Attackers are exploiting link wrapping services from companies like Proofpoint and Intermedia to mask malicious URLs that lead to Microsoft 365 phishing pages. By compromising protected email accounts, the threat actor is able to disguise harmful links in phishing campaigns, thus increasing the likelihood of credential theft from victims.