
Outpost24 executive targeted in sophisticated phishing attack


On March 16, 2026, it was reported by Specops and SecurityWeek that a C-level executive at Outpost24 was targeted in a highly engineered phishing operation that used trusted email and web infrastructure to make the lure look ordinary and safe.


What happened

Specops Software, an Outpost24 subsidiary, said its threat intelligence team discovered the campaign on March 13 and described it as a multi-chain redirect attack that impersonated JP Morgan inside what looked like an existing email thread. The email asked the recipient to review and sign a document, which is a familiar business action and therefore easy to normalize in a crowded inbox. Specops also found that the message carried two valid DKIM signatures, including one tied to Amazon SES, which allowed it to pass DMARC even without a valid SPF record and appear trustworthy to Microsoft 365 protections.
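The DMARC decision the article describes, as an added example that is not from the article, Specops or Outpost24: DMARC passes when either SPF or a DKIM signature verifies and aligns with the visible From domain, so a failing SPF check no longer matters once one aligned DKIM signature is valid. The sample header values, the placeholder domains and the two-label organizational-domain shortcut are constructed assumptions; real implementations use the Public Suffix List.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Simplification (assumption): treat the last two labels as the organizational
    # domain. Production DMARC code must consult the Public Suffix List instead.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_sigs: list    # [(result, d= domain), ...], one entry per signature


def evaluate_dmarc(res: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    spf_aligned = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, aspf)
    valid = [d for r, d in res.dkim_sigs if r == "pass"]
    aligned_dkim = [d for d in valid if aligned(d, res.from_domain, adkim)]
    third_party = [d for d in valid if not aligned(d, res.from_domain, adkim)]
    passed = spf_aligned or bool(aligned_dkim)
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "aligned_dkim": aligned_dkim,
        "third_party_dkim": third_party,   # valid signers that did not align, worth logging
        "dkim_only": passed and not spf_aligned,  # passed purely on DKIM, as in the article
    }


# Constructed sample: SPF fails, but an aligned signature and a second signature
# from a bulk-sending service (amazonses.com) are both valid, so DMARC passes.
SAMPLE = AuthResults(
    from_domain="impersonated-bank.example",
    spf_result="fail",
    spf_domain="bounce.bulk-sender.example",
    dkim_sigs=[("pass", "impersonated-bank.example"), ("pass", "amazonses.com")],
)

if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE))
```

A DMARC pass only says that a signer aligned with the From domain authorized the message; a `dkim_only` pass carrying extra third-party signatures is a condition a mail-security team can log and review rather than treat as proof the content is safe.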

SecurityWeek added that the firm confirmed the intended victim was a senior executive, which helps explain the amount of effort invested in the lure, infrastructure, and validation steps. Specops said the operation likely aligns with the newer Kratos phishing-as-a-service ecosystem, but neither Specops nor SecurityWeek made a firm attribution to a named threat actor.


In the know

Specops mapped the intrusion path into seven connected stages, and the sequence matters because each hop was designed to borrow trust from a real service or previously legitimate asset.

  • Stage one was the initial JP Morgan-themed lure, presented as part of an existing thread and authenticated with passing DKIM and DMARC results.
  • Stage two sent the victim to a secure-web.cisco.com link, which worked because Cisco Secure Email rewrites and analyzes URLs as part of its normal defense workflow.
  • Stage three redirected the victim through tracking.us.nylas.com, where Nylas message-tracking infrastructure can monitor clicks and other engagement events.
  • Stage four moved the victim to a suspicious subdomain on the site of an apparently legitimate development company in India, where a fake PDF path triggered another redirect instead of delivering a document.
  • Stage five pushed the victim through www-0159.com, a domain first registered in 2017, allowed to lapse, and then re-registered on March 12, 2026 with fresh certificates, suggesting deliberate repurposing.
  • Stage six placed the victim behind Cloudflare-protected phishing infrastructure and a human-validation check meant to frustrate scanners and sandboxes.
  • Stage seven delivered a polished Microsoft 365 credential page with an Outlook-like loading animation and a final credential check intended to verify the stolen login worked.
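An offline triage helper for the kind of redirect chain listed above, added here as an example and not code from the article or from Specops. It scores a recorded chain of hops on indicators the article calls out: a legitimate URL rewriter or click tracker fronting later hops, a document-looking path that answers with a redirect instead of a file, a recently registered domain, and sheer chain length. The chain below is constructed from the stages described (with placeholder hosts where the article names none), and the hop list, status codes and registration dates are assumed to have been captured by the analyst beforehand.

```python
from datetime import date
from urllib.parse import urlsplit

# Reference sets: services named in the article whose hop is legitimate on its own
LINK_REWRITERS = {"secure-web.cisco.com"}
CLICK_TRACKERS = {"tracking.us.nylas.com"}
TRUSTED = LINK_REWRITERS | CLICK_TRACKERS
DOC_EXTENSIONS = (".pdf", ".doc", ".docx")


def hop_indicators(hop: dict, observed: date, fresh_days: int = 7) -> list:
    """Risk indicators for one hop: {"url": str, "status": int, "registered": date | None}."""
    parts = urlsplit(hop["url"])
    host, path = parts.hostname or "", parts.path.lower()
    flags = []
    if host in LINK_REWRITERS:
        flags.append("url-rewriter")
    if host in CLICK_TRACKERS:
        flags.append("click-tracker")
    # A "document" URL that answers with a 3xx never delivered a document
    if path.endswith(DOC_EXTENSIONS) and 300 <= hop["status"] < 400:
        flags.append("document-path-redirect")
    reg = hop.get("registered")
    if reg is not None and (observed - reg).days <= fresh_days:
        flags.append("recently-registered")
    return flags


def triage_chain(chain: list, observed: date, max_hops: int = 3) -> dict:
    """Aggregate per-hop indicators into a verdict for the whole chain."""
    hosts = [urlsplit(h["url"]).hostname or "" for h in chain]
    all_flags = {f for h in chain for f in hop_indicators(h, observed)}
    reasons = sorted(all_flags - {"url-rewriter", "click-tracker"})
    if len(chain) > max_hops:
        reasons.append("hops>%d" % max_hops)
    # Trust borrowed from a real service is only a problem when it fronts untrusted hops
    if hosts and hosts[0] in TRUSTED and any(h not in TRUSTED for h in hosts[1:]):
        reasons.append("trusted-service-fronting-untrusted-hop")
    return {"hops": len(chain), "domains": len(set(hosts)),
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed chain modelled on the stages in the article; placeholder hosts are
# invented, the www-0159.com registration date is the one the article reports.
SAMPLE_CHAIN = [
    {"url": "https://secure-web.cisco.com/rewrite/placeholder", "status": 302, "registered": None},
    {"url": "https://tracking.us.nylas.com/placeholder", "status": 302, "registered": None},
    {"url": "https://sub.dev-company-placeholder.example/files/contract.pdf", "status": 302, "registered": None},
    {"url": "https://www-0159.com/placeholder", "status": 302, "registered": date(2026, 3, 12)},
    {"url": "https://login-placeholder.example/", "status": 200, "registered": None},
]

if __name__ == "__main__":
    print(triage_chain(SAMPLE_CHAIN, observed=date(2026, 3, 13)))
```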


What was said

According to Martin Jartelius, Product Director at Outpost24, in the post, “AI-assisted phishing in particular is raising the baseline quality of social engineering attempts to a level where even security-aware users will periodically fail. That is not a criticism of users, it is a structural reality security teams need to design around. The right response is not to try harder to make users infallible. It is to build architectures where a compromised credential alone cannot hand an attacker a meaningful foothold.”


Why it matters

A staff member who sees a trusted-looking sender, then a Cisco-branded redirect, then another legitimate service in the chain may treat the message as routine instead of risky. For healthcare organizations, the Outpost24 incident matters because the same layered phishing design can be used against hospitals, clinics, health plans, and business associates that rely every day on Microsoft 365, cloud email, secure gateways, document-signing workflows, and third-party communication platforms.

HHS has continued to treat phishing-related exposure as a major compliance issue, including a 2025 OCR settlement with PIH Health over a phishing attack that exposed unsecured ePHI and prior OCR action involving phishing-compromised workforce email accounts. A peer-reviewed healthcare cybersecurity research paper published in Frontiers in Digital Health also shows why layered social engineering remains effective, and one NCBI-hosted article states that technology alone cannot completely prevent this issue.



FAQs

How is AI phishing different from regular phishing?

AI makes phishing faster, more convincing, and easier to personalize at scale. Attackers can generate better writing, mimic tone, translate messages, and create fake conversations that look more realistic than older phishing attempts.


Can AI make phishing emails look more legitimate?

Yes. AI can improve grammar, match business writing style, and tailor messages to a person’s job, company, or recent activity, which makes the email feel more credible.


How do attackers use AI in phishing campaigns?

Attackers can use AI to write email copy, create fake login pages, generate subject lines, impersonate brands, summarize public information about targets, and test which messages are most likely to get clicks.


What is spear phishing and how does AI make it worse?

Spear phishing is a targeted phishing attack aimed at a specific person or team. AI makes it worse by helping attackers quickly build personalized lures using public data like job titles, company names, recent events, and writing style.
