Weaponization of Cisco Safe Links in Phishing Campaigns

In August 2025, Raven AI uncovered a sophisticated phishing campaign that leveraged Cisco’s “Secure Links” – a trusted security feature – to deliver credential harvesting payloads. By embedding malicious content behind URLs rewritten by Cisco’s Secure Email Gateway, attackers bypassed traditional defenses and exploited users’ implicit trust in the Cisco brand. This incident underscores a critical shift in phishing tactics: abusing trusted security infrastructure to conceal malicious intent.

Severity Level: Moderate

Threat Details

• Initial Attack Vector
  • Social engineering through phishing emails containing malicious URLs obfuscated behind Cisco’s trusted Safe Links mechanism (e.g., https://secure-web.cisco.com/…).
• Cisco Safe Link Abuse Techniques
  • Inside Job: Attackers use internal accounts in Cisco-protected orgs to auto-generate Safe Links.
  • Trojan Horse: Compromised internal emails are used to legitimize malicious URLs via Cisco’s rewriting.
  • SaaS Backdoor: Attackers trigger automated emails from SaaS platforms secured by Cisco.
  • Recycling Program: Previously used Safe Links still active are reused in new phishing waves.
• Social Engineering & Payload Delivery
  • Emails impersonated legitimate services such as electronic signature providers or financial document workflows.
  • Common lures included requests for document review, remittance confirmations, or signature completion with professional branding and realistic formatting.
  • The embedded links, although pointing to malicious destinations, were obfuscated through Cisco’s legitimate domain (secure-web.cisco.com), bypassing traditional link inspection filters.
• Attack Goals: Redirect victims to phishing pages disguised as login portals or document review sites to steal user credentials.
• This case illustrates a new wave of threats that focus less on evading detection with novel payloads and more on abusing the security infrastructure itself to gain legitimacy. It signals a paradigm shift where trust becomes the attack surface.

Recommendations

1. Implement layered email filtering that inspects full redirect chains, not just trusted base domains.
2. Train employees that “secure-web.cisco.com” does not always mean safe. Encourage suspicion of unexpected requests.
3. Train users to validate unexpected document review or payment adjustment requests via alternate communication channels.
4. Run regular phishing simulations including Safe Links–like scenarios to measure awareness.
5. Keep email security gateways, Cisco infrastructure, and AI-driven detection systems updated.

Source:

• https://ravenmail.io/blog/phishing-with-cisco-secure-links

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.