Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.