A sophisticated attack campaign has been uncovered in which cybercriminals are weaponizing Cisco’s own security infrastructure to conduct phishing attacks.
The attackers are exploiting Cisco Safe Links technology, which is designed to protect users from malicious URLs, to evade detection systems and bypass network filters by leveraging the trust associated with Cisco’s security brand.
Key Takeaways
1. Attackers use legitimate Cisco Safe Links to hide malicious URLs, exploiting Cisco's trusted reputation.
2. Security systems trust Cisco domains, allowing malicious wrapped URLs through filters.
3. Context-aware AI detects these attacks through behavioral analysis.
Turning Security Tools into Weapons
According to Raven AI analysis, the attack vector exploits Cisco Safe Links, a component of Cisco’s Secure Email Gateway and Web Security suite that rewrites suspicious URLs in emails, routing clicks through Cisco’s scanning infrastructure at secure-web.cisco[.]com.
Attackers have discovered multiple methods to generate legitimate Cisco Safe Links for malicious purposes.
The primary techniques include compromising accounts within Cisco-protected organizations to generate Safe Links by emailing themselves malicious URLs, exploiting cloud services that send emails through Cisco-protected environments, and recycling previously generated Safe Links from earlier campaigns.
When users see URLs beginning with secure-web.cisco[.]com, they instinctively trust the link due to Cisco’s reputation in cybersecurity, creating what researchers term “trust by association.”
The attack bypasses traditional email security gateways because many systems focus their analysis on visible domains in URLs.
When the domain displays as secure-web.cisco[.]com, it often passes through filters that would otherwise flag suspicious content.
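The gap described above is that filters judge the visible wrapper domain instead of where the link actually leads. The following added example (not code from the article, Cisco or Raven AI) shows a defender-side check that unwraps a gateway-style rewritten URL and assesses the effective destination host. The exact Safe Links encoding is not documented on the page, so the code assumes the wrapped destination appears as a percent-encoded absolute URL in the wrapper's path or query, and the wrapper host list and sample URLs are constructed for illustration.

```python
"""Assess a link by its effective destination, not its visible wrapper host.

Assumption (not from the article): a rewritten link carries the original
destination as a percent-encoded absolute URL in its path or query string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts known to forward clicks elsewhere (constructed list for this example).
WRAPPER_HOSTS = {"secure-web.cisco.com"}

# An absolute http(s) URL, either plain or percent-encoded, embedded in text.
_EMBEDDED_URL = re.compile(r"https?(?::|%3A)(?:/|%2F){2}[^\s&]+", re.IGNORECASE)


def unwrap(url: str, max_depth: int = 5) -> str:
    """Follow wrapper-of-wrapper chains and return the final destination URL."""
    for _ in range(max_depth):  # bounded: a wrapper may wrap another wrapper
        parts = urlsplit(url)
        if parts.hostname not in WRAPPER_HOSTS:
            return url
        pieces = [parts.path] + [v for vs in parse_qs(parts.query).values() for v in vs]
        candidate = None
        for piece in pieces:
            match = _EMBEDDED_URL.search(piece)
            if match:
                candidate = unquote(match.group(0))  # decode one layer per hop
                break
        if candidate is None:
            return url  # wrapper with no recoverable destination: leave as-is
        url = candidate
    return url


def assess(url: str, trusted_destinations: set) -> dict:
    """Report visible host vs. destination host and whether review is warranted."""
    visible_host = urlsplit(url).hostname or ""
    destination = unwrap(url)
    destination_host = urlsplit(destination).hostname or ""
    wrapped = destination != url
    return {
        "visible_host": visible_host,
        "destination_host": destination_host,
        "wrapped": wrapped,
        # A trusted-looking wrapper pointing at an unknown host is the case the filter misses.
        "flag_for_review": wrapped and destination_host not in trusted_destinations,
    }


if __name__ == "__main__":
    # Constructed sample: a "Document Review Request" link wrapped by the gateway.
    sample = "https://secure-web.cisco.com/1abc/https%3A%2F%2Fevil.example%2Flogin"
    print(assess(sample, {"docs.example.com"}))
```

The check complements, rather than replaces, sender and workflow signals: a wrapped link to an unfamiliar host is a reason to inspect, not proof of phishing.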
Additionally, attackers exploit the time gap between when new threats emerge and when Cisco’s threat intelligence systems can identify and classify them as malicious.
Traditional security solutions struggle with these attacks because they appear legitimate at every technical level.
The malicious elements are hidden in context and behavioral patterns rather than obvious technical indicators.
Recent examples detected by Raven AI included professional-looking “Document Review Request” emails from purported e-signature services, complete with proper branding and business terminology.
Raven AI’s context-aware artificial intelligence successfully identified these attacks by analyzing multiple signals simultaneously, including inconsistent sender identities, suspicious URL structure with encoded parameters, and document request patterns commonly used in credential phishing.
The system’s ability to understand legitimate business workflows allows it to identify when communications deviate from expected patterns, even when they appear professionally crafted.
This represents a fundamental shift in cybersecurity threats, where attackers exploit human psychology and business processes rather than just technical vulnerabilities.
The weaponization of trusted security infrastructure like Cisco Safe Links demonstrates the need for advanced, context-aware detection systems that can identify attacks based on intent and behavioral patterns rather than relying solely on domain reputation and signature-based detection methods.