Microsoft Outlook, Office 365 passwords leaked in a massive data breach

A new phishing campaign has raised concerns over the security of Microsoft Outlook and Office 365 accounts. Threat actors have been leveraging trusted link-wrapping services to distribute malicious URLs that redirect users to credential-harvesting pages, leading to the theft of Microsoft login information.

The attackers exploited email security tools from cybersecurity provider Proofpoint and cloud communications firm Intermedia between June and July. These platforms include link-wrapping features that rewrite URLs with trusted domains and scan them for malicious content. However, in this campaign, compromised accounts were used to wrap and send already malicious links, bypassing traditional email filters.

According to Cloudflare’s Email Security team, the attackers gained access to Proofpoint and Intermedia-protected email accounts and used them to send phishing emails containing “laundered” links. These links appeared legitimate due to the wrapping and redirection process.

“Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” Cloudflare researchers explained. “The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping.”

Also read: Tools to check password breach

The phishing emails often impersonated common business tools. Some messages mimicked Microsoft Teams notifications, claiming the recipient had received a new message. Others were disguised as voicemail alerts or secure message prompts. The links within these emails, once clicked, led to Microsoft 365 phishing pages designed to steal credentials.

In one observed tactic, the attackers used a shortened URL first, which was then automatically wrapped by a compromised account’s security platform. This multi-layered obfuscation helped bypass user suspicion and automated security tools.

Security implications

This campaign highlights a growing threat vector: abusing legitimate email security features to carry out phishing attacks. By hiding behind trusted domains and using real services like Constant Contact to host phishing pages, attackers were able to increase the success rate of their operations.

While it is unclear how many users were affected, the breach underscores the need for multi-factor authentication and regular monitoring of login activity. Enterprises using Microsoft Outlook and Office 365 should review email security configurations and educate users about advanced phishing tactics.