
Multi-Tiered Redirect Chains
Cloudflare researchers observed that threat actors are now layering redirects. First, they shorten a malicious URL using a service like Bitly. Then, they send the shortened link through a Proofpoint-secured email account, causing the system to apply a second redirect.
This creates a chain of obfuscation:
Bitly → Proofpoint URL Defense → Phishing Page
The multiple redirections make it harder for email filters and users to detect suspicious behavior — increasing the success rate of these phishing attacks.
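As an added example (not code from the Cloudflare report or the article above), here is a defender-side triage script that statically decodes a Proofpoint URL Defense v2 wrapper, without fetching anything, and flags the chain shape described here: a wrapped link whose inner target is a URL shortener. The sample links and the shortener list are constructed for illustration, and the `-` to `%` and `_` to `/` decoding follows the publicly known v2 convention.

```python
"""Offline triage for the Bitly -> Proofpoint URL Defense -> phishing chain:
unwrap a v2 rewrite without following it and flag wrapped shortener links."""
from typing import Optional
from urllib.parse import urlparse, parse_qs, unquote

# Shortener domains seen as the first hop of such chains (illustrative list;
# an organization would tune it from its own telemetry).
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "is.gd"}

# Constructed sample links as they might appear in an inbound email.
SAMPLE_EMAIL_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abcXYZ&d=DwMFaQ&c=EXAMPLE&r=EXAMPLE&m=EXAMPLE&s=EXAMPLE&e=",
    "https://bit.ly/3abcXYZ",
    "https://www.microsoft.com/",
]

def unwrap_urldefense_v2(url: str) -> Optional[str]:
    """Decode the inner target of a Proofpoint URL Defense v2 link.

    v2 carries the original URL in the `u` parameter with '%' written as '-'
    and '/' written as '_'. Returns None when the link is not a v2 wrapper.
    """
    parsed = urlparse(url)
    if parsed.hostname != "urldefense.proofpoint.com" or not parsed.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parsed.query).get("u", [None])[0]
    if encoded is None:
        return None
    return unquote(encoded.replace("-", "%").replace("_", "/"))

def classify_link(url: str) -> dict:
    """Return the decoded hops and a verdict for one email link."""
    hops = [url]
    inner = unwrap_urldefense_v2(url)
    if inner is not None:
        hops.append(inner)
    target_host = (urlparse(hops[-1]).hostname or "").lower()
    shortener = target_host in SHORTENER_DOMAINS
    if inner is not None and shortener:
        verdict = "wrapped-shortener"  # the layered chain from the campaigns above
    elif shortener:
        verdict = "shortener"
    else:
        verdict = "plain"
    return {"hops": hops, "target_host": target_host, "verdict": verdict}

def triage(links) -> list:
    """Return classifications for links that deserve analyst attention."""
    return [c for c in map(classify_link, links) if c["verdict"] != "plain"]
```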
Phishing Lures: Voicemails, Documents, and Teams Notifications
In recent campaigns, attackers disguise their emails as:
- Voicemail alerts: Asking users to click a link to “listen” to a message.
- Document notifications: Pretending to be files shared via Microsoft Teams.
- Unread message alerts: Claiming the recipient has pending messages in Teams, prompting them to “Reply in Teams.”
All of these tactics redirect the user to fake Microsoft 365 login pages, designed to harvest their credentials.
Leveraging SVG Files in Phishing
At the same time, phishing campaigns are increasingly using SVG (Scalable Vector Graphics) files to bypass security. Unlike traditional image formats, SVGs are written in XML and can embed JavaScript, HTML, and clickable links — making them powerful tools for delivering hidden malware or triggering credential theft.
Fake Zoom Invites Add to the Threat
Another trend involves embedding fake Zoom meeting invitations. These links take users to a fake “Zoom interface,” display a fake error like “Meeting connection timed out,” and then redirect them to a credential-stealing page.
According to Cofense, once a victim attempts to “rejoin” the meeting, their credentials, IP address, location, and other metadata are exfiltrated — often via Telegram, an encrypted messaging app favored by cybercriminals for its anonymity.
Stay Vigilant Against Multi-Layered Threats
As phishing attacks evolve, they’re increasingly relying on legitimate tools and trust-based systems to avoid detection. At [Your Company Name], we help organizations monitor these tactics and implement proactive defenses across all layers of communication.
Need to strengthen your email protection or threat detection strategy?
Contact us to learn how our cybersecurity experts can help secure your infrastructure.
Source: https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html