Thanks, @wfyann, for chiming in.
We did not recently enable that aspect of Wordfence. And we went back through our backups and found the link pointing to prweb.net/Redirect.aspx for a very long time.
Weird, huh?
During our investigation we have seen (but were unable to document) that the behavior of that redirect is different if they’ve seen you (or your IP address) before. Notably, after someone on your network has visited the link, subsequent visits just get redirected to the original destination. But the initial visit does seem to try offering a software install.
We’re set up to monitor the situation better now, so I’ll return here to add notes if we come up with anything.
