Full Report
A threat actor has been abusing link wrapping services from reputable technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials. [...]
Analysis Summary
# Tool/Technique: Link Wrapping Service Exploitation (Generic Phishing Mechanism)
## Overview
This describes a phishing technique where attackers abuse legitimate link-wrapping or email security services (such as Intermedia's service) to obscure malicious URLs, increasing the likelihood that security gateways will trust the communication. The ultimate goal is to direct victims to Microsoft 365 phishing pages to harvest credentials.
## Technical Details
- Type: Technique (Phishing/Delivery Mechanism)
- Platform: Email/Web-based (Targeting users accessing Microsoft 365)
- Capabilities: URL obfuscation, domain spoofing (via legitimate sender context), multi-tier redirection.
- First Seen: A recent development in the phishing scene (as of the article's context).
## MITRE ATT&CK Mapping
Since this describes a specific delivery chain involving URL manipulation, it primarily falls under Initial Access and Defense Evasion.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (While not an attachment, the delivery method is highly targeted email)
- T1566.002 - Spearphishing Link
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (The wrapping process acts as a form of obfuscation/trust manipulation)
## Functionality
### Core Capabilities
- **URL Obfuscation:** Utilizing trusted link-wrapping services (e.g., Intermedia) to hide the final malicious destination.
- **Social Engineering Lures:** Employing lures such as fake notifications for voicemail, secure messages ("Zix" secure message notification), or shared Microsoft Teams documents.
- **Multi-Tier Redirection:** In some cases an initial URL shortener is itself wrapped by the security service, and the chain may pass through yet another legitimate service (e.g., Constant Contact) before reaching the final payload.
### Advanced Features
- **Trust Augmentation:** By routing the malicious link through a legitimate, trusted entity (the link wrapper), the attacker deceives security scanners and users into believing the link originated from a safer source.
- **Targeting Account Security:** Explicitly focused on gaining unauthorized access to email accounts protected by link-wrapping features.
## Indicators of Compromise
As this focuses on a *technique* leveraging third-party services, the indicators are highly contextual to the specific campaign instance.
- File Hashes: N/A (Focus is on delivery URL structure)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: URLs that pass through link-wrapping services and lead to credential harvesting pages designed to mimic Microsoft 365 login screens. (Actual URLs are not provided in the context, but observation of a campaign would reveal patterns of abuse involving services like `intermedia.net` or their associated redirects.)
- Behavioral Indicators: Users clicking links in legitimate-looking notifications (Teams, Zix) that redirect multiple times before presenting a Microsoft login form.
## Associated Threat Actors
The article snippet does not explicitly name a specific threat actor group for the **Intermedia link wrapping abuse**, but mentions generalized "threat actor(s)" using this methodology to gain unauthorized access to email accounts.
## Detection Methods
Detection focuses on analyzing the multi-step redirection chain and the final destination content.
- Signature-based detection: Rules targeting the specific URL patterns used by the link-wrapping service combined with known phishing domains.
- Behavioral detection: Monitoring for URL redirects where the initial URL belongs to a known security/wrapping service, but the final destination is a known credential harvester targeting common enterprise SSO pages (like M365).
- YARA rules: N/A (Focus is network/URL-based)
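To make the behavioural detection above concrete, the following added example (not code from the article or from any vendor) walks a simulated redirect chain offline and flags the pattern the summary describes: a trusted wrapper as the first hop, extra tiers (shortener, marketing redirector), and a final page that presents a Microsoft 365 login from a non-Microsoft domain. `intermedia.net` is the wrapping service named in the article and the `login.microsoft*` hosts are Microsoft's real sign-in domains; every other host, URL and the redirect map are constructed placeholders standing in for live HTTP 30x responses.

```python
from urllib.parse import urlparse

# intermedia.net is the wrapping service named in the article; every other host below
# is a constructed placeholder, and a gateway would substitute its own lists.
WRAPPING_SERVICE_HOSTS = {"intermedia.net", "linkwrap.example"}
SHORTENER_HOSTS = {"short.example"}
LEGIT_M365_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
LURE_KEYWORDS = ("microsoft", "office365", "o365", "sharepoint", "teams", "voicemail", "zix")

# Constructed redirect map standing in for live HTTP 30x responses.
REDIRECTS = {
    "https://wrap.intermedia.net/r?u=abc123": "https://short.example/x1",
    "https://short.example/x1": "https://redirect.example-marketing.test/c/77",
    "https://redirect.example-marketing.test/c/77": "https://office365-login.example.net/voicemail/login",
    "https://wrap.intermedia.net/r?u=def456": "https://login.microsoftonline.com/common/oauth2/authorize",
}

def in_domains(url, domains):
    # exact host match or subdomain; login.microsoftonline.com.evil.test does NOT match
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def follow_chain(start, resolver, max_hops=10):
    """Walk redirects via resolver(url) -> next URL or None, stopping on loops or the hop cap."""
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        nxt = resolver(chain[-1])
        if nxt is None or nxt in seen:  # end of chain or redirect loop
            break
        chain.append(nxt); seen.add(nxt)
    return chain

def analyze_chain(chain):
    """Return (suspicious, reasons): trusted first hop, extra tiers, M365 lookalike at the end."""
    reasons = []
    wrapped = in_domains(chain[0], WRAPPING_SERVICE_HOSTS)
    if wrapped:
        reasons.append("first hop is a link-wrapping service")
    if any(in_domains(u, SHORTENER_HOSTS) for u in chain[1:-1]):
        reasons.append("URL shortener inside the chain")
    if len(chain) >= 3:
        reasons.append(f"multi-tier redirection ({len(chain) - 1} hops)")
    final = chain[-1].lower()
    lookalike = any(k in final for k in LURE_KEYWORDS) and not in_domains(final, LEGIT_M365_HOSTS)
    if lookalike:
        reasons.append("final page presents a Microsoft 365 login off Microsoft domains")
    return lookalike or (wrapped and len(chain) >= 3), reasons

def assess(start_url):
    return analyze_chain(follow_chain(start_url, REDIRECTS.get))
```

A wrapped link that resolves straight to `login.microsoftonline.com` is reported as benign, so the logic distinguishes legitimate wrapping from the abuse pattern rather than flagging every wrapped URL.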
## Mitigation Strategies
Mitigation centers on reducing reliance on URL reputation alone and improving user awareness regarding multi-step links.
- Prevention measures: Configure email gateways to perform deep URL inspection, analyzing the entire redirect chain rather than trusting the first URL. Investigate and potentially restrict or tightly monitor outbound traffic from compromised accounts using these wrapping services.
- Hardening recommendations: Implement Multi-Factor Authentication (MFA) on all Microsoft 365 accounts, as credential harvesting alone will then not grant full access. Provide user training specifically focused on suspicious links embedded within seemingly legitimate notification emails.
## Related Tools/Techniques
- Generic URL Shorteners (T1189)
- Phishing Campaigns utilizing compromised legitimate accounts.
- Exploitation of legitimate cloud services for malware delivery.