Attackers are exploiting Cisco’s reputational trust, weaponizing Safe Links to disguise phishing attacks. The result is malicious links passing deep scanning and reaching users under the guise of legitimacy.
Cybercriminals have exploited Cisco's Safe Links technology, a component of Cisco's Secure Email Gateway and Web Security suite, to conduct sophisticated phishing attacks. The attackers are weaponizing Safe Links to bypass email filters and trick users into clicking malicious links masked by Cisco's domain name.
Cisco Safe Links rewrites URLs in incoming emails so that links pass through Cisco’s scanning infrastructure before reaching users. Attackers have capitalized on this rewrite mechanism to disguise phishing links, embedding malicious URLs within seemingly legitimate secure-web.cisco.com links. Because enterprise email systems and web gateways typically trust Cisco domains, these embedded threats often evade detection.
Raven AI, a security analysis firm (formerly Ravenmail), uncovered that attackers are obtaining these Safe Links through various methods:
These links then serve as “trusted” conduits for directing targets to phishing websites.
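Because of the rewrite mechanism described above, a filter that judges a link by its host alone sees only the Cisco wrapper. The sketch below is an added example, not code from the article, Raven AI, or Cisco. It unwraps such links and scores the embedded destination instead. The `/<token>/<percent-encoded URL>` path layout, the sample links, and the host lists are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

WRAPPER_HOSTS = {"secure-web.cisco.com"}  # rewrite domain named in the article
MAX_DEPTH = 5  # stop on pathological wrapper-inside-wrapper chains

def unwrap(url, depth=0):
    """Return the innermost destination URL, or None if it cannot be recovered."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed URL: nothing trustworthy to extract
    if (parts.hostname or "").lower() not in WRAPPER_HOSTS:
        return url  # not a rewritten link: judge it as-is
    if depth >= MAX_DEPTH:
        return None
    # ASSUMED layout: /<token>/<percent-encoded original URL>
    segments = parts.path.split("/", 2)
    embedded = unquote(segments[2]) if len(segments) == 3 else ""
    if embedded.lower().startswith(("http://", "https://")):
        return unwrap(embedded, depth + 1)
    return None

def verdict(url, blocked_hosts, trusted_hosts):
    """Score a link by its real destination; the wrapper host never earns 'allow'."""
    dest = unwrap(url)
    if dest is None:
        return "review"  # a wrapper that hides its destination gets no free pass
    host = (urlsplit(dest).hostname or "").lower()
    if host in blocked_hosts:
        return "block"
    return "allow" if host in trusted_hosts else "review"

# Constructed sample data: tokens and hosts are made up, not real indicators.
BLOCKED = {"login.phish.example"}
TRUSTED = {"intranet.corp.example"}
SAMPLE_LINKS = [
    "https://secure-web.cisco.com/1AbCdConstructed/https%3A%2F%2Flogin.phish.example%2Fsession%3Fid%3D1",
    "https://secure-web.cisco.com/1ZyXwConstructed/https%3A%2F%2Fintranet.corp.example%2Fwiki",
    "https://secure-web.cisco.com/1NoDestConstructed/",
    "https://docs.partner.example/report.pdf",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(verdict(link, BLOCKED, TRUSTED), unwrap(link))
```

The point of `verdict` is that the wrapper domain is never consulted for reputation: a rewritten link is only as trustworthy as the host it ultimately points to.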
Phishing is a cyberattack technique where attackers trick individuals into revealing sensitive information, such as usernames, passwords, or financial details, by masquerading as a trustworthy entity. Traditionally, phishing emails use fake websites or domains that resemble legitimate services.
To identify a phishing attack, the following should be noted:
According to Cybersecurity News, “The primary techniques include compromising accounts within Cisco-protected organizations to generate Safe Links by emailing themselves malicious URLs, exploiting cloud services that send emails through Cisco-protected environments, and recycling previously generated Safe Links from earlier campaigns.” It further states that “When users see URLs beginning with secure-web[.]cisco.com, they instinctively trust the link due to Cisco’s reputation in cybersecurity, creating what researchers term ‘trust by association.’”
Traditional phishing often relies on obviously suspicious domains. This attack leverages the trust in Cisco’s security infrastructure itself, making it harder for both automated filters and users to recognize the threat.
Employees who receive a suspicious link should avoid clicking it, report the email to their IT or security team, and verify the legitimacy of the sender through other communication channels.
Companies can use a multi-layered approach: