Security organizations routinely face the same threats they help mitigate for their clients. A recent phishing campaign directed at a C-level executive at the security firm Outpost24 illustrates this reality. The operation was engineered to bypass multiple layers of enterprise email security without triggering automated alerts.
Outpost24's threat intelligence unit identified and neutralized the threat before any unauthorized access occurred. Their analysis revealed a complex seven-stage redirect sequence that leveraged the reputation of established brands like Cisco and JP Morgan, ultimately leading to a Microsoft Office credential collection page.
A 7-stage redirect sequence
The initial lure, detailed by Outpost24 subsidiary Specops Software, presented itself as a financial communication from JP Morgan. Threat actors formatted the message to appear as part of an ongoing email thread to establish credibility. The message included a valid DomainKeys Identified Mail (DKIM) signature associated with Amazon Simple Email Service (SES) infrastructure (em.37nmtc.com), allowing it to pass initial authentication checks and appear legitimate to Microsoft 365 mail protection systems.
The message contained a "Review Document" link pointing to a legitimate Cisco domain (secure-web.cisco.com). This service is typically used for rewriting and vetting email links. By routing the request through Cisco Secure Web infrastructure, the threat actors gained a trusted redirect to the third stage of their sequence.
The third hop utilized Nylas (tracking.us.nylas.com), a legitimate API service for email synchronization and tracking. The actors abused a link tracking feature to forward the targeted user to what appeared to be a PDF document.
This document was hosted on the infrastructure of an Indian software development company that had experienced unauthorized access (infra.infratechcorpsolutionllp.com). The server returned a redirect instead of a file, sending the user to a fifth domain.
This fifth hop used a domain (www-0159.com) that had been registered for several years before expiring. The threat actors re-registered it to capitalize on its residual reputation: an aged domain looks less suspicious to automated security systems than a newly registered one.
In the sixth stage, the operation utilized Cloudflare's anti-bot and human validation services on a new domain (tradixyu.cfd). This step was designed to block automated security scanners, sandbox environments, and analysis tools.
Only after completing the manual human validation check was the targeted user directed to the final stage: the credential phishing page.
Infrastructure sophistication and the Kratos kit
Hector Garcia, senior threat intel analyst at Outpost24, noted that while the lure itself was typical, the operation relied on a sophisticated phishing-as-a-service (PhaaS) framework known as the Kratos kit.
"Our threat intelligence team was able to obtain and analyze an encrypted version of the phishing kit along with its configuration. By mapping these artifacts against known samples, we confidently identified links to the Kratos Phishing Kit," Garcia says. "We were not able to attribute this activity to a specific threat group, particularly as the infrastructure was dismantled quickly. However, the techniques and tooling observed are consistent with phishing-as-a-service operations, which Outpost24 continuously tracks as part of its threat intelligence efforts."
Garcia emphasized that the use of trusted domains, legitimate services, and multilayered redirection demonstrates a deliberate effort to evade detection controls.
Managing vendor risk and trust layers
Security vendors are strategic targets because they are deeply integrated into client environments, and their infrastructure carries inherent trust. Mika Aalto, cofounder and CEO at Helsinki-based Hoxhunt, observed that threat actors often launder their phishing links through trusted services the same way financial criminals layer transactions to obscure origins.
Aalto pointed out that the campaign was explicitly designed to bypass automated screening tools and only display the final page to a human user, elevating the importance of human risk management. Organizations must implement layered defenses built around zero-trust principles to ensure that compromised credentials alone do not grant meaningful system access.
Darren Guccione, CEO and co-founder of Keeper Security, noted that these campaigns highlight a structural issue in how organizations evaluate vendor risk. Threat actors recognize that gaining access to a security provider's systems opens a trusted channel to other organizations.
"These types of campaigns expose a structural issue in how organizations think about vendor risk," Guccione says. "Traditionally, companies evaluated suppliers based on whether their products were secure or whether they met compliance standards. But modern [security incidents] show that the greater risk often lies in the access vendors are granted once their systems become integrated into everyday operations."