Why do legitimate tools like form services make phishing harder to detect?

Because they create an intermediate step that looks ordinary to scanners and users before the real credential page appears. If security controls only inspect the first click or final domain, they miss the detection bypass. Teams need to evaluate the entire path, including CAPTCHA pages, shorteners, and embedded forms.

Why This Matters for Security Teams

Legitimate form services, CAPTCHA gates, link shorteners, and embedded survey tools are effective because they borrow trust from widely used business infrastructure. Security tools often classify them as low risk when the first hop is a reputable domain, even though the real objective is to move a target into a credential harvest flow later in the path. That creates a detection gap between URL reputation and user intent, which is exactly where modern phishing campaigns hide. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that abuse often begins with infrastructure that appears legitimate. Current guidance from the NIST Cybersecurity Framework 2.0 supports looking beyond a single indicator and evaluating the full path of trust. In practice, many security teams discover these campaigns only after users have already passed through the benign-looking intermediary step, rather than catching them up front with deliberate blocklists.

How It Works in Practice

Attackers use ordinary SaaS services to create a staged delivery chain. The first page may be a form, survey, file request, or human-verification screen that looks harmless to automated scanners. A later redirect, embedded script, or uploaded field then presents the actual credential prompt. That means a verdict based only on the first URL, reputation score, or screenshot is incomplete. The relevant question is not “is this domain trusted?” but “what sequence of actions is this page enabling?”

Operationally, teams need to inspect the entire navigation path and preserve context across hops. Useful controls include:

  • Detonating links in a sandbox that follows redirects, scripts, and form submissions.
  • Logging intermediate pages, not just the final destination.
  • Scoring domains and embedded resources separately, since a trusted wrapper can host risky content.
  • Watching for CAPTCHA, shorteners, and survey tools used as delay tactics before login harvesting.
  • Correlating the message source, form host, and landing page rather than treating them as isolated events.
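The controls above can be combined into a single path-level verdict. The following is an added example, not code from the original article or from NHI Management Group: it scores each hop a sandbox recorded, scores embedded resources separately from the hosting domain, correlates the credential host with the message sender, and shows that the same chain judged on its first hop alone would be allowed. The wrapper host list, sender domain and sample path are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed assumption: hostnames your organisation treats as legitimate
# wrapper services (form hosts, shorteners, CAPTCHA gates). Illustrative only.
WRAPPER_HOSTS = {"forms.example-saas.com", "short.example-link.io",
                 "captcha.example-gate.net"}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def analyse_chain(hops, sender_domain):
    """Score every hop a sandbox recorded, not only the first URL.
    hops: list of dicts with 'url', 'has_password_field', 'embedded_hosts',
    in the order the sandbox followed redirects and form submissions.
    Returns (verdict, findings); findings are (hop_index, host, reason).
    """
    findings, wrapper_seen = [], False
    for i, hop in enumerate(hops):
        host = host_of(hop["url"])
        if host in WRAPPER_HOSTS:
            wrapper_seen = True
            findings.append((i, host, "trusted wrapper"))
        # Embedded resources are scored separately from the hosting domain:
        # a trusted wrapper can still pull content from an unrelated host.
        for emb in hop.get("embedded_hosts", []):
            if emb not in WRAPPER_HOSTS and emb != host:
                findings.append((i, emb, "third-party resource inside hop"))
        if hop.get("has_password_field"):
            # Correlate the credential host with the message sender's domain.
            related = host == sender_domain or host.endswith("." + sender_domain)
            if wrapper_seen and host not in WRAPPER_HOSTS and not related:
                findings.append((i, host, "credential prompt after wrapper"))
                return "block", findings
            findings.append((i, host, "credential prompt"))
    suspicious = any(r != "trusted wrapper" for _, _, r in findings)
    return ("review" if suspicious else "allow"), findings

# Constructed sample path: shortener -> form service -> harvesting page.
PHISH_PATH = [
    {"url": "https://short.example-link.io/a1b2", "has_password_field": False,
     "embedded_hosts": []},
    {"url": "https://forms.example-saas.com/f/verify", "has_password_field": False,
     "embedded_hosts": ["cdn.example-attacker.net"]},
    {"url": "https://portal.example-attacker.net/signin", "has_password_field": True,
     "embedded_hosts": []},
]

if __name__ == "__main__":
    print(analyse_chain(PHISH_PATH[:1], "example-partner.com"))  # first hop only
    print(analyse_chain(PHISH_PATH, "example-partner.com"))      # full path
```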

This is where NHI thinking helps. Legitimate services often run on API keys, service accounts, and automation tokens, so defenders should assume the page itself may be a workflow operated by a non-human identity rather than a static website. The Top 10 NHI Issues resource is useful here because it frames visibility and lifecycle control as first-class security problems, not back-office hygiene. Teams also need to map these campaigns to the broader governance model described in the NHI Lifecycle Management Guide, especially where third-party automation and shared tokens are in play. These controls tend to break down when mail gateways or secure web proxies cannot execute interactive flows and therefore never observe the post-form credential stage.

Common Variations and Edge Cases

Tighter inspection of multi-step links often increases user friction and alert volume, so teams must balance stronger detection against the risk of blocking legitimate business workflows. That tradeoff matters because many of the same services are used for sales forms, HR intake, customer support, and event registration, which means blanket blocking is rarely sustainable.

Best practice is evolving, and there is no universal standard for this yet. Some organisations treat all form-hosting or short-link services as risky by default, while others apply conditional access based on sender reputation, brand context, and user population. The right answer usually depends on whether the organisation can safely render and evaluate interactive content at scale. For high-risk cohorts, the stronger approach is to require real-time analysis of every redirect and submitted field, not just the initial domain. For broader populations, security teams may need allowlists with tight monitoring, plus alerting on unusual form-to-login transitions. The practical lesson is that “legitimate service” does not equal “safe message,” especially when the service is being used as a delivery wrapper for a later credential prompt.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 |                     | Covers deceptive multi-step interactions that hide malicious intent behind benign tools.
CSA MAESTRO             |                     | Addresses trust boundaries and runtime evaluation across chained services and automations.
NIST AI RMF             |                     | Supports risk evaluation based on context and downstream impact rather than static indicators.

Evaluate each interaction step, not just the first URL, before allowing the workflow to continue.