Phishing campaigns leveraging Cloudflare domains more than doubled between 2023 and 2024, Fortra revealed in a report published Monday.
Cloudflare’s Pages and Workers services, and their corresponding pages.dev and workers.dev domains, are ordinarily used by developers to test and deploy sites and applications using Cloudflare infrastructure, but can also be exploited by threat actors to host phishing pages using Cloudflare’s legitimate resources.
Cloudflare Pages allows users to host static websites for free at the pages.dev domain, delivering content through Cloudflare’s global Content Delivery Network (CDN) and providing SSL/TLS encryption, ensuring quick loading times around the world and secure HTTPS connections.
These features are beneficial to developers, but also to cybercriminals who may use the service to facilitate efficient phishing campaigns while making their malicious sites appear legitimate to both end users and URL filtering security systems.
Fortra observed attackers in the wild using pages.dev sites to redirect users to phishing sites imitating Microsoft log-in pages, spreading their redirect links through emails prompting targets to download work-related documents. In one attack, a linked PDF would redirect the user to a Microsoft OneDrive page, which further prompted the user to open a “Company Proposal” document. Clicking the “Open” button would actually send the user to a pages.dev page that would ultimately redirect to the fake log-in site.
The Fortra researchers also noted that the attacker in this campaign used bcc foldering to hide the nature of their attack, as the bcc field hides the list of recipients (i.e. the campaign’s other targets).
In 2023, Fortra’s Suspicious Email Analysis (SEA) team observed 460 incidents of phishing emails involving misuse of Cloudflare Pages, which nearly tripled in 2024 to 1,370 incidents as of mid-October. At a rate of 137 incidents per month, the total number of attacks could rise to more than 1,600 by the end of the year – a 257% increase year-over-year, the Fortra team noted.
Cloudflare Workers, which also has a free plan and provides serverless computing that enables developers to run JavaScript at the edge of the Cloudflare CDN, has also been abused by attackers to carry out phishing scams. The service makes it possible to execute code on the client side, which can greatly improve the performance of web applications but also makes it easier for attackers to evade network defenses, Fortra said.
In one example uncovered by Fortra, the attacker hosted a fake Microsoft Office 365 log-in page at a workers.dev domain that also included a human verification page, similar to a CAPTCHA, to add a greater illusion of legitimacy to the phishing page. Cloudflare Workers has also been used to conduct adversary-in-the-middle (AiTM) attacks in which the service acts as a reverse proxy to intercept sensitive information transmitted to an otherwise legitimate log-in page, which is mirrored to the victim via a workers.dev domain, Netskope revealed in a report earlier this year.
Just under 5,000 incidents of Cloudflare Workers being misused for phishing were detected by the Fortra SEA team in 2024, up 104% from 2,447 incidents in 2023. Should these attacks continue at the current average rate of nearly 500 attacks per month, total attacks could reach nearly 6,000 by the end of the year, Fortra reported – a total 145% increase year-over-year.
Fortra reported the instances of abuse to Cloudflare, which has already been working to combat misuse of its services through both user reporting mechanisms and its own threat and phishing detection systems.
“Despite these efforts, cybercriminals can still exploit the platform before malicious content is detected. The surge of 198% in attacks abusing Cloudflare Pages and the 104% increase in attacks on Cloudflare Workers highlight cybercriminals’ ongoing ability to discover new techniques and tactics to exploit these platforms,” the Fortra team wrote. “The risk is in how cybercriminals are misusing the service provider, and not in the technology itself.”
Fortra urges users to be wary of any site asking for credentials or other sensitive information and to verify the legitimacy of URLs (for example, noting whether a Microsoft log-in page is hosted at a real Microsoft domain rather than one of Cloudflare’s developer domains). The Fortra team also recommends enabling two-factor authentication on user accounts and reporting suspected phishing attempts that leverage Cloudflare domains to Cloudflare for further investigation and disruption of these campaigns.
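The URL check recommended above can be turned into a simple mail-triage rule. The following is an added example written for this article, not code from Fortra or Cloudflare: it flags links hosted on pages.dev or workers.dev and raises the severity when the subdomain or path carries brand or credential-lure words like those seen in the “Company Proposal” campaign. The lure-term list, the allowlist of genuine Microsoft sign-in hosts and the sample links are all assumed or constructed for the example.

```python
from urllib.parse import urlparse

# Cloudflare developer-platform domains named in the Fortra report
DEV_PLATFORM_SUFFIXES = ("pages.dev", "workers.dev")

# Brand and credential-lure terms (assumed list for this example); a real login
# for these brands is never served from a free developer domain
LURE_TERMS = ("microsoft", "office365", "onedrive", "outlook", "sharepoint",
              "login", "signin", "verify", "proposal")

# Hosts that legitimately serve Microsoft sign-in (assumed allowlist)
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


def dev_platform(host):
    """Return the developer-platform suffix the host sits under, or None."""
    for suffix in DEV_PLATFORM_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify_url(url):
    """Triage one URL pulled from an email body or attachment."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    platform = dev_platform(host)
    findings = []
    if host in LEGIT_LOGIN_HOSTS:
        return {"host": host, "platform": None, "severity": "none", "findings": []}
    if platform:
        findings.append(f"hosted on developer platform {platform}")
        # Search the customer-controlled labels and the path for lure words
        labels = host[: -len(platform)].rstrip(".")
        hits = sorted({t for t in LURE_TERMS if t in f"{labels} {parsed.path}".lower()})
        if hits:
            findings.append("brand/credential lure terms: " + ", ".join(hits))
    severity = "none" if not platform else ("high" if len(findings) > 1 else "medium")
    return {"host": host, "platform": platform, "severity": severity, "findings": findings}


def triage(urls):
    """Return the URLs that merit analyst review, highest severity first."""
    rank = {"high": 0, "medium": 1}
    flagged = [r for r in map(classify_url, urls) if r["severity"] != "none"]
    return sorted(flagged, key=lambda r: rank[r["severity"]])


# Constructed sample: links extracted from a "Company Proposal" lure email
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://microsoft-onedrive-proposal.pages.dev/open",
    "https://quiet-river-1f3a.workers.dev/",
    "https://example.com/newsletter",
]
```

Running `triage(SAMPLE_LINKS)` flags the pages.dev link as high and the bare workers.dev link as medium, while the genuine Microsoft sign-in host and the unrelated site pass.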