How Threat Actors Exploit Redirect Chains to Bypass Spam Filters

September 25, 2025

The Riddle Technologies platform was abused to host malicious redirect chains, leading victims through a CAPTCHA to Gmail credential-harvesting pages.


Threat actors leveraged the Riddle Technologies AG platform to obfuscate malicious URLs in email and bypass spam filters. The email template mimicked an encrypted Mimecast message: shconsult.ing/njZs4vtm

All embedded links redirected to an intermediary landing page hosted on Riddle, which in turn pointed to a phishing page hosted under the .sa[.]com TLD managed by CentralNic Registry: shconsult.ing/81QRbk2w

Victims clicking "sign documents" were routed through a CAPTCHA before reaching a credential-harvesting page impersonating the Gmail login: shconsult.ing/f48zvJb5

The campaign relied on redirect chains, abusing legitimate infrastructure so that the link visible to a spam filter points at a reputable host while the final malicious endpoint stays hidden behind one or more hops.

Forensic analysis indicates the spoofed domain has been active for at least 26 days: shconsult.ing/45x9g0c3
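A defender inspecting URLs from mail like this needs to resolve the chain hop by hop rather than judge the first link alone. The following added example (not code from the original post or from Riddle) follows a redirect chain without auto-following, then flags chains that bounce through a trusted intermediary to an unrelated final domain; the hop map and all hostnames are constructed stand-ins, and `fetch` would be a `requests.head(url, allow_redirects=False)` wrapper against live targets.

```python
from __future__ import annotations
from typing import Callable
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}

def registrable_domain(url: str) -> str:
    """Crude registrable domain (last two labels), enough to compare hops."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def follow_chain(url: str, fetch: Callable, max_hops: int = 10) -> tuple[list[str], int, bool]:
    """Return (hops, final_status, truncated). fetch(url) must give (status, Location or None)
    WITHOUT following redirects itself, e.g. requests.head(url, allow_redirects=False)."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        status, location = fetch(hops[-1])
        if status not in REDIRECTS or not location:
            return hops, status, False
        nxt = urljoin(hops[-1], location)  # resolve relative Location headers
        if nxt in seen:                    # redirect loop: stop, report truncated
            return hops, status, True
        seen.add(nxt)
        hops.append(nxt)
    return hops, 0, True                   # gave up after max_hops; status unknown

def flag_chain(hops: list[str], truncated: bool, trusted: set[str]) -> list[str]:
    """Reasons the chain deserves analyst attention (empty list means nothing odd)."""
    domains = list(dict.fromkeys(registrable_domain(h) for h in hops))
    reasons = [f"crosses {len(domains)} distinct domains"] if len(domains) >= 3 else []
    via = [d for d in domains[1:-1] if d in trusted]
    if via and domains[-1] not in trusted:
        reasons.append(f"bounces through trusted {via[0]} to unrelated {domains[-1]}")
    if truncated:
        reasons.append("chain truncated (redirect loop or too many hops)")
    return reasons

# Constructed hop map standing in for live HTTP responses; none of these hosts are real.
HOPS = {
    "https://go.mailer.test/a1": (302, "https://quiz.platform.test/r/1"),
    "https://quiz.platform.test/r/1": (302, "/land?next=https%3A%2F%2Flogin.phish.test%2Fsign"),
    "https://quiz.platform.test/land?next=https%3A%2F%2Flogin.phish.test%2Fsign": (302, "https://login.phish.test/sign"),
    "https://login.phish.test/sign": (200, None),
}

def demo() -> tuple[list[str], int, list[str]]:
    hops, status, truncated = follow_chain("https://go.mailer.test/a1", lambda u: HOPS.get(u, (404, None)))
    return hops, status, flag_chain(hops, truncated, trusted={"platform.test"})
```

Treating a chain as suspicious only when the final domain differs from the trusted intermediary keeps ordinary tracker-to-vendor redirects quiet while still surfacing the pattern described above.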
