A sophisticated cyberattack campaign has been uncovered, where threat actors are exploiting Cloudflare’s security features to clandestinely harvest Microsoft 365 credentials. This campaign highlights a concerning trend where attackers turn protective technologies into tools for malicious activities.
The Campaign’s Tactics
Cloudflare is well-regarded for its anti-bot protections and DDoS mitigation, but its features can sometimes hinder security efforts. Attackers have leveraged these features, including human verification and IP filtering, to obfuscate their phishing sites from detection. DomainTools identified this campaign, which used the domain securedsnmail[.]com as the victim’s entry point.
After a user lands on the site, a series of gatekeeping measures, starting with Cloudflare’s human verification checks, are employed to block automated systems. The attackers then examine the visitor’s IP address against a blocklist of known security vendors, effectively bypassing scrutiny from organizations like Palo Alto Networks and FireEye.
Advanced Phishing Techniques
The phishing page also employs a user-agent inspection, dynamically serving a fake ‘404 Not Found’ error to known web crawlers, preventing indexing by search engines and security tools. Once these checks are cleared, users are led to a sophisticated credential harvesting script.
This script uses a custom virtual machine function to hide its logic, evading conventional static code analysis. If a security tool is detected during the session, the script redirects to a legitimate site like Google.com, erasing any trace of malicious activity.
Security Implications and Recommendations
The malicious sites, hosted on Cloudflare and registered through Namecheap, share a static Cloudflare Turnstile sitekey. This identifier could potentially help security teams track and neutralize similar threats across platforms like Shodan and Censys.
Indicators of compromise in this campaign include domains such as securedsnmail[.]com and suitetosecured[.]com. The campaign stresses the need for service providers to implement robust Know Your Customer (KYC) measures and refine their defensive features to prevent misuse.
As cybercriminals become adept at manipulating legitimate platforms, it’s crucial for these platforms to adopt proactive security measures alongside traditional defenses.
Stay informed about the latest cybersecurity developments by following us on Google News, LinkedIn, and X. Contact us to share your stories.
