How Threat Actors Exploit Redirect Chains to Bypass Spam Filters

September 25, 2025

The Riddle Technologies platform was abused to host malicious redirect chains that led victims through a CAPTCHA to Gmail credential-harvesting pages.


Threat actors leveraged the Riddle Technologies AG platform to obfuscate malicious URLs in email and bypass spam filters. The email template mimicked an encrypted Mimecast message: shconsult.ing/njZs4vtm

All embedded links redirected to an intermediary landing page hosted on Riddle, and from there to a phishing page hosted under the .sa[.]com TLD, managed by CentralNic Registry: shconsult.ing/81QRbk2w

Victims who clicked "sign documents" were routed through a CAPTCHA before reaching a credential-harvesting page impersonating the Gmail login: shconsult.ing/f48zvJb5

The campaign employed redirect chains, abusing legitimate infrastructure to obscure malicious endpoints.
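One defensive check this pattern motivates: follow the redirect chain from a mailed link yourself, hop by hop, and flag links that cross several unrelated hosts or pass through an interstitial gate before landing. The Python below is an added example, not code from the original post or from Riddle or any other party named here. The hostnames, the offline fetch stub and the scoring heuristics are all constructed for illustration and are not the campaign's indicators.

```python
"""Resolve an HTTP redirect chain manually and score it for the layered
redirect shape described in the post (mail link -> hosted intermediary ->
gate -> landing page).  Added example; every host below is a placeholder."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample chain: URL -> (status, headers).  No network is used.
SAMPLE_RESPONSES = {
    "https://mail-link.example/open?id=42": (302, {"Location": "https://quiz.platform.example/p/abc"}),
    "https://quiz.platform.example/p/abc": (302, {"Location": "/p/abc/go"}),  # relative Location
    "https://quiz.platform.example/p/abc/go": (302, {"Location": "https://check.gate.example/captcha?next=1"}),
    "https://check.gate.example/captcha?next=1": (302, {"Location": "https://accounts.login.sa.example/signin"}),
    "https://accounts.login.sa.example/signin": (200, {"Content-Type": "text/html"}),
}


def sample_fetch(url):
    """Offline stand-in for a single HTTP request that does NOT follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def resolve_chain(url, fetch=sample_fetch, max_hops=MAX_HOPS):
    """Follow Location headers one at a time; return [(url, status), ...].

    Stops at the first non-redirect response, on a missing Location header,
    on a loop, or after max_hops (the unresolved redirect stays recorded)."""
    hops, seen, current = [], set(), url
    while len(hops) < max_hops:
        seen.add(current)
        status, headers = fetch(current)
        hops.append((current, status))
        if status not in REDIRECT_STATUSES:
            break
        location = headers.get("Location")
        if not location:
            break
        nxt = urljoin(current, location)  # resolves relative redirects
        if nxt in seen:
            break  # redirect loop; do not spin
        current = nxt
    return hops


def host_of(url):
    return urlsplit(url).hostname or ""


def score_chain(hops, max_hosts=2):
    """Heuristic triage of a resolved chain.  Thresholds and the 'captcha'
    path marker are assumptions for this example, not a published standard."""
    hosts = []
    for u, _ in hops:
        h = host_of(u)
        if h not in hosts:
            hosts.append(h)
    final_url, final_status = hops[-1]
    findings = []
    if len(hosts) > max_hosts:
        findings.append(f"crosses {len(hosts)} distinct hosts")
    for i, (u, _) in enumerate(hops, 1):
        if "captcha" in u.lower():
            findings.append(f"passes through an interstitial gate (hop {i})")
    if any(u.startswith("http://") for u, _ in hops[1:]):
        findings.append("downgrades to plain HTTP mid-chain")
    if final_status in REDIRECT_STATUSES:
        findings.append("chain not resolved within hop limit")
    return {
        "hops": len(hops),
        "hosts": hosts,
        "final_url": final_url,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    chain = resolve_chain("https://mail-link.example/open?id=42")
    for i, (u, s) in enumerate(chain, 1):
        print(f"{i}: {s} {u}")
    print(score_chain(chain))
```

To run this against live mail links, replace `sample_fetch` with a HEAD request that disables automatic redirect following (for example `requests.head(url, allow_redirects=False)`) and pass it as `fetch`; keep the hop limit and loop check, since a hostile chain can otherwise keep a scanner busy indefinitely.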

Forensic analysis indicates the spoofed domain has been active for at least 26 days: shconsult.ing/45x9g0c3
