REQUEST A DEMO
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Analysis of recent phishing campaigns reveals a shift in attacker tactics. As modern security systems improve at detecting traditional phishing emails, threat actors are increasingly abusing link-wrapping services and trusted infrastructure to bypass filters and deliver their campaigns. Link-wrapping conceals malicious URLs behind redirects, making the initial link appear trustworthy because it is routed through a legitimate service. Compromised infrastructure further strengthens these attacks, allowing adversaries to send phishing from real accounts associated with trusted brands and evade most reputation-based security measures. Together, these trends show that phishing is no longer limited to suspicious domains or poorly crafted lures, but is evolving into attacks that blend into legitimate business workflows.
Attackers have abused link-wrapping services from Proofpoint and Intermedia to disguise malicious destinations leading to Microsoft 365 phishing portals. Both services are designed to rewrite links in emails to trusted domains and route them through scanning servers, which should block malicious targets.In this campaign, adversaries compromised Proofpoint- and Intermedia-protected accounts to distribute links that appeared legitimate. The attackers first shortened the malicious URLs, which were then automatically wrapped by the protection service when sent from the compromised accounts, making the final phishing links appear to originate from trusted infrastructure. Victims received lures such as voicemail alerts, Zix secure message notifications, or fake Microsoft Teams messages, all of which redirected through the wrapping service to a phishing site. At the end of the chain, the pages impersonated Microsoft 365 login portals and harvested credentials. By piggybacking on trusted security infrastructure, the attackers increased their ability to bypass filters and lower suspicion among recipients.
Cisco Safe Links, a feature of Cisco’s Secure Email Gateway and Web Security suite, has been abused to disguise malicious destinations behind Cisco-owned infrastructure. Safe Links is intended to protect users by rewriting URLs so that clicks route through Cisco’s scanning systems at secure-web[.]cisco[.]com. In these campaigns, adversaries found ways to generate legitimate Safe Links for phishing purposes, including the use of compromised accounts inside Cisco-protected organizations, abusing cloud services that send email through Cisco environments, and recycling Safe Links created in earlier campaigns. The resulting links appeared to originate from Cisco infrastructure and carried the implicit trust of Cisco’s security brand, allowing them to bypass filters and reduce user suspicion. Victims were lured with professional-looking messages such as document review requests that redirected through Cisco’s scanning domain before landing on credential harvesting portals.
A Gmail campaign used prompt injection to deceive both users and Gmail’s AI assistant. The phishing emails began with a link that first routed through Microsoft Dynamics, giving the message a trustworthy hop and allowing it to bypass initial scrutiny. The visible content warned that the recipient’s Gmail password was about to expire and urged them to confirm credentials. Hidden in the HTML were prompt injection instructions written in zero size white text, invisible to humans but processed by the Gemini assistant when asked to summarize the email. Instead of identifying the malicious link, the model was diverted into reasoning loops and irrelevant outputs, such as fabricated compromise warnings or directions to call attacker-controlled numbers. This attack shows how attackers can use legitimate services and hidden instructions together to bypass security filters and conduct prompt-injection attacks against LLMs.
Taken together, these cases demonstrate how link-wrapping abuse undermines core assumptions about trust in redirect services. By embedding malicious destinations inside Microsoft, Cisco, or Google-controlled links, attackers erode the value of domain reputation and exploit brand trust to reduce suspicion. These campaigns show that defenders cannot rely on the initial domain as a measure of safety and must instead inspect full redirect chains, validate final destinations, and adapt detection strategies to account for attackers’ ability to manipulate both automated filtering and AI-driven tools.
Attackers have abused Microsoft 365 Direct Send, a feature in Exchange Online that lets devices and applications send email within a tenant without authentication. By knowing a tenant’s smart host address and a valid recipient, threat actors can spoof internal users and deliver phishing emails without ever logging in. These messages are routed through Microsoft infrastructure and often appear as internal traffic, allowing them to bypass SPF, DKIM, DMARC, and many third-party filters. In recent campaigns, victims received voicemail-style lures with PDF attachments containing QR codes that linked to phishing portals harvesting Microsoft 365 credentials. Direct Send abuse shows how a legitimate feature can be weaponized to mimic trusted internal communication, making it critical for organizations to monitor smart host usage and detect anomalous activity that appears to originate from inside the tenant.
Attackers have hijacked corporate subdomains of major organizations, including Bose, Panasonic, and the US Centers for Disease Control and Prevention, by exploiting abandoned cloud resources linked to misconfigured DNS CNAME records. When an organization decommissions a cloud service but leaves the DNS entry active, the subdomain becomes vulnerable to takeover. The threat group Hazy Hawk has registered these dangling resources, gaining control of legitimate-looking subdomains that inherit the trust of the parent brand. Once hijacked, the subdomains are used to host phishing portals, malware, or scams such as fake antivirus alerts and tech support fraud. As the domains belong to trusted organizations, reputation-based defenses often fail, and victims are more likely to engage. These campaigns show how administrative oversight in DNS management can directly translate into high-impact phishing.
Zoom Events has been abused to distribute phishing and malware by sending messages directly from noreply-zoomevents@zoom[.]us. These emails are cryptographically signed with valid SPF, DKIM, and DMARC records, which makes them appear legitimate and allows them to bypass security filters. Victims receive event invitations or notifications that include links to docs.zoom.us, which then redirect to adversary-in-the-middle credential phishing portals or to malicious downloads such as a renamed ScreenConnect executable. The campaigns often use professional branding, urgent subject lines, and fake verification steps to pressure recipients into engaging. The trust created by Zoom’s infrastructure and event workflow makes these emails difficult for both users and automated defenses to distinguish from genuine communication. This abuse shows how attackers can weaponize collaboration platforms to embed phishing in trusted business processes.
Threat actors conducted a large-scale phishing campaign by abusing Google Classroom to distribute more than 115,000 malicious emails targeting over 13,500 organizations worldwide. The operation unfolded in five waves over a single week and relied on fake classrooms created by the attackers. Invitations were sent from the legitimate no-reply@classroom.google[.]com address, which gave the emails the appearance of authenticity and allowed them to bypass security filters. Instead of educational material, the invitations contained commercial lures such as offers for SEO optimization or product reselling. Recipients were urged to continue the conversation over WhatsApp, shifting the interaction to an unmonitored channel where the attackers could carry out fraud.
Collectively, these campaigns show that compromised infrastructure and hijacked accounts let phishing appear as legitimate communication. Attackers exploit trusted tenants, subdomains, and SaaS platforms to bypass traditional defenses and take advantage of brand reputation to deceive users. Email security systems must take into account all indicators before determining if an email is malicious. Relying solely on the reputation of sender email addresses is no longer a viable method to mitigate phishing. The number of emails originating from legitimate infrastructure is going to increase as more threat actors realize the current limitations of email security.
RaccoonO365 is a Phishing-as a-Service (PhaaS) operation that combines the techniques seen in both link wrapping and compromised infrastructure campaigns. The service relies on the Postman Mailer tool to send phishing emails through compromised Microsoft 365 tenants. Since these messages originate from Microsoft infrastructure, they bypass authentication checks such as SPF and DKIM and appear legitimate to recipients. The emails often carry PDF attachments that instruct the recipient to open a link through the lnk[.]ie shortening service. The shortened address conceals the true destination until it is clicked, helping the phishing page evade filtering and reputation checks.
Each compromised Microsoft 365 account contributes to the overall growth of the platform. Contacts within victim tenants are harvested and converted into lead lists that are reused across future campaigns. Compromised accounts are also volunteered into the Postman Mailer, where they become part of the sending infrastructure for other affiliates. This creates a feedback loop where every phishing victim generates both new targets and new delivery infrastructure, strengthening the platform over time. In practice, all subscribers function as collaborators, sharing and expanding a common pool of compromised accounts that improves overall campaign effectiveness.
RaccoonO365 shows how phishing has shifted from isolated campaigns to large PhaaS models built on legitimate infrastructure. By abusing Microsoft email sending infrastructure and using link obfuscation, affiliates achieve high delivery rates and credibility that are difficult to detect or block. Each new victim strengthens the ecosystem, making the platform a persistent and scalable threat to enterprise environments. The threat landscape is likely to see more operations combining the tactics of malicious link obfuscation and the use of legitimate infrastucure to send phishing emails as there is no catch-all solution to detecting these emails. Currently, organizations must rely on existing security tools and human judgement, both of which have been consistently bypassed by threat actors.
The campaigns outlined in this report demonstrate that phishing is becoming more advanced and realistic by using trusted infrastructure to bypass defenses. Traditional filtering and domain reputation checks are no longer enough when malicious links are wrapped in Microsoft or Cisco redirects, or when phishing is sent from real Microsoft 365 tenants or partner email accounts. Organizations need to implement security systems that can unwrap and analyze redirect chains and monitor for unusual account activity. More importantly, these threats require more robust user education. Employees must be trained to recognize social engineering, understand that even links delivered by trusted services or people may be malicious, and know how to validate the legitimacy of emails before responding. Phishing will continue to evolve by blending into legitimate workflows, and only a combination of stronger defenses and informed users will reduce the risk of compromise.