7-Stage Phishing Chain Targets Outpost24 C-Suite via Redirects
- [01] Attackers targeted a cybersecurity executive to harvest high-value credentials and potentially bypass internal security controls.
- [02] Corporate email systems and web browsers are the primary vectors for this 7-stage redirect-based phishing campaign.
- [03] Organizations must deploy advanced email security and enforce phishing-resistant multi-factor authentication to stop multi-stage credential theft.
A highly targeted phishing campaign recently struck a C-suite executive at the cybersecurity firm Outpost24, using a complex seven-stage redirect chain designed to bypass traditional security filters. According to Dark Reading, the attackers leveraged trusted brands and legitimate domains to obscure the malicious intent of the campaign and successfully deliver a credential-harvesting payload to the target.
Outpost24 Executive Phishing Campaign Analysis
The sophistication of this attack lies in its multi-layered approach to evasion. Rather than sending a direct link to a malicious site, the threat actors constructed a 7-stage journey that redirected the user through various legitimate services. This TTP is specifically designed to defeat automated email scanning and sandboxing technologies that often fail to follow long or complex redirect chains.
The attack began with a fraudulent email designed to appear as a legitimate business communication. The initial link in the email directed the victim to a legitimate domain—in this case, utilizing platforms like Indeed and other trusted cloud services—to establish a baseline of trust for both the user and the automated security scanners. By using high-reputation domains, the attackers ensured the email would pass initial SPF, DKIM, and DMARC checks, which are the primary defenses for many SOC teams.
How to Detect 7-Stage Phishing Attacks
Detecting such elaborate campaigns requires visibility beyond the initial email gateway. In the Outpost24 incident, the attackers utilized Cloudflare Turnstile, a CAPTCHA alternative, as one of the stages. This serves two purposes: it adds an air of legitimacy to the interaction and, more importantly, it blocks automated security crawlers and bots from reaching the final credential-theft page.
Security professionals trying to detect 7-stage phishing attacks should focus on analyzing network traffic for unusual redirect patterns. While each individual domain in the chain may be benign, a rapid transition through multiple unrelated high-reputation domains is a significant IoC. Security teams should configure their SIEM or EDR platforms to flag instances where a user navigates through more than three or four redirects originating from an external email link.
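The detection rule described above, written out as an added example (not code from the article or from Outpost24): it walks a constructed proxy log, stitches together the hops a user makes in the seconds after an email click, and raises a finding when the chain exceeds the article's three-redirect threshold and spans several unrelated domains. The log layout, the `.example` domains, the 5-second gap and the domain-count threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article). Fields: time user url status referrer_class,
# where referrer_class "email" marks a click that originated in the mail client.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice https://jobs.trusted-a.example/r?u=xyz 302 email
2024-05-01T09:00:01 alice https://files.trusted-b.example/l/abc 302 web
2024-05-01T09:00:02 alice https://challenge.trusted-c.example/turnstile 200 web
2024-05-01T09:00:04 alice https://edge.trusted-d.example/x 302 web
2024-05-01T09:00:05 alice https://login.attacker-controlled.example/office 200 web
2024-05-01T10:00:00 bob https://intranet.corp.example/page 302 email
2024-05-01T10:00:01 bob https://docs.corp.example/file 200 web
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
MAX_HOPS = 3                # the article: flag chains beyond three or four redirects
MIN_DOMAINS = 3             # assumed: several unrelated domains is the distinguishing trait
GAP = timedelta(seconds=5)  # assumed: hops of one redirect chain land within seconds

def registrable_domain(url):
    """Crude eTLD+1 (last two labels); use a Public Suffix List library in production."""
    return ".".join(urlparse(url).hostname.lower().split(".")[-2:])

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, url, status, ref = m.groups()
            events.append((datetime.fromisoformat(ts), user, url, int(status), ref))
    return sorted(events)

def find_redirect_chains(text):
    """Return one finding per email click that fanned out into a long, multi-domain redirect chain."""
    findings, chain = [], None  # chain: (user, last_ts, [urls]) still being extended
    def flush():
        if chain and len(chain[2]) > MAX_HOPS:
            domains = {registrable_domain(u) for u in chain[2]}
            if len(domains) >= MIN_DOMAINS:
                findings.append({"user": chain[0], "hops": len(chain[2]),
                                 "domains": sorted(domains), "final_url": chain[2][-1]})
    for ts, user, url, _status, ref in parse_log(text):
        if chain and user == chain[0] and ts - chain[1] <= GAP:
            chain = (user, ts, chain[2] + [url])   # same user, within the gap: extend
            continue
        flush()                                    # chain ended; score it
        chain = (user, ts, [url]) if ref == "email" else None
    flush()
    return findings
```

Run against the sample, alice's five-hop chain across five unrelated domains is reported while bob's two-hop intranet click is not; in a SIEM the same logic maps to a sequence rule keyed on user and time window.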
Preventing Credential Theft Through Multi-Stage Redirects
The final stage of the Outpost24 attack was a pixel-perfect replica of a Microsoft login page, hosted on compromised or attacker-controlled infrastructure. This page was designed to harvest corporate credentials, which could then be used for lateral movement or to establish a C2 channel within the target organization’s network.
To prevent credential theft through multi-stage redirects, organizations must move beyond password-based security. The adoption of a Zero Trust architecture, specifically using FIDO2-compliant hardware security keys, remains the most effective defense against this level of social engineering. Because these hardware keys are tied to the specific domain they are registered with, they will not provide credentials to a phishing site, regardless of how many redirects or legitimate domains the attacker uses to mask the final destination.
Technical Recommendations and Mitigations
Defenders should prioritize the following actions to mitigate the risk of multi-stage phishing:
- Enhance URL Sandboxing: Configure email security gateways to perform deep-link analysis and follow redirects to their ultimate destination, even if they pass through CAPTCHAs or legitimate cloud workers.
- Domain Monitoring: Monitor for brand impersonation and the unauthorized use of corporate logos on third-party hosting services.
- User Training: While technical controls are primary, educating high-value targets about the risks of multi-stage redirects and the importance of verifying the URL bar before entering credentials remains a necessary layer of defense.
- Implement Phishing-Resistant MFA: Replace SMS or TOTP-based multi-factor authentication with phishing-resistant methods to ensure that even if a password is stolen, the account remains secure.