[New Threat Intelligence] European Security Vendor Targeted by Hackers Fronting as Cisco Domain

On March 13, 2026, the threat intelligence team at Outpost24, Specops’ parent company, detected and blocked a sophisticated multi-chain redirect phishing campaign fronting as Cisco, a global network equipment provider. Our team identified the attack early, stopped it before it could compromise systems or impact users, and shared intelligence to help other organizations defend against similar campaigns.

The attack is quite complex, leveraging several trusted services as well as compromised legitimate infrastructure to conceal the final phishing destination. Several stages redirect victims through legitimate or previously reputable domains, reducing the likelihood that security scanners or reputation-based filtering will block the link.

The attackers went as far as to implement a legitimate Cloudflare-based “human validation” step to ensure that only real people saw the actual landing page where credentials are requested. Our team has mapped the attack path into seven clear steps and provided guidance on how to mitigate this threat.

Seven stages of the attack chain

Step 1: Initial lure

The attack begins with a well-crafted and convincing email impersonating the financial services provider JP Morgan, presented as though it were part of an existing email thread, a well-known technique attackers use to make a phishing message feel legitimate. Users are presented with a message saying, “A document is available for your review and signature.”

Figure: Initial phishing email

In our investigation, the email headers show the message was DomainKeys Identified Mail (DKIM) signed by em.37nmtc.com, with an additional signature associated with Amazon Simple Email Service (SES) infrastructure.

Because the DKIM signature successfully validated, the message passed Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication even though no valid Sender Policy Framework (SPF) record was present. As a result, the email appeared authenticated and trustworthy to Microsoft 365 mail protection systems.

Authentication-Results headers of the DKIM-signed email from em.37nmtc.com (an otherwise “normal quality” phishing email):

Authentication-Results: spf=none (sender IP is 69.169.224.13) smtp.mailfrom=em.37nmtc.com; dkim=pass (signature was verified) header.d=37nmtc.com;dkim=pass (signature was verified) header.d=amazonses.com;dmarc=pass action=none header.from=37nmtc.com;compauth=pass reason=100
Received-SPF: None (protection.outlook.com: em.37nmtc.com does not designate permitted sender hosts)
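The weakness the header above illustrates is that DMARC passes as soon as one aligned mechanism passes, so a DKIM-only pass with spf=none still looks fully authenticated. The following added example (not code from the original post) parses a Microsoft 365 style Authentication-Results value and reports which mechanism actually carried the DMARC verdict, so that mail-flow rules or SIEM logic can treat “dkim_only” passes from unfamiliar signing domains with extra scrutiny. The sample header is the one quoted above; the relaxed-alignment rule is a simplification that ignores organizational-domain lookups.

```python
import re

# Header quoted in the post above (Microsoft 365 Authentication-Results format).
SAMPLE_AUTH_RESULTS = (
    "spf=none (sender IP is 69.169.224.13) smtp.mailfrom=em.37nmtc.com; "
    "dkim=pass (signature was verified) header.d=37nmtc.com;"
    "dkim=pass (signature was verified) header.d=amazonses.com;"
    "dmarc=pass action=none header.from=37nmtc.com;compauth=pass reason=100"
)

_COMMENT = re.compile(r"\([^)]*\)")


def parse_auth_results(header: str) -> list:
    """One dict per method clause: 'method', 'result' and any key=value properties.
    Parenthetical comments are stripped first; they may contain spaces, '=' or ';'."""
    clauses = []
    for raw in _COMMENT.sub("", header).split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        clause = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            clause[key.lower()] = value.lower()
        clauses.append(clause)
    return clauses


def _aligned(domain: str, from_domain: str) -> bool:
    """Simplified relaxed DMARC alignment: equal, or one is a subdomain of the other."""
    return (domain == from_domain or from_domain.endswith("." + domain)
            or domain.endswith("." + from_domain))


def dmarc_pass_basis(header: str) -> dict:
    """Report which mechanism carried the DMARC verdict: dkim_only, spf_only, both or none."""
    clauses = parse_auth_results(header)
    dmarc = next((c for c in clauses if c["method"] == "dmarc"), {})
    spf = next((c for c in clauses if c["method"] == "spf"), {})
    from_domain = dmarc.get("header.from", "")
    dkim_domains = [c["header.d"] for c in clauses
                    if c["method"] == "dkim" and c["result"] == "pass" and "header.d" in c]
    aligned_dkim = [d for d in dkim_domains if _aligned(d, from_domain)]
    spf_ok = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", ""), from_domain)
    basis = {(True, True): "both", (True, False): "dkim_only",
             (False, True): "spf_only", (False, False): "none"}[(bool(aligned_dkim), spf_ok)]
    return {"dmarc": dmarc.get("result"), "spf": spf.get("result"),
            "dkim_domains": dkim_domains, "aligned_dkim": aligned_dkim, "basis": basis}
```

For the header above the function returns basis "dkim_only" with amazonses.com listed as a passing but unaligned signer, which is exactly the pattern worth alerting on when the aligned signing domain has not been seen before.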

Step 2: Cisco Secure redirect

The link attached to the “Review Document” points to a URL from secure-web.cisco.com, a legitimate Cisco domain. This domain is typically used to rewrite links in emails, ensuring recipients do not receive external URLs directly unless they have been vetted and deemed safe by Cisco.

Ironically, if an attacker manages to send an email through Cisco’s Secure Email Gateway containing a link that is not flagged as malicious, they gain an extremely valuable asset: a redirect URL hosted within Cisco’s infrastructure, which users are more likely to trust and which may bypass a lot of detection systems.

Secure “Cisco” phishing link provided in the document
hxxps[:]//secure-web.cisco.com/1aL6ss11Orq2hbHreIVXzBwsVL_VtTGpsnWld4nI4zcao-PH1ayVpw3VCsSc-nkb7tqLEjOiHObISdpA9w_-f5hmMQI_IUeM2i46yl1kSw6GUVsuvQ0hacn91qTFvO3LtCbKhUb8HhT3kE5FU6dHf3OBeUMn4Mc2EePTWYjRH8Fuc-CXFHgmLWmPq0NUQ0EejCYkDDEuZSRC6VMjj84CnS6S-fFa8k_79jvbWe12eJ_mz6jNHzElPPKPC_E8VaIUvXtzUz85bZP3A9v45bIvrjfZ5VbiDdOBke-AAKAbtAtLcMt0U1h68_JBGO2K4PU2KyTwFHUliw9ED1V_SakNA8_1lXEP6FQhBpmQdyiNYQ8qL7GgfgNIcjDnY09J8tG_Mo21Wn_qJzzIFJoWSIYOBgW5Ih_eZ9UxikO_KiH_K5DKFO1QBkmtrpHYphv1vr8qe4qIoDdbQgpwmaQ66O3keJiBNRI8dv8bb-u8waewntfc/https%3A%2F%2Ftracking.us.nylas.com%2Fl%2Fe5fd23c84ad341959b1b1f99863d6ef7%2F0%2Fa2000da7f0c0b9f1da537753529477b583df272c3dbafb1fc15b0afade3ca218%3Fcache_buster%3D1773349270

When the link is opened, the request is sent to Cisco Secure Web infrastructure, which responds with a redirect to the next stage of the attack chain.

Response from Cisco secure-web:

HTTP/2 302 Found
Server: openresty/1.27.1.2
Content-Type: text/html
Content-Length: 0
Talos-Dc-Id: 3
Location: hxxps[:]//tracking.us.nylas.com/l/e5fd23c84ad341959b1b1f99863d6ef7/0/a2000da7f0c0b9f1da537753529477b583df272c3dbafb1fc15b0afade3ca218?cache_buster=1773349270

Step 3: Nylas redirect

After the initial redirect from Cisco Secure Web infrastructure, the request is forwarded to tracking.us.nylas.com.

Nylas is a widely used email API platform that provides services such as email synchronization, tracking, and automation for developers. In this case, the attackers appear to be abusing a link tracking and redirection feature within the platform to move the victim further along the phishing chain.

The use of Nylas’ infrastructure likely stems from the attackers’ need to generate a link that redirects through Cisco’s Secure Web infrastructure without raising suspicion. For this purpose, any well-established and legitimate service that supports the creation of redirection links could have been used.

When the request reaches the Nylas infrastructure, it immediately performs another redirect to the next stage of the attack.

Nylas response:

HTTP/2 301 Moved Permanently
Location: hxxps[:]//infra.infratechcorpsolutionllp.com/MQadYJ7z29BJTL.pdf

By chaining redirects through legitimate services such as Cisco and Nylas, the attackers increase the likelihood that the link will pass security filtering and reputation checks. These domains are widely trusted and commonly observed in legitimate traffic, which makes automated blocking more difficult.

This sends the victim to the next stage of the attack hosted on infra.infratechcorpsolutionllp.com.

Step 4: Compromised infrastructure

The victim is now directed to what appears to be a PDF document:

Figure: Victim taken to compromised infrastructure

The domain infratechcorpsolutionllp.com belongs to what appears to be a legitimate development company based in India. However, the subdomain infra.infratechcorpsolutionllp.com is more suspicious.

Although the redirect from the previous step appears to point to a .pdf file, the server does not deliver a document. Instead, it returns another redirect that forwards the request to a different domain. Our testing revealed that any request to a URL with a non-empty path on this host triggers the same redirect behavior.

Both the main domain and the infra subdomain resolve to the same hosting infrastructure, suggesting the attackers may have gained access to the server and inserted malicious redirection logic pointing to another site:

Response from infra.infratechcorpsolutionllp.com:

HTTP/2 302 Found
Location: hxxps[:]//www-0159.com/

Step 5: Redirect via re-registered domain

After the decoy PDF endpoint, the victim is redirected to www-0159.com. Analysis of the domain’s history shows that it originally existed for several years, having first been registered in 2017 by a Chinese entity. Since then, multiple TLS certificates have been issued for the domain by different certificate authorities around the globe. However, its previous TLS certificate expired on March 7, 2026, and the associated DNS records were released shortly afterwards.

On March 12, 2026, the domain was re-registered and issued several new TLS certificates the same day. The timing strongly suggests the domain was reacquired and repurposed specifically for this campaign.

This technique allows attackers to take advantage of domains that previously had legitimate use and may still carry some residual reputation. Re-registering expired domains can help malicious infrastructure appear less suspicious to automated security systems compared to newly created domains.

From here, the request is redirected once again to the final stage of the attack chain hosted on tradixyu.cfd, where the phishing infrastructure is deployed behind Cloudflare.
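Steps 2 through 5 describe a chain whose first hop is a Cisco link-rewriting URL that carries the sender's real link percent-encoded after an opaque token. The added example below (not code from the original post) recovers that embedded destination and summarises a recorded redirect chain for triage: the hosts traversed, how many redirects were observed, and whether the landing host matches what the rewritten link advertised. The chain data is constructed from the hops named above with the token and Nylas path shortened; the final hop's status code and landing path are assumed, since the write-up does not show them.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed from the hops in Steps 2 to 5: (request URL, status, Location).
# Token and Nylas path are shortened; the last hop's status and path are assumed.
OBSERVED_CHAIN = [
    ("hxxps[:]//secure-web.cisco.com/TOKEN-SHORTENED/"
     "https%3A%2F%2Ftracking.us.nylas.com%2Fl%2FPATH%3Fcache_buster%3D1773349270",
     302, "hxxps[:]//tracking.us.nylas.com/l/PATH?cache_buster=1773349270"),
    ("hxxps[:]//tracking.us.nylas.com/l/PATH?cache_buster=1773349270",
     301, "hxxps[:]//infra.infratechcorpsolutionllp.com/MQadYJ7z29BJTL.pdf"),
    ("hxxps[:]//infra.infratechcorpsolutionllp.com/MQadYJ7z29BJTL.pdf", 302, "hxxps[:]//www-0159.com/"),
    ("hxxps[:]//www-0159.com/", 302, "hxxps[:]//tradixyu.cfd/"),
]


def refang(url: str) -> str:
    """Turn the defanged notation used in the write-up back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def unwrap_cisco_secure_web(url: str) -> Optional[str]:
    """Recover the destination embedded in a secure-web.cisco.com rewritten link.

    Observed format: /<opaque token>/<percent-encoded original URL>. The embedded
    URL is what the sender actually supplied, so it is the value to examine.
    Returns None when the URL is not in that format."""
    parts = urlsplit(refang(url))
    if parts.hostname != "secure-web.cisco.com":
        return None
    segments = parts.path.split("/", 2)  # ['', token, encoded-original]
    if len(segments) < 3 or not segments[2]:
        return None
    inner = unquote(segments[2])
    return inner if inner.startswith(("http://", "https://")) else None


def summarise_chain(chain: list) -> dict:
    """Triage summary of a recorded redirect chain (hosts, hop count, advertised vs landing host)."""
    hosts = [urlsplit(refang(u)).hostname for u, _, _ in chain]
    final = urlsplit(refang(chain[-1][2])).hostname
    embedded = unwrap_cisco_secure_web(chain[0][0])
    embedded_host = urlsplit(embedded).hostname if embedded else None
    return {
        "hops": hosts + [final],
        "redirects": len(chain),
        "embedded_destination": embedded_host,
        "landing_host": final,
        "landing_matches_embedded": final == embedded_host,
        # Review threshold is an assumption for illustration, not a published heuristic.
        "needs_review": len(chain) >= 3 and final != embedded_host,
    }
```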

Step 6: Anti-bot/human validation page

Tradixyu.cfd’s hosting environment uses Cloudflare, which obscures the origin server and provides an additional layer of protection for the attacker’s infrastructure.

When the victim reaches this stage, they are presented with a browser validation check requiring manual interaction. This step is designed to block automated analysis tools, sandbox environments, and security scanners that attempt to follow malicious links.

Figure: Validation page

Only after the user completes the validation does the site continue loading the phishing content. The page then reports that the system is “compliant” before ultimately redirecting the victim to a fake Microsoft 365 login page.

Step 7: Final Microsoft credential phishing page

This very convincing phishing page is designed to harvest credentials. Like the rest of the attack chain, this step is carefully constructed, from a fake loading animation imitating Outlook to a check that validates whether the user input is actually an email address. As the final step, the site attempts a legitimate login to verify that the captured credentials are valid.

Figure: Sign-in page

Observations

The characteristics of this attack seem to point towards Kratos, a relatively new Phishing-as-a-Service (PhaaS) kit that has recently been gaining popularity because of the number of features it offers: the ability to mimic legitimate sites, analysis-prevention measures, and several quality-of-life functions that make launching and operating complex campaigns easier.

Campaigns like this demonstrate how modern phishing operations increasingly rely on layered infrastructure and legitimate services to evade detection. They also show that phishing has become another of cybercrime’s “industries” that is getting more “professional”, with groups and organizations specializing in the development and maintenance of ever more complex features.

In this case, the attackers combined DKIM-signed email delivery, trusted redirect infrastructure, compromised web servers, and Cloudflare-protected phishing pages to disguise the final credential harvesting stage. This type of attack highlights that even when users are trained to recognise suspicious emails, well-crafted phishing campaigns can still succeed.

“The volume and quality of what is available to threat actors, including state-sponsored ones, is significant and growing. The idea that a password, or even a password plus a standard multi-factor authentication (MFA) prompt, is adequate defense against a persistent, well-resourced adversary is increasingly difficult to sustain.
“AI-assisted phishing in particular is raising the baseline quality of social engineering attempts to a level where even security-aware users will periodically fail. That is not a criticism of users, it is a structural reality security teams need to design around.
“The right response is not to try harder to make users infallible. It is to build architectures where a compromised credential alone cannot hand an attacker a meaningful foothold.”

Martin Jartelius, Product Director at Outpost24, commenting on the attack

To counter this, organizations increasingly need controls that validate both the user identity and the security posture of the device requesting access.

Mitigation strategies

A practical defence against attacks like this is device-bound Zero Trust access, where authentication decisions depend not only on user identity but also on the security state of the device making the request.

Specops Device Trust, our zero trust access solution, enables organizations to enforce this model by continuously validating device posture before granting access to corporate applications and resources. With device-bound access controls in place:

  • Stolen credentials alone cannot be used to access protected resources
  • Authentication requests must originate from known, policy-compliant devices
  • Access decisions can incorporate real-time device posture checks, including operating system configuration and security controls
  • If a device falls out of compliance, access can be blocked or restricted until remediation occurs

By binding authentication to verified devices rather than credentials alone, organizations can significantly reduce the impact of phishing campaigns designed to harvest passwords and session tokens.

Last updated on April 1, 2026

Written by

Hector Garcia

Hector entered the cybersecurity industry back in 2018 as an Ethical Hacker, performing Pentesting and RedTeaming tasks, but gradually shifted his focus towards Threat Intelligence, which is where he is today, entrenched in the inner workings of malware and all that surrounds it.
