Sophisticated Phishing Attack Targets Outpost24 C-Level Executive Using Kratos Kit A high-profile phishing attack targeted a C-level executive at Outpost24, a Swedish exposure management and identity security firm, leveraging the recently identified Kratos phishing-as-a-service (PhaaS) kit. The attack, analyzed by Outpost24’s subsidiary Specops Software, employed a seven-step chain of redirects through trusted services to evade detection and trick the victim. The phishing email, disguised as a legitimate message from JP Morgan, appeared as part of an existing email thread to enhance credibility. It included two DKIM signatures to bypass DMARC authentication, making it appear trustworthy. The malicious link initially pointed to Cisco’s secure-web.cisco.com, a legitimate domain used for URL rewriting, which passed Cisco’s Secure Email Gateway validation. From there, the attack redirected through Nylas, an email API platform, before funneling the victim to a subdomain of a legitimate Indian development company. The final redirect led to a repurposed domain originally registered in 2017 by a Chinese entity, which had been reacquired on March 12 just days after its TLS certificate expired suggesting deliberate repurposing for the campaign. The last stage of the attack used Cloudflare-protected infrastructure to conceal the origin server, serving a browser validation check to evade security analysis. The victim was then presented with a convincing Microsoft 365 phishing page, complete with a fake Outlook loading animation and real-time credential validation to ensure stolen logins were functional. While Specops did not attribute the attack to a specific threat actor, the tactics align with those of Iran-linked groups recently targeting U.S. entities. However, similar techniques have been observed across multiple hacking collectives, leaving attribution uncertain. The incident underscores the growing sophistication of phishing campaigns, particularly those leveraging trusted infrastructure to bypass security controls.