Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish - Dark Reading
In an unsuccessful phishing attack, threat actors leveraged trusted brands and domains to try to redirect a C-suite executive at Outpost24 to give up his credentials.
Jai Vijayan, Contributing Writer
March 17, 2026
Cybersecurity companies are not immune from the same kind of attacks they help their customers defend against — but a successful compromise could have big consequences for their customers in ways that other hacks don't.
A recent example of attackers targeting security vendors is a phishing attack aimed at a C-level executive at security firm Outpost24 that was engineered to bypass multiple layers of enterprise email security without triggering a single alert.
Researchers at Outpost24's threat intelligence unit analyzed the attack after detecting it before it could cause damage. They found the campaign leveraging the reputations of brands like Cisco and JP Morgan to build a complex seven-stage redirect chain that led to a Microsoft Office credential phishing page.
A 7-Stage Cyberattack Chain
The phishing lure itself arrived in the form of what Outpost24 subsidiary Specops Software described in a recent blog post as a "very convincing" financial communication from JP Morgan directed at the targeted C-suite individual. To add credibility, the attackers presented the phishing email like it was part of an ongoing and active email thread. The email had a valid DomainKeys Identified Mail (DKIM) signature associated with Amazon Simple Email Service infrastructure, meaning it passed authentication checks and appeared legitimate to Outpost24's email security systems.
A link attached to a "Review Document" option on the phishing page pointed to a legitimate Cisco domain for rewriting and vetting links in emails, lending further credibility to the redirect. Outpost24 researchers found that when they clicked on the link, a request was sent to Cisco Secure Web infrastructure, which responded with a redirect to the third stage of the attack chain.
This third hop was Nylas, a legitimate API service for email synchronization, tracking, and automation. The attacker used a Nylas link tracking and redirection feature to once again send the victim to the next stage of the attack, which appeared to be a PDF document hosted on the compromised infrastructure of an Indian software development company. The PDF redirected the victim to yet another domain, in this case one that had been registered for multiple years but whose owner had let it expire. The attackers re-registered the domain and used it to redirect the victim to the final hop, a malicious domain hosted behind Cloudflare, which made the site harder to track or block.
Outpost24 also found the attackers were using anti-bot and human validation services to block automated security tools before presenting the credential phishing page. In comments to Dark Reading, Hector Garcia, senior threat intel analyst at Outpost24, says the attackers appear to have used a phishing-as-a-service kit called Kratos to execute the attack.
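The multi-hop laundering described above is the kind of thing a mail-security or SOC team can triage by unrolling a link's redirect chain and scoring it, rather than judging only the first hop's domain. The following is an added example, not code from Outpost24, Specops, or the kit analysis; the hostnames, the wrapper-service list, and the sample chain are all constructed for illustration.

```python
"""Redirect-chain unroller for triaging suspicious links (added example)."""
from urllib.parse import urlparse

MAX_HOPS = 10  # assumed ceiling; the article's chain had seven stages


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def unroll(start_url, resolve):
    """Follow redirects via `resolve(url) -> next_url or None`.

    `resolve` is pluggable so the chain can be walked offline from a
    captured set of Location headers. Returns (hops, status), where status
    is 'landed', 'loop' or 'too_many_hops'.
    """
    hops, seen = [start_url], {start_url}
    while True:
        nxt = resolve(hops[-1])
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops, "loop"
        hops.append(nxt)
        seen.add(nxt)
        if len(hops) > MAX_HOPS:
            return hops, "too_many_hops"


def assess(hops, wrapper_hosts):
    """Score a chain by distinct hosts and how many trusted link-wrapping
    services it passes through; thresholds are assumptions for the demo."""
    hosts = [host_of(u) for u in hops]
    wrappers = [h for h in hosts if h in wrapper_hosts]
    return {
        "hops": len(hops),
        "distinct_hosts": len(set(hosts)),
        "wrappers_traversed": wrappers,
        "landing_host": hosts[-1],
        "suspicious": len(set(hosts)) >= 4 and len(wrappers) >= 2,
    }


# Constructed chain with the same shape as the article's: a mail-security
# link rewriter, a link-tracking API, a compromised site, a re-registered
# expired domain, and a final credential-harvesting page.
SAMPLE_CHAIN = {
    "https://rewrite.vendor-a.example/1/review-doc": "https://track.vendor-b.example/t/abc",
    "https://track.vendor-b.example/t/abc": "https://compromised-site.example/doc.pdf",
    "https://compromised-site.example/doc.pdf": "https://reregistered.example/go",
    "https://reregistered.example/go": "https://final-landing.example/login",
}
SAMPLE_WRAPPERS = {"rewrite.vendor-a.example", "track.vendor-b.example"}
```

In production, `resolve` would issue a HEAD/GET with redirects disabled and return the `Location` header, ideally from a sandboxed egress, since the final stage in this campaign served its page only to what it judged to be a human.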
"Our threat intelligence team was able to obtain and analyze an encrypted version of the phishing kit along with its configuration. By mapping these artifacts against known samples, we confidently identified links to the Kratos Phishing Kit," Garcia says. "We were not able to attribute this activity to a specific threat group, particularly as the infrastructure was dismantled quickly. However, the techniques and tooling observed are consistent with phishing-as-a-service operations, which Outpost24 continuously tracks as part of its threat intelligence efforts."
Quality Attack Infrastructure Showcases Sophistication
While the quality of the phishing lure itself was typical of recent campaigns, what set the attack apart was the quality of the infrastructure behind it, Garcia says. "The use of trusted domains, legitimate services, and multilayered redirection reflects a more deliberate effort to bypass detection controls." While these techniques are not new individually, their combined use signals a continued shift toward more resilient and evasive phishing operations, the researcher says.
Mika Aalto, cofounder and CEO at Helsinki-based Hoxhunt, says security vendors like Outpost24 are attractive targets for attackers because they are deeply integrated into customer environments, and their infrastructure is inherently trusted by users and systems. "It's often easier to sneak into the castle through a neighbor’s yard than storm the front gate," he says.
Phishing remains one of the most effective ways to do that, and kits like Kratos are lowering the barrier for attackers to launch sophisticated credential-harvesting campaigns against strategic targets, even those with ostensibly the strongest security architecture and maturity.
The campaign that targeted Outpost24 shows how attackers are effectively laundering their phishing links and routing victims through layers of trusted services and compromised infrastructure the same way financial criminals layer transactions to hide dirty money. "But the key detail here is that the attack was designed to bypass automated screening tools and only show the payload to a human," highlighting the need for human risk management, Aalto notes.
When attackers can "launder" phishing infrastructure through multiple trusted services, no single control is going to catch everything. Organizations need layered defenses built around zero-trust principles, so a stolen credential alone doesn’t grant meaningful access, Aalto adds.
Security vendors sit inside the trust layer of modern digital infrastructure, and their tools, alerts, and communications are trusted by the organizations that rely on them, says Darren Guccione, CEO and co-founder of Keeper Security. Attackers know that if they can compromise credentials or systems associated with a security provider, they are gaining access to a channel that many other organizations already trust.
"These types of campaigns expose a structural issue in how organizations think about vendor risk," Guccione says. "Traditionally, companies evaluated suppliers based on whether their products were secure or whether they met compliance standards. But modern attacks show that the greater risk often lies in the access vendors are granted once their systems become integrated into everyday operations."
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.