
Three Security Wrappers, One Redirect to a Google Docs Phishing Page

ID: 2f123f1f-3ec6-5121-ac2d-9d7d2592d3e7

STIX ID: report--2f123f1f-3ec6-5121-ac2d-9d7d2592d3e7

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-06-20

Date Updated: 2026-06-20

Author: [email protected] (Audian Paxson)


A high-severity credential-harvesting phishing campaign impersonated an internal document share. Its single CTA link was routed through Oracle EdgePilot and Barracuda LinkProtect to an attacker-controlled domain, and finally to a Google Slides payload. The message failed SPF/DKIM/DMARC but was still delivered to the inbox due to intermediary relay behavior; IRONSCALES' Themis flagged it at 84% confidence. The report includes MITRE mappings and IoCs (sender, redirect domain, wrappers, sending IPs) and highlights how link-protection services were abused as camouflage.
