NEWS Hackers Forced Cisco to Attack Its Own Customers

ExcalibuR
Joined Jan 17, 2025


Excessive trust turned into a trap. Traditional detection methods are powerless.

Cybercriminals have found a way to turn one of Cisco's defense mechanisms against the very users it protects. Researchers at Raven have documented a credential theft campaign in which attackers abuse Cisco's Safe Links feature. Safe Links is part of Cisco's email filtering stack: it rewrites links in inbound mail so that each click is routed through Cisco's own infrastructure for analysis before the user reaches the destination.

The attack rests on the fact that both users and security tools inherently trust the domain "secure-web.cisco.com" and treat any link that starts with it as safe. A rewritten Safe Link still carries the attacker's real destination inside it, but the visible host is Cisco's. That trust is exactly what has been weaponized: the attackers hide behind links with this prefix to deceive filters and people alike.

Raven's researchers documented several techniques the attackers use to obtain legitimate-looking Safe Links for their campaigns. Most often they compromise an account at a company protected by Cisco and send the malicious email to themselves; Cisco rewrites the link as designed, and the resulting Safe Link is then used in targeted campaigns against other organizations. They have also been seen abusing third-party services that send mail through Cisco's infrastructure, and reusing previously generated Safe Links that still resolve.

One recent example was an email requesting a document review, disguised as a notification from an electronic signature service. It looked highly professional, with corporate branding and business language. Standard email filters did not fire because the link's address sat in a Cisco domain. Only a detailed analysis that weighed the context of the business correspondence alongside the technical indicators exposed the discrepancies: suspicious parameters in the URL and a request that did not fit the recipient's normal business processes.

The danger is that such attacks look technically flawless. The malicious intent is hidden in behavior and context rather than in familiar indicators such as spoofed domains. Most defense systems focus precisely on domain reputation, so links in Cisco domains are waved through automatically. This marks a qualitative shift in criminal tradecraft: increasingly, what is exploited is not a vulnerability in code but trust in well-known brands and familiar processes.
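The check a reputation-only filter skips here is to look past the wrapper host at where the link really goes. The following is an added example, not code from Cisco or from Raven's research. It assumes the rewrite shape commonly seen in Cisco-protected mail, where the original destination is appended, percent-encoded, after a token under secure-web.cisco.com; the token, the lure host esign-docs-review.example.net and the stand-in brand domain esign.example are all made up for the example. It unwraps the link (following a wrapper inside a wrapper, which a reused Safe Link can produce) and then judges the real destination against the brand the message claims to come from, which is the kind of context check the article describes.

```python
"""Unwrap Safe Links-style rewritten URLs and judge the real destination.

Added example, not Cisco's or Raven's code. Assumed rewrite shape:
    https://secure-web.cisco.com/<token>/<percent-encoded original URL>
If your tenant emits a different layout, adjust unwrap_safe_link().
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

SAFE_LINKS_HOSTS = {"secure-web.cisco.com"}
MAX_UNWRAP_DEPTH = 5  # guard against wrapper-inside-wrapper loops

# Constructed samples: the token and hosts are made up; "esign.example" stands in
# for whichever e-signature service the lure impersonates (assumption).
CLAIMED_BRAND = ["esign.example"]
BRAND_KEYWORDS = ["esign"]
LURE_LINK = (
    "https://secure-web.cisco.com/1AbCdEfGhIjKlMnOpQrStUv/"
    "https%3A%2F%2Fesign-docs-review.example.net%2Fview%3Fdoc%3D42"
)
GENUINE_LINK = (
    "https://secure-web.cisco.com/1ZzYyXxWwVvUuTtSsRrQq/"
    "https%3A%2F%2Fapp.esign.example%2Fsign%2F42"
)


def visible_host(url: str) -> str:
    """What a naive reputation check sees: the host in the link as written."""
    return (urlsplit(url).hostname or "").lower()


def unwrap_safe_link(url: str) -> Optional[str]:
    """Return the destination embedded in a Safe Links wrapper, or None if the
    URL is not a wrapper of the assumed shape."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in SAFE_LINKS_HOSTS:
        return None
    # Path looks like "/<token>/https%3A%2F%2Fdest..."; drop the token segment.
    segments = parts.path.split("/", 2)
    if len(segments) < 3 or not segments[2]:
        return None
    embedded = segments[2]
    if parts.query:  # a literal '?' means the destination's query survived unencoded
        embedded += "?" + parts.query
    dest = unquote(embedded)
    return dest if dest.startswith(("http://", "https://")) else None


def final_destination(url: str) -> str:
    """Follow nested wrappers until a non-wrapper URL is reached."""
    current = url
    for _ in range(MAX_UNWRAP_DEPTH):
        inner = unwrap_safe_link(current)
        if inner is None:
            break
        current = inner
    return current


def host_in_domains(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url: str, claimed_brand_domains, brand_keywords=()) -> dict:
    """Judge a link by where it really goes, not by the wrapper domain."""
    dest = final_destination(url)
    host = visible_host(dest)
    reasons = []
    on_brand = host_in_domains(host, claimed_brand_domains)
    if not on_brand:
        reasons.append(f"destination host {host!r} is not one of the claimed brand's domains")
    if not on_brand and any(k in host for k in brand_keywords):
        reasons.append("brand keyword appears in a lookalike host")
    return {
        "wrapped": dest != url,
        "visible_host": visible_host(url),
        "destination": dest,
        "destination_host": host,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for link in (LURE_LINK, GENUINE_LINK):
        print(assess_link(link, CLAIMED_BRAND, BRAND_KEYWORDS))
```

Run it as a script to see both verdicts. In a mail pipeline, feed every extracted link through assess_link and route anything flagged suspicious, or any wrapped link whose destination is off-brand for the sender the message claims to be, to manual review. The wrapper host by itself says nothing about intent: a Safe Link is only as trustworthy as the mailbox that generated it.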

The findings underscore that the traditional approaches, signatures and reputation databases, are powerless against attacks disguised as legitimate business operations. Context-aware systems based on artificial intelligence, capable of recognizing behavioral anomalies and checking whether an email makes sense within the organization's business logic, are becoming increasingly important. Without such solutions, campaigns that look entirely legitimate on the surface but in reality lead to credential theft risk going unnoticed.