Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish

Summary

Outpost24’s threat-intel team detected a sophisticated phishing campaign aimed at a C-level executive that used a seven-stage redirect chain to deliver a Microsoft Office credential-phishing page. The attackers laundered links through trusted services and domains — including Amazon SES with a valid DKIM signature, Cisco link-vetting, Nylas link tracking, a compromised vendor-hosted PDF, a re-registered long-standing domain, and a Cloudflare-protected final host — and used anti-bot/human-validation checks so the malicious page only appeared to real users. Analysts linked the kit to the Kratos phishing-as-a-service product but could not attribute the operation to a specific threat group before infrastructure was taken down.

Key Points

  • Target: a C-suite executive at Outpost24; the lure mimicked a credible JP Morgan financial communication and appeared in an active email thread.
  • Attack chain: seven redirect hops using legitimate services (Amazon SES/DKIM, Cisco, Nylas) plus compromised or re-registered domains to evade filters.
  • Anti-bot/human validation prevented automated scanners from seeing the payload, increasing the chance of successful credential harvesting.
  • Evidence points to the Kratos phishing-as-a-service kit, showing how commoditised tooling enables complex campaigns.
  • Security vendors are high-value targets because their credentials and channels are widely trusted across customer environments.
  • Defensive takeaway: layered defences, zero-trust access controls and human-risk management are essential — no single control will stop laundered phishing chains.
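A defender-side illustration of the last two points, added here and not taken from the article or from Outpost24: given a redirect chain that has already been resolved (by a sandbox or by hand), score it for the laundering traits the summary describes, namely many hops, many distinct registrable domains, a PDF used as an intermediate hop, and a final page that looks like a Microsoft sign-in but is not hosted on a Microsoft domain. The seven-hop sample chain and every hostname in it are constructed placeholders, not the campaign's real infrastructure; the multi-label suffix set is a deliberately tiny stand-in for the Public Suffix List.

```python
"""Score an already-resolved redirect chain for link-laundering traits.

Added example for illustration: hop URLs and hostnames are constructed
placeholders, and hops are assumed to arrive in order from a sandbox or
manual resolution. Not the article's or Outpost24's own tooling.
"""
from urllib.parse import urlparse

# Constructed seven-hop chain shaped like the one in the summary:
# mail-relay tracker -> link-vetting proxy -> link tracker -> vendor-hosted
# PDF -> re-registered domain -> CDN-fronted host -> final login page.
SAMPLE_CHAIN = [
    "https://click.mail-relay.example/t/abc123",
    "https://link-vetting.example/v?u=https%3A%2F%2Ftrk.mailtrack.example%2Fr%2F9f",
    "https://trk.mailtrack.example/r/9f",
    "https://docs.vendor-files.example/invoice-q3.pdf",
    "https://old-reputable-domain.example/go",
    "https://cdn-edge.example/office365/auth",
    "https://signin-office365-verify.example/common/oauth2/login?brand=office",
]

# Legitimate Microsoft sign-in domains; a login-looking final page elsewhere is suspicious.
BRAND_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com"}
BRAND_KEYWORDS = ("office", "microsoft", "o365", "office365", "outlook")

# Minimal multi-label suffix set (assumption); real tooling would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1) with a tiny suffix table."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_brand_login(url: str) -> bool:
    """True if the host, path or query advertises a Microsoft/Office sign-in."""
    p = urlparse(url)
    text = (p.netloc + p.path + p.query).lower()
    return any(k in text for k in BRAND_KEYWORDS)


def analyse_chain(hops, max_benign_hops: int = 3) -> dict:
    """Return hop statistics plus a list of laundering flags for an ordered hop list."""
    domains = [registrable_domain(urlparse(h).hostname or "") for h in hops]
    distinct = list(dict.fromkeys(domains))  # keep order, drop repeats
    final_domain = domains[-1]
    flags = []
    if len(hops) > max_benign_hops:
        flags.append(f"long_chain:{len(hops)}")
    if len(distinct) >= 4:
        flags.append(f"many_domains:{len(distinct)}")
    if looks_like_brand_login(hops[-1]) and final_domain not in BRAND_LOGIN_DOMAINS:
        flags.append(f"brand_mismatch:{final_domain}")
    # A document hop in the middle of a chain is a common laundering step.
    if any(urlparse(h).path.lower().endswith(".pdf") for h in hops[:-1]):
        flags.append("pdf_intermediate")
    return {
        "hop_count": len(hops),
        "distinct_domains": distinct,
        "final_domain": final_domain,
        "flags": flags,
        "verdict": "suspicious" if flags else "benign",
    }


if __name__ == "__main__":
    for key, value in analyse_chain(SAMPLE_CHAIN).items():
        print(f"{key}: {value}")
```

Because the anti-bot checks described in the summary hide the final page from scanners, the hop list fed to `analyse_chain` has to come from something that passes those checks (an instrumented browser session or a manual walk), which is exactly why the summary stresses that URL reputation alone is not enough.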

Context and Relevance

This episode underscores a broader trend: attackers increasingly ‘launder’ phishing infrastructure through chains of reputable services and long-established domains to bypass detection. For teams responsible for identity, supplier risk or email security, it highlights that vendor trust is itself an attack vector. Compromising a security provider or its executives can amplify impact across many customers, so organisations need to rethink vendor access, implement zero-trust controls and combine automated detection with human-focused defences.

Why should I read this?

Short and sharp: this is a clever, worrying phish that slipped past automated defences and targeted a security firm — meaning the fallout could be wide. If you look after identity, vendor risk, or email defences, the article saves you time by laying out the chain, the tooling (Kratos), and practical lessons on why layered, human-aware controls matter.

Source

Source: https://www.darkreading.com/threat-intelligence/hackers-target-cybersecurity-firm-outpost24-phish