www.darkreading.com 3/17/2026, 8:18:06 PM

Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish

Hackers targeted Outpost24, a cybersecurity firm, with a seven-stage phishing campaign aimed at a C-suite executive and designed to bypass multiple layers of enterprise email security without triggering alerts. Researchers from Outpost24’s threat intelligence unit analyzed the attack, which leveraged the reputations of Cisco and JP Morgan to build credibility, including a DKIM-signed message thought to be part of an ongoing thread.

The chain used Cisco Secure Web infrastructure for redirects, then passed victims to a Nylas link-tracking stage, and finally to a credential-harvesting page hosted behind compromised infrastructure and Cloudflare to hinder blocking. Investigators noted anti-bot and human-validation services were employed to defeat automated tools, and a phishing-as-a-service kit called Kratos was reportedly used, with links to the Kratos Phishing Kit identified in the encrypted kit obtained by Outpost24.

According to Dark Reading, the attack could not be attributed to a specific threat group, but the techniques align with phishing-as-a-service operations used to target security vendors and their customers.


Article by CyberSIXT