Kratos Phishing Kit Targets Outpost24 Executive in Seven-Stage Attack

March 20, 2026

A C-suite executive at Swedish cybersecurity firm Outpost24 was targeted in a sophisticated phishing campaign that used trusted brands such as Cisco and JP Morgan in a seven-stage redirect chain, ultimately leading to a fake Microsoft Office login page designed to steal credentials. The attack failed, but it demonstrates how threat actors are exploiting legitimate infrastructure to evade detection.

The campaign was detected on March 13, 2026, and no credentials were compromised. The attack used the newly identified Kratos phishing-as-a-service (PhaaS) kit, which enables low-skilled attackers to deploy sophisticated credential-theft operations that were previously limited to advanced threat actors.

The Attack Chain Exploited Trusted Infrastructure at Every Stage

The phishing email impersonating JP Morgan appeared to be part of an existing email thread and included DomainKeys Identified Mail signatures to increase its legitimacy. When the target clicked the embedded document link, the request was routed through Cisco’s legitimate secure-web.cisco.com infrastructure, then through the Nylas email API platform before bouncing through a compromised third-party server and a repurposed domain.

The final stage implemented an anti-bot validation page hosted via Cloudflare that blocked automated security tools and sandbox environments from inspecting the site. Only real human users were presented with the fake Microsoft 365 login page designed to harvest credentials. Hector Garcia, senior threat intelligence analyst at Outpost24, confirmed that “the attackers appear to have used a phishing-as-a-service kit called Kratos to execute the attack.”

The attack demonstrates a troubling evolution in phishing tactics. By chaining redirects through widely trusted services, attackers can systematically prevent automated security scanners and reputation-based filters from blocking malicious URLs. The approach is effective because it exploits human psychology rather than technical vulnerabilities.

Kratos Makes Sophisticated Attacks Accessible to Low-Skilled Actors

Kratos represents a significant escalation in the industrialisation of cybercrime. According to Microsoft, a single PhaaS platform called Tycoon 2FA was the most prolific phishing platform observed in 2025. Separately, Netcraft reported a sharp rise in PhaaS activity, with over 17,500 phishing domains targeting 316 brands across 74 countries. Kratos operates within this rapidly expanding PhaaS ecosystem.

The kit is engineered for operational resilience, with a decoupled architecture and decentralised data exfiltration via Telegram, ensuring campaigns can persist even after law enforcement takedowns. This also makes attribution particularly difficult: Outpost24 researchers could not link the attack to a specific threat group because “the infrastructure was dismantled quickly.”

Security Vendors Are High-Value Targets

The targeting of Outpost24 reflects a broader pattern of attacks against cybersecurity firms. Security vendors are often attractive targets because they are deeply integrated into customer environments and inherently trusted by users and systems. A successful compromise of a single executive account at a security vendor could have opened access pathways into multiple client organisations.

Martin Jartelius, Product Director at Outpost24, argues that traditional defences are insufficient against these threats: “The idea that a password or even a password plus a standard multi-factor authentication prompt is adequate defence against a persistent, well-resourced adversary is increasingly difficult to sustain.”

The comment is blunt but accurate. AI-assisted phishing is raising the baseline quality of social engineering to a level where even security-aware users will periodically fail. That is not user weakness; rather, it is a structural problem that requires architectural solutions rather than training fixes.

What Nordic Companies Should Do Now

Deploy device-bound Zero Trust access controls that prevent compromised credentials alone from providing meaningful access. Traditional MFA is no longer sufficient when attackers can intercept or bypass authentication prompts through real-time phishing proxies.

Monitor for the technical indicators that Kratos campaigns typically exhibit: multi-stage redirects through legitimate services, anti-bot validation pages, and domain re-registration patterns where expired domains are quickly reacquired and issued new TLS certificates. The domain used in the Outpost24 attack, www-0159.com, was re-registered on March 12, 2026, five days after its previous certificate expired on March 7.
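As an added illustration of how those three indicators can be checked together (this is example code written for this article, not Outpost24's tooling), the following scorer takes a resolved redirect chain plus registration and certificate dates for the final domain and lists which Kratos-style patterns it matches. The trusted-redirector list, anti-bot phrases and thresholds are assumptions; the sample chain is constructed, with only the first and last hostnames and the dates taken from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

# Trusted services the article notes were abused as redirectors (assumed list).
TRUSTED_REDIRECTORS = {"secure-web.cisco.com"}
# Constructed phrases treated as a sign that a hop is a human-verification gate.
ANTI_BOT_MARKERS = ("verify you are human", "checking your browser")
MIN_SUSPICIOUS_HOPS = 4            # assumed threshold
MAX_REREGISTRATION_GAP_DAYS = 30   # assumed threshold

@dataclass
class Hop:
    url: str
    body_snippet: str = ""  # text seen at that hop, if any

@dataclass
class DomainRecord:
    name: str
    registered_on: date
    previous_cert_expired_on: Optional[date] = None

def score_chain(hops: List[Hop], final: DomainRecord) -> List[str]:
    """Return the Kratos-style indicators present in a redirect chain."""
    findings = []
    hosts = {urlparse(h.url).hostname or "" for h in hops}
    if len(hops) >= MIN_SUSPICIOUS_HOPS:
        findings.append(f"{len(hops)}-stage redirect chain")
    abused = sorted(hosts & TRUSTED_REDIRECTORS)
    if abused:
        findings.append("redirects via trusted services: " + ", ".join(abused))
    if any(m in h.body_snippet.lower() for h in hops for m in ANTI_BOT_MARKERS):
        findings.append("anti-bot validation page in chain")
    if final.previous_cert_expired_on is not None:
        gap = (final.registered_on - final.previous_cert_expired_on).days
        if 0 <= gap <= MAX_REREGISTRATION_GAP_DAYS:
            findings.append(f"{final.name} re-registered {gap} days after its cert expired")
    return findings

# Constructed chain with the shape of the article's seven stages; the paths and
# intermediate hosts are placeholders, only the first and last hosts are from it.
SAMPLE_CHAIN = [
    Hop("https://secure-web.cisco.com/link"), Hop("https://mail-api.example/t"),
    Hop("https://mail-api.example/r"), Hop("https://compromised.example/go"),
    Hop("https://www-0159.com/"), Hop("https://www-0159.com/check", "Verify you are human"),
    Hop("https://www-0159.com/login"),
]
SAMPLE_DOMAIN = DomainRecord("www-0159.com", date(2026, 3, 12), date(2026, 3, 7))
```

Calling `score_chain(SAMPLE_CHAIN, SAMPLE_DOMAIN)` returns all four indicators for the constructed chain; a single-hop chain to a long-registered domain returns an empty list.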

Executive teams at Nordic security vendors should treat themselves as high-priority targets. The attempt against Outpost24 was detected because its threat intelligence team was monitoring for exactly this type of attack. Companies without dedicated threat intelligence capabilities should assume they are already being targeted.
