- What: Hackers targeted cybersecurity firm Outpost24 with a 7-stage phishing attack
- Impact: Cybersecurity firm compromised, potential risk to clients and data
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish

The attackers leveraged trusted brands and domains in an attempt to trick a C-suite executive at Outpost24 into giving up his credentials.

Jai Vijayan, Contributing Writer, March 17, 2026

Cybersecurity companies are not immune to the same kinds of attacks they help their customers defend against, and a successful compromise of a security vendor can hurt its customers in ways that other breaches do not.

A recent example is a phishing attack aimed at a C-level executive at security firm Outpost24 that was engineered to pass through multiple layers of enterprise email security without triggering a single alert. Researchers at Outpost24's threat intelligence unit analyzed the attack after detecting it before it could cause damage. They found a campaign that leveraged the reputations of brands such as Cisco and JP Morgan to build a seven-stage redirect chain ending in a Microsoft Office credential-phishing page.

A 7-Stage Cyberattack Chain

The phishing lure arrived as what Outpost24 subsidiary Specops Software described in a recent blog post as a "very convincing" financial communication from JP Morgan, addressed to the targeted executive. To add credibility, the attackers presented the email as part of an ongoing, active thread. The message carried a valid DomainKeys Identified Mail (DKIM) signature from Amazon Simple Email Service (SES) infrastructure, so it passed authentication checks and looked legitimate to Outpost24's email security systems. The caveat a defender should keep in mind: a passing DKIM signature only proves that the signing domain (here, Amazon SES) handled the message unmodified. It says nothing about whether the visible From address is genuine unless the signing domain aligns with that address, which is precisely the check DMARC adds on top of DKIM and SPF.
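The DKIM detail above is the one most worth verifying in practice. Below is an added example (written for this article; it is not code from Outpost24, Specops or Dark Reading) that parses a constructed Authentication-Results header the way a receiver's DMARC evaluation does and asks whether the DKIM or SPF identity that passed actually aligns with the visible From domain. The two raw messages, the domains and the mail-server names in it are placeholders, and the organizational-domain logic is simplified.

```python
"""DMARC-style alignment check: does the DKIM/SPF result that passed actually
vouch for the domain shown in the From: header?

Added example for this article, not Outpost24 or Specops code. The raw
messages below are constructed to resemble the case described (a JP Morgan
themed lure sent via Amazon SES); they are not the real phishing email, and
every header value is a placeholder.
"""
import email
import re
from email import policy

# Constructed sample 1: DKIM and SPF pass for amazonses.com, but the visible
# sender claims jpmorgan.com. It "passes authentication" yet is NOT aligned.
UNALIGNED_RAW = """\
Authentication-Results: mx.example.test;
 dkim=pass header.d=amazonses.com header.i=@amazonses.com;
 spf=pass smtp.mailfrom=0100018f.bounces.amazonses.com
From: "JPMorgan Treasury" <notifications@jpmorgan.com>
To: ceo@example.test
Subject: Re: Q1 settlement documents

Please review the attached statement.
"""

# Constructed sample 2: same lure, but the DKIM signer is the From: domain itself.
ALIGNED_RAW = UNALIGNED_RAW.replace("header.d=amazonses.com", "header.d=jpmorgan.com")


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. A real DMARC
    implementation consults the Public Suffix List (assumption for brevity)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str) -> dict:
    """Parse one Authentication-Results value (RFC 8601, simplified) into
    {'dkim': [(result, header.d domain)], 'spf': [(result, mailfrom domain)]}."""
    out = {"dkim": [], "spf": []}
    # The first ';'-separated field is the authserv-id; the rest are method results.
    for clause in value.split(";")[1:]:
        m = re.match(r"(dkim|spf)=(\w+)(.*)", " ".join(clause.split()))
        if not m:
            continue
        method, result, props = m.groups()
        if method == "dkim":
            d = re.search(r"header\.d=(\S+)", props)
            out["dkim"].append((result, d.group(1) if d else None))
        else:
            mf = re.search(r"smtp\.mailfrom=(\S+)", props)
            out["spf"].append((result, mf.group(1).rsplit("@", 1)[-1] if mf else None))
    return out


def dmarc_style_verdict(raw_message: str, mode: str = "relaxed") -> dict:
    """Evaluate a message the way a receiver's DMARC check would (minus the DNS
    policy lookup): a pass needs an ALIGNED DKIM or SPF pass, not just any pass."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain          # RFC5322.From domain
    ar = parse_auth_results(str(msg["Authentication-Results"]))
    dkim_aligned = any(r == "pass" and d and aligned(d, from_domain, mode) for r, d in ar["dkim"])
    spf_aligned = any(r == "pass" and d and aligned(d, from_domain, mode) for r, d in ar["spf"])
    return {
        "from_domain": from_domain,
        "dkim_passed": any(r == "pass" for r, _ in ar["dkim"]),   # what a naive filter sees
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("SES-signed, unaligned", UNALIGNED_RAW), ("aligned", ALIGNED_RAW)):
        print(name, dmarc_style_verdict(raw))
```

For the SES-signed sample the verdict reports `dkim_passed` as true and `dmarc_pass` as false: exactly the gap a filter that stops at "DKIM valid" leaves open. Whether the receiving gateway then rejects or quarantines depends on the From domain's published DMARC policy, which this example deliberately does not look up.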
A link behind a "Review Document" button in the phishing email pointed to a legitimate Cisco domain used for rewriting and vetting links in email, lending further credibility to the redirect. When Outpost24 researchers clicked the link, the request went to Cisco Secure Web infrastructure, which responded with a redirect to the third stage of the chain. That third hop was Nylas, a legitimate API service for email synchronization, tracking, and automation; the attackers used a Nylas link-tracking and redirection feature to send the victim on to the next stage, which appeared to be a PDF document hosted on the compromised infrastructure of an Indian software development company. The PDF redirected the victim to yet another domain, one that had been registered for several years before its owner let the registration lapse. The attackers re-registered it and used it to redirect the victim to the final hop: a malicious domain hosted behind Cloudflare, which made the site harder to track or block. Outpost24 also found the attackers using anti-bot and human-validation services to turn away automated security tools before presenting the credential-phishing page.

In comments to Dark Reading, Hector Garcia, senior threat intel analyst at Outpost24, says the attackers appear to have used a phishing-as-a-service kit called Kratos to execute the attack.

"Our threat intelligence team was able to obtain and analyze an encrypted version of the phishing kit along with its configuration. By mapping these artifacts against known samples, we confidently identified links to the Kratos Phishing Kit," Garcia says. "We were not able to attribute this activity to a specific threat group, particularly as the infrastructure was dismantled quickly. However, the techniques and tooling observed are consistent with phishing-as-a-service operations, which Outpost24 continuously tracks as part of its threat intelligence efforts."

Quality Attack Infrastructure Showcases Sophistication

While the phishing lure itself was typical of recent campaigns, what set the attack apart was the quality of the infrastructure behind it, Garcia says. "The use of trusted domains, legitimate services, and multilayered redirection reflects a more deliberate effort to bypass detection controls." These techniques are not new individually, but their combined use signals a continued shift toward more resilient and evasive phishing operations, the researcher says.

Mika Aalto, cofounder and CEO at Helsinki-based Hoxhunt, says security vendors like Outpost24 are attractive targets because they are deeply integrated into customer environments and their infrastructure is inherently trusted by users and systems. "It's often easier to sneak into the castle through a neighbor's yard than storm the front gate," he says. Phishing remains one of the most effective ways to do that, and kits like Kratos lower the barrier for attackers to launch sophisticated credential-harvesting campaigns against strategic targets, even those with ostensibly the strongest security architecture and maturity.

The campaign that targeted Outpost24 shows attackers effectively laundering their phishing links, routing victims through layers of trusted services and compromised infrastructure the same way financial criminals layer transactions to hide dirty money. "But the key detail here is that the attack was designed to bypass automated screening tools and only show the payload to a human," Aalto notes, highlighting the need for human risk management.
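The hop-by-hop chain described above is the kind of thing an analyst wants to walk mechanically, without rendering pages or running their scripts. The following is an added example written for this article, not Outpost24's tooling: it follows 3xx Location headers and HTML meta refreshes one hop at a time, refuses loops, caps the hop count, and labels hops that land on a trusted link rewriter or a tracking service. The offline chain, every host name and the rewriter/tracker lists are constructed stand-ins, not the real infrastructure from the attack.

```python
"""Follow a phishing redirect chain one hop at a time, without executing page
content, and record every host so a 'laundered' link can be analysed.

Added example for this article, not Outpost24's tooling. The offline chain
below is a constructed stand-in for the one described (mail-security link
rewriter -> link tracker -> compromised site serving a redirecting page ->
re-registered domain -> CDN-fronted credential page). All host names are
placeholders under the reserved .test TLD, not the real infrastructure.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
# Labelling lists are an assumption for this example; populate them from your own
# mail gateway and the tracking services your organisation legitimately uses.
TRUSTED_REWRITERS = {"rewriter.example-gateway.test"}
LINK_TRACKERS = {"track.example-tracker.test"}


class _MetaRefresh(HTMLParser):
    """Pull the target out of <meta http-equiv="refresh" content="0;url=..."> if present."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m:
                self.target = m.group(1)


def next_hop(url, status, headers, body):
    """Where a browser would go next: a 3xx Location or a meta refresh; None at the end.
    JavaScript-driven redirects are deliberately not evaluated, so a chain may end early."""
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"])        # handles relative Location values
    if body and "html" in headers.get("content-type", ""):
        p = _MetaRefresh()
        p.feed(body)
        if p.target:
            return urljoin(url, p.target)
    return None


def walk_chain(start_url, fetch, max_hops=MAX_HOPS):
    """fetch(url) -> (status, lowercase-keyed header dict, body text). Returns one dict
    per hop; stops on a loop, on the hop cap, or at a page that does not redirect."""
    hops, seen, url = [], set(), start_url
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "note": "loop"})
            break
        seen.add(url)
        status, headers, body = fetch(url)
        host = urlsplit(url).hostname or ""
        label = ("trusted-rewriter" if host in TRUSTED_REWRITERS
                 else "link-tracker" if host in LINK_TRACKERS else "other")
        hops.append({"url": url, "host": host, "status": status, "label": label})
        url = next_hop(url, status, headers, body)
    return hops


def http_fetch(url, timeout=10):
    """Live fetcher: one request, redirects NOT followed, body capped at 64 KiB.
    Run it from an analysis sandbox, never from the targeted user's workstation."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                 # every 3xx surfaces as HTTPError, caught below
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""


# Constructed offline stand-in for the network: URL -> (status, headers, body).
# The ".pdf" URL is served as HTML that refreshes onward, standing in for the
# document-shaped hop in the article; the real one is not reproduced here.
FAKE_WEB = {
    "https://rewriter.example-gateway.test/v1/abc": (302, {"location": "https://track.example-tracker.test/c?u=1"}, ""),
    "https://track.example-tracker.test/c?u=1": (302, {"location": "https://compromised-site.test/docs/statement.pdf"}, ""),
    "https://compromised-site.test/docs/statement.pdf": (200, {"content-type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0;url=https://expired-relic.test/go"></head></html>'),
    "https://expired-relic.test/go": (302, {"location": "/final"}, ""),
    "https://expired-relic.test/final": (302, {"location": "https://login-portal.test/"}, ""),
    "https://login-portal.test/": (200, {"content-type": "text/html"}, "<html>Verify you are human</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


def summarize(start_url, fetch=fake_fetch):
    hops = walk_chain(start_url, fetch)
    return {"hop_count": len(hops), "hosts": [h.get("host") for h in hops],
            "labels": [h.get("label") for h in hops], "final_url": hops[-1]["url"]}
```

Call `summarize(start_url, fetch=http_fetch)` from an isolated analysis host to walk a live link. Two caveats the article itself points at: this client does not execute JavaScript, so a script-driven hop ends the walk early, and the anti-bot and human-validation gates the attackers used may serve a benign page to an automated fetcher while a real browser gets the credential form. Treat a chain that terminates on a challenge page as unresolved, not as clean.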
When attackers can launder phishing infrastructure through multiple trusted services, no single control will catch everything. Organizations need layered defenses built around zero-trust principles, so that a stolen credential alone does not grant meaningful access, Aalto adds.

Security vendors sit inside the trust layer of modern digital infrastructure; their tools, alerts, and communications are trusted by the organizations that rely on them, says Darren Guccione, CEO and co-founder of Keeper Security. Attackers know that compromising credentials or systems associated with a security provider gives them access to a channel that many other organizations already trust.

"These types of campaigns expose a structural issue in how organizations think about vendor risk," Guccione says. "Traditionally, companies evaluated suppliers based on whether their products were secure or whether they met compliance standards. But modern attacks show that the greater risk often lies in the access vendors are granted once their systems become integrated into everyday operations."

About the Author

Jai Vijayan, Contributing Writer. Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.