Weaponizing Trust: Phishing Campaigns and Malware Delivery via Link Wrapping and Cloudflare Tunnels
- SHAH MUHAMMAD ASH-SYAFIQ BIN SHAHRIL
- Aug 1
- 3 min read

Overview
From June through July 2025, researchers observed two coordinated campaigns leveraging trusted services—namely Proofpoint, Intermedia, and Cloudflare Tunnels—to deliver phishing payloads and remote access trojans (RATs) like AsyncRAT and XWorm. These campaigns demonstrate a growing trend among cybercriminals to exploit legitimate cloud and security platforms to scale their operations and avoid detection.
Abuse of Link Wrapping Services
Link wrapping services like those offered by Proofpoint and Intermedia are intended to scan links and protect users from malicious ones. However, attackers have found ways to subvert these defenses. By compromising email accounts within organizations that use these services, threat actors send their phishing emails through the victim organization's own gateway, which automatically wraps their links with trusted URLs such as urldefense.proofpoint[.]com or url.emailprotection[.]com. This tactic increases the likelihood that recipients will click through, mistaking the link for a legitimate one.
A multi-tier redirection approach is also used, where attackers first shorten a URL via services like Bitly, then send it from a Proofpoint-protected account. The result is a redirection chain that bypasses traditional email security filters and ultimately leads the user to a Microsoft 365 phishing page. These emails often impersonate voicemail alerts, Teams notifications, or document delivery prompts.
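The redirection chain above (trusted wrapper, then a shortener, then the phishing page) can be unwound during triage without following any link. The script below is an added example written for this article; it is not code from the article or from Proofpoint, Intermedia or Cloudflare. It assumes the publicly known Proofpoint URL Defense v2 encoding (destination in the `u=` parameter, with `%` written as `-` and `/` as `_`; v1 and v3 links are not handled), treats Intermedia links as recognisable but opaque, and adds a simple self-send heuristic of my own: wrapped links arriving from the recipient's own domain.

```python
"""Triage of wrapped links from a suspicious email.

Added example for this article, not code from the article or from Proofpoint,
Intermedia or Cloudflare. Assumptions: Proofpoint URL Defense v2 links carry the
destination in the `u=` query parameter with '%' written as '-' and '/' as '_'
(the publicly known v2 scheme; v1/v3 are not handled); Intermedia links are
recognised by host only, since their target cannot be decoded offline.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Hosts named in the article as link-wrapping services (defanged there with [.])
WRAPPER_HOSTS = {"urldefense.proofpoint.com", "url.emailprotection.com"}
# Constructed, partial list of URL shorteners used as the first redirection hop
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def unwrap_proofpoint_v2(url: str):
    """Return the destination hidden in a URL Defense v2 link, or None."""
    parts = urlparse(url)
    if parts.netloc.lower() != "urldefense.proofpoint.com" or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u")
    if not encoded:
        return None
    # v2 escapes '%' as '-' and '/' as '_'; a literal '-' in the target is encoded as '-2D'
    return unquote(encoded[0].replace("-", "%").replace("_", "/"))


def triage_link(url: str) -> dict:
    """Classify one URL: wrapped or not, its decoded target, and why it is suspicious."""
    host = urlparse(url).netloc.lower()
    finding = {"url": url, "wrapped": host in WRAPPER_HOSTS, "target": None, "flags": []}
    target = unwrap_proofpoint_v2(url)
    if target:
        finding["target"] = target
        if urlparse(target).netloc.lower() in SHORTENER_HOSTS:
            # wrapper -> shortener -> (unknown) is the multi-tier chain described above
            finding["flags"].append("shortener-behind-wrapper")
    elif finding["wrapped"]:
        finding["flags"].append("opaque-wrapper")  # trusted host, target unverifiable offline
    return finding


def triage_message(sender: str, recipient: str, urls: list) -> dict:
    """Triage all links in one message and apply a simple self-send heuristic (my own,
    not Cloudflare's signature logic): wrapped links arriving from the recipient's own domain."""
    links = [triage_link(u) for u in urls]
    flags = []
    same_domain = sender.rsplit("@", 1)[-1].lower() == recipient.rsplit("@", 1)[-1].lower()
    if same_domain and any(link["wrapped"] for link in links):
        flags.append("self-send-with-wrapper")
    return {"message_flags": flags, "links": links}


if __name__ == "__main__":
    # Constructed sample: a wrapped link whose decoded target is a Bitly shortener
    sample = "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3abcXYZ&d=DwMFaQ&c=x&r=y&m=z&s=w&e="
    print(triage_message("alice@corp.example", "bob@corp.example", [sample]))
```

The decoded target is only the next hop; a shortener behind a wrapper is the signal worth acting on, since a trusted host that resolves to an untrusted redirector is exactly the pattern the campaign relies on.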
Abuse of Cloudflare Tunnels for Malware Delivery
In parallel, another campaign leverages the "TryCloudflare" tunnel service to deliver malware, notably AsyncRAT and XWorm. This service allows users to generate temporary domains without authentication, making it ideal for ephemeral malware delivery infrastructure.
The infection chain starts with a phishing email that includes a URL or a ZIP attachment containing a .URL file. That shortcut points to a remote LNK or VBS script hosted on a Cloudflare Tunnel. When executed, it triggers CMD or BAT scripts that download Python installers and scripts which ultimately install the RATs. These payloads are staged using protocols like WebDAV or SMB, and the chain often displays a decoy PDF to distract the victim.
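Because the chain begins with a .URL file, a static check of that file is the cheapest triage step. The parser below is an added example for this article, not a campaign artifact or any vendor's tooling; it assumes the INI-style InternetShortcut layout, and the indicators it looks for (a `file://` or UNC target on another machine, WebDAV markers such as `@SSL` and `DavWWWRoot`, a `*.trycloudflare.com` host, and a shortcut or script file extension) are my reading of the chain described above rather than a complete signature set. The sample shortcuts are constructed.

```python
"""Static triage of a Windows .URL (InternetShortcut) file.

Added example for this article, not the campaign's files nor any vendor's tooling.
Assumptions: the file follows the INI-style InternetShortcut layout, and the
indicators below (remote file:// or UNC targets, WebDAV markers such as '@SSL' and
'DavWWWRoot', *.trycloudflare.com hosts, shortcut/script file extensions) are my
reading of the infection chain described above, not a complete signature set.
"""
import configparser
import os
from urllib.parse import urlparse

SCRIPT_EXTENSIONS = {".lnk", ".vbs", ".js", ".bat", ".cmd", ".hta"}
LOCAL_FILE_HOSTS = {"", "localhost", "127.0.0.1"}


def assess_url_shortcut(text: str) -> dict:
    """Return the shortcut's target, indicator flags, and a verdict."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_section("InternetShortcut"):
        return {"target": None, "flags": ["no-internetshortcut-section"], "verdict": "unknown"}
    target = cfg["InternetShortcut"].get("URL", "").strip()
    flags = []
    parts = urlparse(target)
    lowered = target.lower()

    # A shortcut that opens a file:// or \\UNC path on another machine makes Windows
    # fetch the target over SMB/WebDAV, which is how the LNK/VBS stage is pulled down.
    if (parts.scheme == "file" and parts.netloc not in LOCAL_FILE_HOSTS) or target.startswith("\\\\"):
        flags.append("remote-file-or-unc-target")
    if "@ssl" in lowered or "davwwwroot" in lowered:
        flags.append("webdav-marker")
    if parts.netloc.lower().endswith(".trycloudflare.com"):
        flags.append("trycloudflare-host")
    if os.path.splitext(parts.path)[1].lower() in SCRIPT_EXTENSIONS:
        flags.append("shortcut-or-script-payload")

    return {"target": target, "flags": flags, "verdict": "suspicious" if flags else "benign"}


# Constructed samples (not real campaign artifacts); 203.0.113.0/24 is a documentation range
SAMPLE_REMOTE_LNK = "[InternetShortcut]\r\nURL=file://203.0.113.10@80/share/invoice.lnk\r\nIDList=\r\n"
SAMPLE_WEBDAV_UNC = "[InternetShortcut]\r\nURL=\\\\203.0.113.10@SSL\\DavWWWRoot\\docs\\invoice.lnk\r\n"
SAMPLE_TUNNEL_VBS = "[InternetShortcut]\r\nURL=https://quiet-ideas-turn-soon.trycloudflare.com/docs/report.vbs\r\n"
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

if __name__ == "__main__":
    for name, sample in [("remote lnk", SAMPLE_REMOTE_LNK), ("webdav unc", SAMPLE_WEBDAV_UNC),
                         ("tunnel vbs", SAMPLE_TUNNEL_VBS), ("benign", SAMPLE_BENIGN)]:
        print(name, assess_url_shortcut(sample))
```

A benign .URL file almost always carries an `http(s)` target with no file extension of interest, so any shortcut that resolves to a remote file share or a script is worth quarantining for a closer look before a user opens it.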
Operational Impact
These techniques represent a low-cost, high-impact approach to cybercrime. By abusing trusted domains and services, attackers are increasing their success rates while reducing exposure. The use of link wrapping in phishing contributes to rising credential theft incidents—Picus Security reported a 300% increase in such cases in 2024. Meanwhile, Cloudflare Tunnel abuse enables scalable and temporary malware infrastructure that's difficult to detect or block.
Financial losses and identity theft remain key consequences. Fraud initiated through phishing emails caused over $500 million in damages in 2024 alone, with victims often facing months-long remediation. Furthermore, the layering of obfuscation and the use of legitimate cloud services complicate forensic analysis and threat response.
Detection and Mitigation
Traditional URL filtering proves ineffective when malicious links are cloaked under trusted domains. Cloudflare has introduced specific detection signatures for emails abusing link wrapping techniques, such as:
- SentimentCM.HR.Self_Send.Link_Wrapper.URL
- SentimentCM.Voicemail.Subject.URL_Wrapper.Attachment
Defenders are encouraged to monitor outbound connections to domains like *.trycloudflare.com, especially when initiated by system processes or unusual binaries. Applying context-aware traffic baselining, restricting Python usage, and hardening script execution policies are also effective.
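The monitoring advice above translates into a small detection rule: connections to `*.trycloudflare.com` are rated by the process that opened them. The script below is an added example for this article, not Cloudflare's or Proofpoint's detection logic. It assumes endpoint network events are available as key=value lines carrying the initiating process image and destination hostname (constructed here, roughly what a Sysmon network-connection event provides), and the allowlist of browsers that merely get logged is a local policy choice, not a recommendation from the article.

```python
"""Detection of outbound connections to TryCloudflare tunnels from unusual processes.

Added example for this article, not Cloudflare's or Proofpoint's detection logic.
Assumptions: endpoint network events are available as key=value lines carrying the
initiating process image and the destination hostname (constructed here, roughly what
Sysmon's network-connection event provides); which processes count as "expected" for
web traffic is a local policy choice, shown here with a small allowlist.
"""
import os
import re

# Interpreters and script hosts the infection chain above runs through (CMD/BAT, VBS, Python)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "python.exe", "pythonw.exe"}
# Constructed allowlist: processes for which a trycloudflare.com connection is only worth logging
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

KV_PATTERN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split 'ts key=value key="quoted value" ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for key, value in KV_PATTERN.findall(rest):
        event[key] = value.strip('"')
    return event


def classify(event: dict):
    """Return (severity, reason) for a tunnel connection, or None if the event is not interesting."""
    dest = event.get("dest", "").lower()
    if not dest.endswith(".trycloudflare.com"):
        return None
    image = os.path.basename(event.get("image", "").replace("\\", "/")).lower()
    if image in SCRIPT_HOSTS:
        return "high", f"script interpreter {image} reached tunnel {dest}"
    if image in BROWSERS:
        return "info", f"browser {image} reached tunnel {dest}"
    # system processes (e.g. the WebClient service inside svchost.exe) and other unusual binaries
    return "medium", f"non-browser process {image} reached tunnel {dest}"


def detect_tunnel_abuse(lines) -> list:
    """Run the classifier over log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        hit = classify(event)
        if hit:
            severity, reason = hit
            alerts.append({"ts": event["ts"], "host": event.get("host"),
                           "severity": severity, "reason": reason})
    return alerts


# Constructed sample events (not real telemetry); tunnel hostnames are made up
SAMPLE_LOG = """
2025-07-15T10:02:11Z host=WS01 image=C:\\Windows\\System32\\cmd.exe dest=quiet-ideas-turn-soon.trycloudflare.com dport=443
2025-07-15T10:02:15Z host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe dest=quiet-ideas-turn-soon.trycloudflare.com dport=443
2025-07-15T10:03:40Z host=WS02 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dest=sunny-paper-green-lamp.trycloudflare.com dport=443
2025-07-15T10:04:02Z host=WS03 image=C:\\Windows\\System32\\svchost.exe dest=update.example.com dport=443
2025-07-15T10:05:09Z host=WS03 image=C:\\Windows\\System32\\svchost.exe dest=sunny-paper-green-lamp.trycloudflare.com dport=443
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_tunnel_abuse(SAMPLE_LOG):
        print(alert)
```

Rating by initiating process is what makes this usable: blocking the whole `trycloudflare.com` domain is a valid policy, but where developers rely on it, the high-severity cases (a shell, script host or Python interpreter talking to a tunnel) are the ones that match the infection chain and deserve an immediate look.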
Organizations should also limit access to external file sharing services and disable unnecessary scripting environments unless required for specific job functions. A layered security model with behavioral detection, user awareness, and strict email hygiene policies remains essential to mitigate these evolving threats.
Conclusion
The abuse of trusted platforms like Proofpoint, Intermedia, and Cloudflare by cybercriminals reflects a strategic shift in phishing and malware campaigns. By hijacking tools originally designed to secure users, threat actors not only boost the success rates of their attacks but also make detection significantly harder. As adversaries continue to evolve their techniques, defenders must enhance visibility, adopt behavior-based detections, and ensure robust user education to combat this new wave of trust-based attacks.
Resources:
- https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
- https://www.cloudflare.com/en-gb/threat-intelligence/research/report/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads/
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats