A sophisticated malvertising campaign is abusing legitimate link-wrapping services from Proofpoint and Intermedia, combined with Microsoft’s own Active Directory Federation Services (ADFS) redirect logic, to seamlessly steal Microsoft 365 credentials and bypass multi-factor authentication (MFA). The attack chain, active since at least June 2025, exploits trust in vendor domains and Microsoft’s authentication flows to evade both automated scanners and human suspicion. Security researchers at Cloudflare, Push Security, and Proofpoint have all documented variants of this campaign, which has targeted thousands of organizations globally.
This latest threat arrives alongside two other significant developments: Microsoft Research’s unveiling of Project Ire, a large language model (LLM)–driven autonomous malware classification system, and a botched August update that disabled critical Windows recovery tools. Together, these events underscore a shifting security landscape where attackers weaponize trust, defenders turn to AI for scale, and operational resilience becomes paramount.
How the malvertising attack chain operates
The campaign’s success hinges on a multi-stage redirection chain that launders malicious URLs through trusted intermediaries, ultimately delivering victims to convincing phishing portals that capture credentials and session cookies. It begins not with email, but with malvertising: attackers purchase sponsored search ads or inject malicious ads onto legitimate websites. A user searching for “Office 365” might click a typo-squatted ad for “Office 265” and land on an initial redirect page.
From there, the link is passed through a legitimate URL-shortening service and then through a vendor wrapper such as Proofpoint’s URL Defense or Intermedia’s link protection. These wrappers are designed to rewrite URLs so that clicks route through a scanning engine, but in this campaign they serve to mask the final destination. Because the wrapper domain is trusted by email security tools and users alike, initial security scans often approve the click.
What follows is a cascade of redirects—at times five or more hops—through ad tracking domains, content delivery networks, and even legitimate Microsoft domains. In the most advanced variant, attackers create a Microsoft tenant with ADFS configured to redirect users to an attacker-controlled credential harvester while still displaying “office.com” or “outlook.office.com” in the browser’s address bar. This abuse of enterprise federation trust makes the login prompt look utterly legitimate.
Once the victim lands on the fake Microsoft 365 login page, the adversary-in-the-middle (AiTM) technique takes over. As detailed in Proofpoint’s April 2025 report, the phishing kit acts as a reverse proxy between the victim and the real Microsoft authentication service. When the user enters their username and password, those credentials are captured in real time. Then the attacker’s server forwards the MFA prompt to the victim, who enters the one-time code or approves the push notification. The attacker simultaneously captures the MFA token and, crucially, the session cookie issued after successful authentication. With that cookie, the attacker can access the account without triggering additional MFA challenges. Proofpoint notes that the Tycoon 2FA phishing-as-a-service platform is one of the prominent kits enabling this attack, complete with custom Entra ID branding and anti-debugging features like invisible Unicode characters and custom CAPTCHAs.
Why traditional defenses fail
The use of vendor link wrappers attacks a fundamental assumption: that rewritten URLs are safe. Security tools frequently stop inspecting after verifying the wrapper domain, and users are conditioned to trust links that display “urldefense.proofpoint.com.” Redirect chains further defeat sandbox environments that limit analysis to a single hop or time out after a few seconds. And the inclusion of legitimate Microsoft domains in the chain—sometimes via ADFS tenant redirects—means that even URL inspection at the endpoint may see only a known-good domain.
Cloudflare’s threat research team confirmed in July 2025 that attackers were actively abusing Proofpoint and Intermedia wrappers in multiple campaigns. Push Security published a detailed breakdown of how ADFS can be configured to direct users to attacker-controlled servers while maintaining a Microsoft domain in the URL. The technique effectively converts Microsoft’s own authentication infrastructure into a phishing vector.
Proofpoint’s dual role: exploited and detecting
Ironically, Proofpoint’s own advanced threat detection identified the campaign it was being used to fuel. According to the company’s blog, its Nexus AI detection stack flagged the attack based on unusual URL domains, unfamiliar sender patterns (for initial email-based lures), and suspicious behaviors like the reverse proxy’s real-time interception. Proofpoint also noted that it detected the campaign behind the defenses of six other email security vendors, including three Gartner Magic Quadrant Leaders. This suggests the attack’s sophistication routinely bypasses traditional secure email gateways.
For organizations relying on those vendors, the incident is a stark reminder that no single layer of defense is sufficient. Even when a vendor’s wrapper is abused, the same vendor’s detection stack may still catch the threat if given complete visibility. The challenge is that many organizations only see the cleaned link, not the full redirect chain it conceals.
Project Ire: Microsoft’s AI answer to malware classification
While the malvertising campaign exploits trust in existing infrastructure, Microsoft Research’s Project Ire aims to build new trust in autonomous analysis. Unveiled in mid-2025, Project Ire is a prototype that combines an LLM with traditional reverse-engineering tools—decompilers, control-flow analyzers, and binary frameworks—to autonomously classify malware without relying on signatures. It produces a human-readable “chain of evidence” explaining its verdict.
Early performance numbers are promising: precision reached 0.98 on public Windows driver datasets and 0.89 on more challenging real-world samples. However, recall dropped to as low as the mid-20% range on the hardest files that normally require manual review. This means Project Ire rarely sounds a false alarm, but it also misses a significant portion of novel, highly obfuscated threats. Microsoft researchers emphasize that the tool is designed to augment, not replace, skilled analysts. In operational settings, it could dramatically reduce triage backlogs for straightforward samples while escalating the truly unknown to humans.
Adoption carries risks. Adversaries can craft binaries specifically to confuse LLM reasoning or exploit dependencies on third-party tools like the angr framework. Microsoft cautions that autonomous blocking decisions require rigorous governance and human review thresholds. Still, Project Ire represents a major step toward scaling expert-level reverse engineering across enterprise SOCs.
The botched August update: a recovery toolkit crisis
In parallel, Microsoft faced an operational crisis when its August 2025 cumulative updates broke critical recovery features. The initial rollout, KB5063875, caused SSD disappearance and data loss on some systems and disabled the “Reset this PC” and “Fix problems using Windows Update” functions on both Windows 10 and Windows 11. For IT teams, the loss of built-in recovery tools is a dire complication: these functions serve as a last resort for troubleshooting persistent issues or remediating compromised endpoints without full reimaging.
Microsoft issued out-of-band fixes on August 28: KB5066189 for Windows 11 and KB5066188 for Windows 10. These optional cumulative updates replace the problematic KB5063875 and restore recovery functionality. Administrators are strongly advised to test and deploy the OOB patches immediately, bypassing the original update.
The episode reinforces the importance of phased rollouts and pre-deployment testing, especially for updates that affect system recovery paths. Many organizations do not regularly test “Reset this PC” in their patch QA cycles, making regressions like this particularly dangerous.
Defensive actions to take now
The convergence of these threats demands a multi-layered response. Here are prioritized steps for Windows admins and security teams:
Immediate hardening
- Enforce Conditional Access policies: Require device compliance and location checks for all sensitive Microsoft 365 sign-ins.
- Shorten token lifetimes and disable fallback MFA methods (SMS, voice) for privileged accounts to limit the window of session cookie abuse.
- Deploy the OOB patches: Remove KB5063875 and install KB5066189 (Windows 11) or KB5066188 (Windows 10) after testing on a small cohort.
- Revoke sessions and force password resets for any account suspected of compromise, then verify MFA enrollment and review sign-in logs for anomalous IPs.
Detection and monitoring
- Hunt for redirect chain abuse in SIEM logs: look for clicks involving wrapper domains (urldefense.proofpoint.com, Intermedia wrappers) followed by rapid outbound redirects to unfamiliar domains.
- Monitor ADFS and Entra ID logs for unusual tenant registrations or sign-in events involving unexpected redirect parameters.
- Enable full URL inspection in your security tools to scan beyond the first hop; consider browser isolation for high-risk users to prevent local execution of multi-hop redirects.
Configuration and process changes
- Disable legacy ADFS where possible and migrate to Microsoft Entra ID with modern conditional access. If ADFS must remain, implement strict monitoring for suspicious redirect configurations.
- Update incident playbooks to include AiTM-specific response steps: immediate session revocation, token invalidation, and credential resets.
- Educate users about the new malvertising tactics: instruct them to be skeptical of unexpected voicemail, Teams, or “shared document” links, even when wrapped by a familiar vendor.
AI governance groundwork
- Pilot Project Ire in an observability-only mode initially; define clear thresholds for when its verdicts can trigger automated actions.
- Audit and log all autonomous decisions to maintain a reviewable chain of evidence, aligning with Project Ire’s own design philosophy.
The bigger picture: trust, speed, and resilience
The week’s incidents paint a clear picture: attackers are systematically weaponizing the very features defenders rely on to establish trust. Link wrappers, federation protocols, and even recovery tools become attack surfaces when left unmonitored. At the same time, tools like Project Ire offer a glimpse of a future where AI can match the speed and scale of automated threats—provided it is deployed with human oversight.
For IT teams, the message is urgent and practical. Assume that your users will encounter phishing through ads and search results, not just email. Assume that legitimate vendor domains will be exploited. And assume that any autonomous detection system, no matter how precise, can be fooled. The path forward combines rigorous operations—short token lifetimes, phased patch management, and deep URL inspection—with smart adoption of AI augmentation. The balance of power can shift, but only if defenders refuse to let trust become a vulnerability.