A C-level executive at Swedish exposure management and identity security firm Outpost24 was targeted in a sophisticated phishing attack, according to SecurityWeek’s coverage. The attackers employed a DKIM-signed email, trusted redirect infrastructure, compromised servers, and Cloudflare-protected phishing pages in a seven-step campaign designed to evade detection. The phishing message, impersonating JP Morgan, appeared to be part of an existing email thread and asked the recipient to review and sign a document.
Two DKIM signatures were used to help the email pass DMARC authentication. A link within the message pointed to Cisco’s secure-web.cisco[.]com, so the redirect was hosted on Cisco infrastructure to aid deception. The target was redirected through legitimate services such as Cisco and Nylas before reaching phishing infrastructure behind Cloudflare, culminating in a convincing page built to harvest Microsoft 365 credentials, with genuine-looking login validation.
The firm confirmed to SecurityWeek that the individual targeted was a C-level executive at its parent company Outpost24, and Specops notes that the modus operandi aligns with Iran-linked threat actor patterns, though attribution remains unresolved.
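
The message traits described above (more than one DKIM signature, a link that starts at a trusted redirect host, a reply-style subject) can be surfaced for analyst triage from the raw message. The following Python is an added example, not code from SecurityWeek, Specops or Outpost24; it reads the headers without verifying any signature, and the sample message, the `.example` domains, the simplified alignment rule and the missing-thread-header heuristic are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Redirect/rewrite hosts to surface. secure-web.cisco.com is the one named in
# the article; extend the set for your own environment.
REDIRECTOR_HOSTS = {"secure-web.cisco.com"}

def triage(raw):
    """Return header and link observations for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Collect the d= (signing domain) tag from every DKIM-Signature header.
    dkim = [m.group(1).lower() for s in msg.get_all("DKIM-Signature", [])
            if (m := re.search(r"(?:^|;)\s*d=([^;\s]+)", s))]
    # Simplified relaxed alignment: same domain or a parent/child of the From
    # domain. A real DMARC check compares organizational domains via the PSL.
    aligned = [d for d in dkim if d == from_domain
               or from_domain.endswith("." + d) or d.endswith("." + from_domain)]
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = [u for u in re.findall(r"https?://[^\s\"'<>]+", body)
             if urlparse(u).hostname in REDIRECTOR_HOSTS]
    flags = []
    if len(dkim) > 1:
        flags.append("multiple-dkim-signatures")
    if links:
        flags.append("link-via-redirector")
    # Assumed heuristic: a reply-style subject with no threading headers.
    if (re.match(r"(?i)\s*(re|fw|fwd):", msg.get("Subject", ""))
            and not (msg.get("In-Reply-To") or msg.get("References"))):
        flags.append("reply-subject-without-thread-headers")
    return {"from_domain": from_domain, "dkim_domains": dkim,
            "aligned": aligned, "redirector_links": links, "flags": flags}

# Constructed sample message (not from the incident); every value is a placeholder.
SAMPLE = "\n".join([
    "From: Document Desk <docs@sender.example>",
    "Subject: RE: Agreement for signature",
    "DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=s1; b=PLACEHOLDER",
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k2; b=PLACEHOLDER",
    "",
    "Please review and sign: https://secure-web.cisco.com/PLACEHOLDER/doc",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The flags are observations, not a verdict: legitimate mail sent through an email service provider often carries two signatures too, so they are best used to prioritise messages for review alongside the final destination of the redirect.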