Identity & Access | Mar 16, 2026

Security Firm Executive Targeted in Sophisticated Phishing Attack

Summary

A C-level executive at Swedish security firm Outpost24 was targeted in a sophisticated phishing attack using the Kratos phishing-as-a-service kit. The attack employed a seven-step infrastructure chain leveraging DKIM spoofing, trusted services (Cisco, Nylas, Cloudflare), and a compromised Indian development company domain to bypass email security controls and harvest Microsoft 365 credentials.

Full text

A C-level executive at Swedish exposure management and identity security firm Outpost24 was targeted in a sophisticated phishing attack, the company’s subsidiary Specops Software reports.

The attack, likely mounted with a recently identified phishing-as-a-service kit named Kratos, relied on a seven-step chain that leveraged layered infrastructure and legitimate services to evade detection and deceive the recipient.

The phishing message, impersonating financial services provider JP Morgan, appeared as if part of an existing email thread to increase its sense of legitimacy, and invited the recipient to review and sign a document. Furthermore, the attackers used two DomainKeys Identified Mail (DKIM) signatures to ensure the email would pass DMARC authentication and appear trustworthy.

Within the message, the attackers included a ‘review document’ link pointing to the legitimate Cisco domain secure-web.cisco.com, which is typically used for rewriting URLs in emails after they have been validated by Cisco. Because the link passed Cisco’s Secure Email Gateway validation, the redirect URL was hosted on Cisco’s infrastructure, further allowing the phishing email to bypass detection systems.

The next step in the chain involved a redirection to the legitimate email API platform Nylas, which was likely used to ensure that the phishing link would redirect through Cisco Secure Web infrastructure.

“By chaining redirects through legitimate services such as Cisco and Nylas, the attackers increase the likelihood that the link will pass security filtering and reputation checks. These domains are widely trusted and commonly observed in legitimate traffic, which makes automated blocking more difficult,” Specops notes.

Next, the target was redirected to a subdomain on the website of a legitimate development company based in India, and then to a domain that was originally registered in 2017 by a Chinese entity. The domain’s previous TLS certificate expired on March 6, the associated DNS records were released shortly after, and the domain was re-registered on March 12, with several new TLS certificates issued for it the same day. “The timing strongly suggests the domain was reacquired and repurposed specifically for this campaign,” Specops notes.

The user was redirected once again, this time to phishing infrastructure that was deployed behind Cloudflare to hide its origin server. At this stage, the victim was served a browser validation check, likely meant to prevent security analysis.

Finally, the victim would be served a convincing phishing page meant to harvest Microsoft 365 credentials. “Like the rest of the attack chain, this step is also carefully constructed, from a fake loading animation imitating Outlook to a check that validates whether the user input is actually an email. As the final step, the site attempts a legitimate login to verify that the captured credentials are valid,” Specops explains.

The cybersecurity firm confirmed to SecurityWeek that the individual targeted in this attack was a C-level executive at its parent company Outpost24, underlining the sophistication of the attack.

Specops did not attribute the incident to a specific threat actor but noted that the modus operandi aligns perfectly with that of Iran-linked threat actors that recently targeted various entities in the US. On the other hand, the firm said, other hacking groups have been observed employing similar tactics, and attribution remains elusive.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
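The DKIM detail in the article is worth spelling out from the defender's side: DMARC passes as soon as one DKIM signature whose d= domain aligns with the From: domain verifies, so an attacker who controls a throwaway sending domain can add an aligned signature beside a mail provider's own signature and get a clean DMARC result. A DMARC pass therefore proves control of the From: domain, not that the From: domain belongs to the brand in the display name. The script below is an added example written for this page, not code from SecurityWeek, Specops or Outpost24, and it does not reproduce the actual headers of the reported email. It parses a constructed message, lists every DKIM d= value, reports which of them align with From:, and flags a display name that names a brand the From: domain does not belong to. The sample message, the `.test` domains, and the `BRAND_DOMAINS` table are all constructed for illustration; the organizational-domain helper uses a last-two-labels approximation rather than the Public Suffix List.

```python
"""Header triage: why "dmarc=pass" is not a brand guarantee.

Added example, not from the article. Sample message and brand table are
constructed; .test domains are reserved and never resolve.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample headers: one DKIM signature from a bulk-mail provider and
# one from the (sender-controlled, From:-aligned) domain. Signature values are
# placeholders, not real signatures.
SAMPLE_RAW = """\
From: "JP Morgan Document Services" <notices@example-invoices.test>
To: exec@example-target.test
Subject: RE: Document ready for signature
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.test; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example-invoices.test; s=sel2;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Authentication-Results: mx.example-target.test;
 dkim=pass header.d=bulkmailer.test;
 dkim=pass header.d=example-invoices.test;
 dmarc=pass header.from=example-invoices.test

Please review and sign the document at the link below.
"""

# Constructed (assumed) brand table: display-name keyword -> domains that may
# legitimately use it. In production this would come from a maintained list.
BRAND_DOMAINS = {"jp morgan": {"jpmorgan.com", "jpmorganchase.com"}}


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Simplification: real relaxed-alignment checks use the Public Suffix List,
    so multi-label suffixes such as co.uk are not handled here.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, in header order."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        # d= must follow the start of the value or a ';' so that tags such as
        # bh= are not mistaken for it.
        match = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if match:
            found.append(match.group(1).lower())
    return found


def analyze(raw):
    """Summarize DKIM alignment and display-name brand impersonation."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rsplit("@", 1)[-1].lower()
    sigs = dkim_domains(msg)
    # Relaxed alignment: organizational domains match. Any aligned signature
    # that verifies is enough for a DMARC pass.
    aligned = [d for d in sigs if org_domain(d) == org_domain(from_domain)]
    brand_hits = [
        brand for brand, domains in BRAND_DOMAINS.items()
        if brand in display.lower() and org_domain(from_domain) not in domains
    ]
    return {
        "from_domain": from_domain,
        "dkim_domains": sigs,
        "aligned_dkim_domains": aligned,
        "dmarc_alignment_possible": bool(aligned),
        "brand_impersonation": brand_hits,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The useful output is the combination: an aligned signature exists (so a DMARC pass is expected and tells the analyst nothing about legitimacy), while the display name claims a brand whose domains the From: domain is not part of. That pairing is the condition to alert on, independently of the authentication result.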

Indicators of Compromise

  • malware — Kratos
  • domain — secure-web.cisco.com