The Ultimate Betrayal: How Attackers Are Weaponizing Cisco’s Own Safe Links to Phish Users
Cybercriminals have discovered a way to weaponize Cisco’s own security mechanisms against its users. Researchers at Raven have documented a credential theft campaign in which attackers learned to exploit Cisco’s Safe Links technology—a tool embedded within email traffic filtering systems that rewrites suspicious links, redirecting them through Cisco’s infrastructure for inspection.
The core of the attack lies in misplaced trust. Both users and security systems implicitly regard the domain “secure-web.cisco.com” as safe. This very trust has been turned into a weapon: adversaries now cloak their malicious activity behind links carrying this prefix, deceiving both filters and human recipients.
Raven experts observed multiple techniques used by attackers to generate legitimate-looking Safe Links suitable for phishing campaigns. The most common involves hijacking corporate accounts already protected by Cisco, sending malicious emails to themselves, and then reusing the automatically generated Safe Links in targeted operations. Other methods include leveraging third-party services that dispatch mail through Cisco’s infrastructure, as well as recycling previously created Safe Links that remain valid.
One recent example involved an email disguised as a document review request, styled to resemble a professional e-signature service. The message was crafted with corporate branding and polished business language. Traditional email filters failed to block it because the link pointed to a Cisco domain. Only a deeper analysis—taking into account not just technical indicators but also the context of the business correspondence—revealed subtle anomalies: suspicious URL parameters and inconsistencies in organizational workflows.
The danger is that such attacks appear flawless from a purely technical perspective. The malice resides not in counterfeit domains or crude indicators, but in the manipulation of context and behavior. Since most security systems focus heavily on domain reputation, links routed through Cisco’s trusted domains are often allowed through without scrutiny. This represents a profound shift in cybercriminal methodology: rather than exploiting vulnerabilities in code, they increasingly exploit trust in established brands and familiar processes.
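An added defender-side example, not code from Raven, Cisco or this article: a small Python checker that unwraps a rewritten link and scores the real destination instead of the wrapper host, which is exactly the step a reputation-only filter skips. The wrapper host secure-web.cisco.com comes from the article; the link layout (a token segment followed by the percent-encoded original URL), the vendor allowlist, the keyword list and every sample link are constructed assumptions and must be adjusted to what your own gateway actually emits. It also handles two edge cases the article implies: a Safe Link that wraps another Safe Link (a recycled link) and a wrapper with no recoverable destination.

```python
"""
Added defender-side example (not code from Raven, Cisco or the article):
score the real destination behind a rewritten "Safe Link" rather than
trusting the wrapper host.

Constructed assumptions, adjust to what your gateway actually emits:
  * rewritten links live on secure-web.cisco.com
  * the original destination is embedded, percent-encoded, after the host
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

WRAPPER_HOST = "secure-web.cisco.com"

# Registrable domains of vendors the organisation really uses
# (constructed allowlist; in practice fed from procurement/asset data).
KNOWN_VENDOR_DOMAINS = {"example-vendor.com", "corp.example"}

# Path tokens that, on an unknown host, suggest a credential-harvest page.
HARVEST_TOKENS = ("login", "signin", "verify", "password")

# First embedded http(s) URL, plain or percent-encoded, up to end of string.
_EMBEDDED = re.compile(r"https?(?:://|%3a%2f%2f).*", re.IGNORECASE)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _registered_domain(host: str) -> str:
    """Crude registrable-domain approximation (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unwrap(link: str, max_depth: int = 5) -> tuple[str, int]:
    """Peel wrapper layers, one percent-decode per layer.

    Returns (innermost URL, number of wrapper layers removed). Stops at
    max_depth so a recursively wrapped link cannot loop forever.
    """
    current, layers = link, 0
    while layers < max_depth:
        if (urlparse(current).hostname or "").lower() != WRAPPER_HOST:
            break
        tail = current[current.lower().find(WRAPPER_HOST) + len(WRAPPER_HOST):]
        match = _EMBEDDED.search(tail)
        if not match:
            break  # wrapper with no recoverable destination
        current, layers = unquote(match.group(0)), layers + 1
    return current, layers


def analyze(link: str) -> dict:
    """Return the unwrapped destination and a list of anomaly flags."""
    destination, layers = unwrap(link)
    parsed = urlparse(destination)
    host = (parsed.hostname or "").lower()
    flags = []

    if host == WRAPPER_HOST:
        flags.append("unresolvable_wrapper")
    if layers > 1:
        flags.append("nested_wrapper")  # a Safe Link pointing at a Safe Link
    if host and host != WRAPPER_HOST and _registered_domain(host) not in KNOWN_VENDOR_DOMAINS:
        flags.append("destination_not_allowlisted")
        # A known vendor's name reused as a subdomain of someone else's domain.
        if any(v in host for v in KNOWN_VENDOR_DOMAINS):
            flags.append("vendor_name_in_foreign_domain")
        if any(t in parsed.path.lower() for t in HARVEST_TOKENS):
            flags.append("credential_page_keywords")
    # A pre-filled identity in the query string is a classic harvest-page tell.
    for values in parse_qs(parsed.query).values():
        if any(_EMAIL.match(v) for v in values):
            flags.append("identity_prefilled_in_query")
            break

    return {"destination": destination, "host": host, "layers": layers, "flags": flags}


# Constructed sample links; tokens and hosts are invented for illustration.
SAMPLE_LINKS = {
    "legitimate": "https://secure-web.cisco.com/1AbCdEfTOKEN/https%3A%2F%2Fdocs.example-vendor.com%2Freview%2F123",
    "phish": "https://secure-web.cisco.com/1XyZ987TOKEN/https%3A%2F%2Fexample-vendor.com.review-docs.invalid%2Flogin%3Fuser%3Dvictim%40corp.example",
    "nested": "https://secure-web.cisco.com/1OUTERTOKEN/https%3A%2F%2Fsecure-web.cisco.com%2F1INNERTOKEN%2Fhttps%253A%252F%252Fexample-vendor.com.review-docs.invalid%2Flogin",
    "bare": "https://secure-web.cisco.com/1TOKENONLY",
}


def demo() -> dict:
    """Analyze every constructed sample and return the results by name."""
    return {name: analyze(link) for name, link in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} layers={result['layers']} host={result['host']} flags={result['flags']}")
```

The point of the design is that the verdict is computed on the unwrapped host and its path and query, so the wrapper's reputation never enters the decision; the allowlist and keyword heuristics are deliberately simple stand-ins for the contextual checks (known vendors, expected workflows) the article says are needed.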
The findings underscore that traditional defenses—signatures and reputation databases—are powerless against threats masquerading as legitimate business operations. What becomes crucial is the deployment of context-aware, AI-driven systems capable of identifying behavioral anomalies and validating the business logic of communications. Without such solutions, organizations risk overlooking campaigns that outwardly appear legitimate yet ultimately lead to credential theft.