Hacker News

Wow, that sounds awful.

Do you know what they did (assuming not nothing) to have browsers continue to enforce the same-origin policy, and block www.terriblesecuritycompanyname.com/evilhacker.com from accessing cookies that belong to www.terriblesecuritycompanyname.com/owa.office365.com?
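The origin collapse this question is pointing at can be made concrete. The following is an added illustration, not code from the thread or from any vendor: it computes the browser's (scheme, host, port) origin for a URL, then compares two rewriting designs. Path-style rewriting (the form quoted in the comment, with `www.terriblesecuritycompanyname.com` used as the proxy host) folds every upstream site into one origin, so a cookie set via one rewritten site is sent to, and readable by, every other. Host-style rewriting, where each upstream host gets its own proxy subdomain under an assumed `proxy.example` domain, keeps origins distinct. Everything here runs offline; the hostnames are placeholders.

```python
from urllib.parse import urlsplit

# Proxy hostnames used below are constructed placeholders, not real services.
PATH_STYLE_PROXY_HOST = "www.terriblesecuritycompanyname.com"
HOST_STYLE_PROXY_DOMAIN = "proxy.example"


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple browsers use for the same-origin policy."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname or "", port)


def same_origin(a: str, b: str) -> bool:
    """True when two URLs share scheme, host and port, i.e. one page may script the other."""
    return origin(a) == origin(b)


def rewrite_path_style(url: str, proxy_host: str = PATH_STYLE_PROXY_HOST) -> str:
    """Path-style rewriting: the upstream host becomes the first path segment.

    This is the pattern the comment describes. Every upstream site ends up on the
    same proxy host, so the browser treats all of them as one origin.
    """
    parts = urlsplit(url)
    return f"https://{proxy_host}/{parts.hostname}{parts.path or '/'}"


def rewrite_host_style(url: str, proxy_domain: str = HOST_STYLE_PROXY_DOMAIN) -> str:
    """Host-style rewriting: each upstream host maps to its own proxy subdomain.

    Assumed alternative design (not attributed to any vendor). Dots in the upstream
    host are turned into dashes so 'owa.office365.com' becomes
    'owa-office365-com.proxy.example'; existing dashes are doubled to keep the
    mapping reversible.
    """
    parts = urlsplit(url)
    label = (parts.hostname or "").replace("-", "--").replace(".", "-")
    return f"https://{label}.{proxy_domain}{parts.path or '/'}"


def cookie_sent_to(cookie_host: str, cookie_path: str, url: str) -> bool:
    """Whether a host-only cookie with the given Path is attached to a request to url.

    Cookies are keyed by host, and Path is only a prefix match; neither is an
    isolation boundary once two sites share a host.
    """
    parts = urlsplit(url)
    return parts.hostname == cookie_host and (parts.path or "/").startswith(cookie_path)


if __name__ == "__main__":
    mail = "https://owa.office365.com/mail"
    attacker = "https://evilhacker.com/"
    for name, rw in (("path-style", rewrite_path_style), ("host-style", rewrite_host_style)):
        a, b = rw(mail), rw(attacker)
        print(f"{name}: {a} and {b} same origin? {same_origin(a, b)}")
```

Under path-style rewriting `same_origin` returns True for the two rewritten URLs and a cookie set with `Path=/owa.office365.com/` is still sent to `/evilhacker.com/...` only if the prefix matches, but a page on the same origin can read it regardless; under host-style rewriting the two URLs are separate origins and `cookie_sent_to` for the mail cookie is False for the attacker's rewritten host.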



I haven't looked into it that deeply to see how (whether) they're handling same origin or cookie access. I assume they're doing some kind of magic other than just rewriting the URLs.

If you haven't been involved with enterprise information security you'd be surprised by how intrusive and poorly conceived these services are in a lot of cases. Tavis Ormandy and others have famously found many AV products to be running un-sandboxed untrusted JavaScript in kernel mode. In-line web proxies have been found to do things like sign untrusted or revoked certs with a trusted root cert.

It's all pretty much a big grift to capitalize on companies' rightful cyber security fears.




