Microsoft 365 Phishing via Link Wrappers

Introduction

Cybercriminals are finding new ways to trick users and bypass security defenses. The latest technique gaining traction involves the exploitation of popular link wrapping services to run sophisticated phishing campaigns. Their ultimate target? Your Microsoft 365 credentials. These attacks are not only harder to detect but are also affecting individuals and businesses at an alarming rate.

What Are Link Wrappers?

Link wrapping services, such as those provided by FedEx, Google, and LinkedIn, are designed to track clicks and manage redirections in a marketing or analytics context. These platforms turn regular URLs into shorter, trackable links. But attackers have found a dangerous loophole.

By embedding malicious URLs inside these wrapped links, threat actors can mask phishing sites behind seemingly legitimate domains. Since these domains are widely trusted, endpoint protection tools often allow them through — giving attackers a substantial advantage.

How the Phishing Attack Works

The phishing campaign starts with what looks like a harmless email. These emails often claim to be from trusted services and typically contain a wrapped link. Here’s how it unfolds:

  • Step 1: The attacker sends an email with a link wrapped by a trusted platform (e.g., a Google link that redirects elsewhere).
  • Step 2: The user clicks the link, which goes through the legitimate domain before silently redirecting to a phishing site.
  • Step 3: The phishing site mimics a Microsoft 365 login page, prompting the user to enter credentials.
  • Step 4: Once the user submits the information, it’s immediately captured by the attacker.

The stealthy redirection process lets the phishing site bypass many email defense systems, web filters, and browser protections.

Popular Services Being Exploited

These campaigns abuse the link wrapping services of major online brands to gain trust and trick users. The most commonly abused platforms include:

  • Google AMP and Webcache: Google’s high reputation makes links starting with google.com/webcache or amp.google.com look legitimate.
  • FedEx: Attackers use FedEx delivery update links to camouflage malicious redirects.
  • LinkedIn: Attackers use LinkedIn’s tracking redirection system to make phishing links appear professional.

Notably, most of these services were never intended for this use — but attackers are exploiting their trust factor.

The Ultimate Goal: Microsoft 365 Credentials

The endgame of these phishing attacks is to harvest login details for Microsoft 365 accounts. With so many organizations relying on Microsoft for email, storage, and business tools, gaining access offers cybercriminals a massive payoff — from stealing data to launching internal attacks or demanding ransom.

Why This Technique Is So Effective

  • Trusted Domains: Email security filters often allow domains like google.com or linkedin.com, letting threats slip through unnoticed.
  • Realistic Pages: The phishing sites are highly convincing replicas of Microsoft 365 login pages.
  • Obfuscated URLs: Wrapped links hide the actual destination, making visual inspection fruitless for users.

How to Protect Against These Phishing Attacks

Organizations and individuals need to stay vigilant. Here are some best practices for minimizing risk:

  • Educate users: Train employees to hover over links and recognize suspicious redirects, and to remember that a wrapped link shows only the wrapper's domain, not the final destination.
  • Use browser isolation tools: Open URLs in sandboxes when possible to limit execution of malicious content.
  • Implement advanced email gateways: Use filtering systems that inspect redirection paths, not just the visible link.
  • Enable multi-factor authentication (MFA): Even if credentials are stolen, MFA provides a second layer of defense.
  • Regularly monitor login activity: Keep an eye on unusual access patterns and failed sign-in attempts.
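
As an added example (not code from the original article or any vendor), here is one way a mail filter could inspect the redirection path rather than the visible host. It statically unwraps destinations embedded in a link's path, query or fragment. The allowlist, host names and sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: hosts a filter currently allows on reputation alone (constructed names).
TRUSTED_WRAPPERS = {"wrapper.example", "track.example.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
MAX_DEPTH = 5  # wrappers can be nested; bound the recursion

# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://wrapper.example/r?u=https%3A%2F%2Flogin-portal.example.net%2Fsignin",
    "https://track.example.org/c/https://wrapper.example/r"
    "?u=https%253A%252F%252Flogin-portal.example.net%252F",
    "https://wrapper.example/help/article?id=42",
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def embedded_urls(url):
    """Return URLs carried inside the path, query values or fragment of `url`."""
    parts = urlsplit(url)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query)] + [parts.fragment]
    found = []
    for value in values:
        for _ in range(3):  # undo repeated percent-encoding layers
            value = unquote(value)
        found += URL_RE.findall(value)
    return found

def unwrap(url, depth=0):
    """Statically (no network) list every host the link names, outermost first."""
    chain = [host_of(url)]
    if depth < MAX_DEPTH:
        for inner in embedded_urls(url):
            chain += unwrap(inner, depth + 1)
    return chain

def assess(url):
    """Report hosts hidden behind an allowlisted wrapper domain."""
    chain = unwrap(url)
    hidden = [h for h in chain[1:] if h and h not in TRUSTED_WRAPPERS]
    return {"visible_host": chain[0], "hidden_hosts": hidden,
            "bypass_risk": chain[0] in TRUSTED_WRAPPERS and bool(hidden)}

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess(link))
```

Static unwrapping only catches destinations carried in the link itself. Wrappers that keep the target server-side behind an opaque token still require following the redirect in a sandbox and scanning where it lands.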

Final Thoughts

As phishing techniques evolve, it’s crucial for businesses and users to understand these smarter, more dangerous methods. Link-wrapping services were built for convenience and tracking, but in the wrong hands, they become stealthy tools of exploitation.

To stay ahead of these threats, don’t just rely on traditional filters or link scanners. Combine threat intelligence with continuous employee training and proactive monitoring. In today’s digital landscape, awareness is your first line of defense against Microsoft 365 phishing threats.