Attackers are combining trusted services and layered infrastructure to avoid detection and harvest credentials in a newly uncovered phishing campaign.
Researchers at Outpost24 reported earlier today that the operation, identified on March 13, 2026, used a complex chain of redirects to impersonate Cisco and ultimately target Microsoft 365 accounts. The target of this attack was a C-level executive at Outpost24, highlighting the sophistication of the attack.
The attack began with a convincing phishing email posing as a financial document request from JPMorgan Chase. The message was designed to look like it was part of an existing email thread.
The email passed authentication checks thanks to valid DKIM signatures, bypassing standard Microsoft 365 protections despite lacking a proper SPF record.
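A defender-side triage check for the pattern just described, a DKIM pass with no SPF pass, written as an added example that is not from Outpost24's report. It goes one step beyond the article by also checking whether the DKIM signing domain aligns with the From domain; the sample message, the `mx.example.net` receiver name and all domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a message from the campaign; all domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=none smtp.mailfrom=billing.example.org;
 dkim=pass header.d=mailer.example.com;
 dmarc=none header.from=billing.example.org
From: "JPMorgan Chase" <docs@billing.example.org>
Subject: RE: Document request

(body omitted)
"""

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
DKIM_D_RE = re.compile(r"\bheader\.d=([\w.-]+)", re.I)


def aligned(signer: str, author: str) -> bool:
    # Simplified relaxed alignment: equal, or one is a parent of the other.
    # A production check compares organizational domains via the Public Suffix List.
    return signer == author or author.endswith("." + signer) or signer.endswith("." + author)


def auth_findings(raw: str, trusted: str = "mx.example.net") -> list[str]:
    msg = message_from_string(raw)
    verdicts, signers = {}, []
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())  # unfold continuation lines
        # Only trust results stamped by our own receiver (the authserv-id).
        if flat.split(";")[0].strip().lower() != trusted:
            continue
        for method, verdict in VERDICT_RE.findall(flat):
            verdicts.setdefault(method.lower(), set()).add(verdict.lower())
        signers += [d.lower() for d in DKIM_D_RE.findall(flat)]
    if not verdicts:
        return ["no-trusted-authentication-results"]
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if "pass" in verdicts.get("dkim", ()) and "pass" not in verdicts.get("spf", ()):
        findings.append("dkim-pass-without-spf-pass")
    if signers and not any(aligned(d, author) for d in signers):
        findings.append("dkim-signer-not-aligned-with-from")
    if "pass" not in verdicts.get("dmarc", ()):
        findings.append("no-dmarc-pass")
    return findings


if __name__ == "__main__":
    print(auth_findings(SAMPLE))
```

Findings like these are triage signals to weigh alongside link and sender-history checks, since plenty of legitimate bulk mail is DKIM-signed by a third-party sender.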
Victims who clicked the embedded link were routed through a legitimate Cisco Secure Web URL, then redirected via the email platform Nylas. This combination of reputable services helped the malicious link evade security filters based on domain reputation.
Layered Infrastructure Enabled Evasion
The campaign continued through compromised infrastructure hosted on a legitimate business domain, followed by a re-registered domain that had recently expired, possibly chosen to retain residual trust.
From there, users were directed to a phishing environment protected by Cloudflare, which included a “human verification” step to block automated security analysis.
Only after completing this check were victims shown a realistic Microsoft 365 login page designed to capture credentials and validate them in real time.
Outpost24 attributed the campaign’s sophistication to emerging Phishing-as-a-Service (PhaaS) kits, possibly linked to the “Kratos” platform. The tools enabled attackers to deploy advanced evasion techniques with minimal effort. It is estimated that by the end of 2026, over 90% of all credential compromise attacks will be enabled by modular PhaaS kits like this one.
“The idea that a password, or even a password plus a standard multi-factor authentication prompt, is adequate defense against a persistent, well-resourced adversary is increasingly difficult to sustain,” warned Martin Jartelius, Product Director at Outpost24, commenting on the campaign.
The campaign reflects the growing industrialization of phishing. KnowBe4 research estimates the number of active PhaaS kits doubled during 2025, with platforms like Kratos enabling attackers to deploy sophisticated evasion chains with minimal technical skills.
“The right response is not to try harder to make users infallible,” Jartelius added. “It is to build architectures where a compromised credential alone cannot hand an attacker a meaningful foothold.”