Weaponization of Cisco Safe Links in Phishing Campaigns
Mine2 Team · 3 min read
Threat Intelligence · #cisco #safe-links #phishing


Raven AI has uncovered a phishing campaign exploiting Cisco's Safe Links feature to deliver credential-harvesting payloads. By abusing trusted Cisco domains, attackers bypass defenses and exploit end-user trust.


Overview

In August 2025, Raven AI researchers discovered a phishing campaign abusing Cisco's Safe Links feature — a core part of its Secure Email Gateway (SEG) — to deliver credential-harvesting payloads.

  • Malicious URLs were embedded behind rewritten Cisco Safe Links (e.g., https://secure-web.cisco.com/...).
  • The trusted Cisco-branded URLs allowed attackers to bypass filtering tools and exploit end-user confidence.
  • This marks a new phishing paradigm: adversaries are no longer only impersonating brands — they are misusing the infrastructure of trusted security providers themselves.

Threat Details

Initial Attack Vector

  • Phishing emails with embedded malicious URLs rewritten by Cisco Safe Links.
  • Targets included finance, legal, and operations staff.
  • Inside Job – Compromised accounts within Cisco-protected orgs auto-generated Safe Links.
  • Trojan Horse – Malicious URLs inserted into legitimate email threads.
  • SaaS Backdoor – Links smuggled in via legitimate SaaS notifications (e-signature portals, invoice tools).
  • Recycling Program – Attackers reused still-valid old Safe Links in new waves.

Social Engineering & Payload Delivery

  • Impersonated services: DocuSign, HR portals, finance systems.
  • Common lures: "document review", "remittance notice", "digital signature".
  • The wrapper domain (secure-web.cisco.com) enhanced trust.
  • Final payload: credential harvesting portals styled as corporate login pages.

Attack Goals

  • Credential Theft → targeting corporate SaaS platforms (O365, Google Workspace, ERP).
  • Persistence → maintain unauthorized account access via harvested credentials.
  • Monetization → enable Business Email Compromise (BEC) and payment fraud schemes.

Why This Matters

This campaign reflects a paradigm shift in phishing strategy:

  • Attackers weaponize brand trust in security vendors instead of relying purely on obfuscation or novel malware.
  • Cisco's domain (secure-web.cisco.com) is commonly whitelisted, limiting detection by security teams.
  • Trust has become the attack surface — adversaries are exploiting the implicit credibility assigned to Cisco's infrastructure.

Recommendations

For Organizations

  • Inspect the entire redirect chain, not only the Cisco base domain.
  • Tune SEG/EDR/ML detection to evaluate Safe Links' final destinations.
  • Deploy defense-in-depth: DNS filtering, proxy-based URL inspection, zero-trust access.
  • Run phishing simulations using Safe Links–like URLs to measure resilience.
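As an added example (not code from the Raven AI or MINE2 report), the following Python check does what the first two recommendations describe: it unwraps a rewritten link to recover the final destination, then judges that destination rather than the secure-web.cisco.com wrapper. The wrapper layout (/<token>/<percent-encoded original URL>), the allowlist and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlparse, unquote

WRAPPER_HOSTS = {"secure-web.cisco.com"}
# Constructed allowlist: destinations this hypothetical org expects its users to reach.
TRUSTED_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "docusign.com"}
# Brands the campaign impersonated; a non-trusted final host carrying one is a lookalike.
IMPERSONATED = ("docusign", "microsoft", "office365", "sharepoint")


def unwrap(url: str, max_depth: int = 5) -> str:
    """Peel wrapper layers until a non-wrapper URL remains (handles re-wrapped links)."""
    for _ in range(max_depth):
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() not in WRAPPER_HOSTS:
            return url
        # Assumed layout: /<token>/<percent-encoded original URL>
        segments = parsed.path.split("/", 2)  # ['', token, encoded target]
        if len(segments) < 3 or not segments[2]:
            return url  # malformed wrapper: keep it visible instead of dropping it
        encoded = segments[2] + ("?" + parsed.query if parsed.query else "")
        url = unquote(encoded)
    return url


def is_trusted(host: str, trusted=TRUSTED_HOSTS) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess(url: str, trusted=TRUSTED_HOSTS) -> dict:
    """Return the unwrapped destination plus the reasons (if any) it should be flagged."""
    final = unwrap(url)
    host = (urlparse(final).hostname or "").lower()
    reasons = []
    if host in WRAPPER_HOSTS or not host:
        reasons.append("could not recover final destination from wrapper")
    elif not is_trusted(host, trusted):
        reasons.append(f"final host {host} is outside the allowlist")
        if any(brand in host for brand in IMPERSONATED):
            reasons.append("final host imitates an impersonated brand")
    if urlparse(final).scheme == "http":
        reasons.append("final destination is plain HTTP")
    return {"final_url": final, "final_host": host,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not taken from the campaign.
    for s in ("https://secure-web.cisco.com/1AbCdEf/https%3A%2F%2Fdocusign-review.example.net%2Fsign",
              "https://secure-web.cisco.com/1AbCdEf/https%3A%2F%2Flogin.microsoftonline.com%2F"):
        print(assess(s))
```

Feed it the href of every link in inbound mail or proxy logs; the interesting events are those where the wrapper host is trusted but `suspicious` is true.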

For Employees / End Users

  • ⚠️ Do not assume Cisco Safe Links = safe.
  • Cross-verify sensitive requests (payments, signatures) via secondary channels.
  • Hover over Safe Links to preview the full destination path.
  • Report any suspicious Safe Links to security teams.

Conclusion

The weaponization of Cisco Safe Links highlights a critical evolution in phishing tradecraft: attackers are abusing trusted security infrastructure itself to cloak malicious intent.

  • Organizations must adjust defenses to analyze beyond trusted wrappers,
  • Employees must be taught that "Cisco Safe Links ≠ safe by default", and
  • Security teams must prepare for a future where trust abuse is a core phishing tactic.

Key Takeaway: Trust in branded domains is no longer enough. Only by monitoring full redirect paths, governing SaaS integrations, and running continuous phishing awareness can organizations resist this new wave of trust-based phishing attacks.


Mine2 Team

The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.
