Fortra has observed a rising trend in legitimate service abuse, with a significant volume of attacks targeting Cloudflare Pages. Workers.dev is a domain used by Cloudflare Workers’ deployment services, while Pages.dev is used by Cloudflare’s Pages platform that facilitates the development of web pages and sites. Fortra’s Suspicious Email Analysis (SEA) team has identified different threats being hosted on this platform, including attacks such as phishing redirects, phishing pages and targeted email lists. This blog will discuss these attacks in detailed analysis, including examples of observed attack campaigns, and provide statistics that analyze the latest trends in the cyber threat landscape.
Fortra has reported this abuse to Cloudflare and will continue to do so.
Why Is Cloudflare Abuse Increasing?
Cloudflare Pages is a platform used to deploy web pages and is enticing to both legitimate developers and threat actors for most of the same reasons. The platform’s strong reputation, combined with their trusted branding, is attractive for attackers to exploit as it allows them to set up fake sites that appear legitimate by leveraging Cloudflare's infrastructure to deceive victims. Cloudflare’s global CDN ensures that phishing sites load quickly and reliably across regions, which increases the effectiveness and reach of attack campaigns. Additionally, the service provider offers free and easy-to-use hosting, enabling cybercriminals to quickly deploy phishing sites with minimal resources or technical skills. Cloudflare’s automatic SSL/TLS encryption also adds a layer of legitimacy to these phishing sites, as users are more likely to trust sites with secure HTTPS connections. Finally, attackers can leverage custom domains and URL masking to increase the authenticity of phishing sites, while Cloudflare’s reverse proxying renders it difficult for security controls to trace the origin of malicious content.
Cloudflare Pages Threats
Fortra frequently observes phishing redirects utilizing Cloudflare’s Pages.dev sites. Phishing redirects are carried out to conceal the phishing URL from detection by evading security measures. This attack tactic increases the likelihood of success in a phishing campaign as it deceives the user into believing they are clicking on a trusted link. These phishing campaigns tend to begin with an email, such as the example below, where the victim receives a request to review or download a document. The URL will typically download a fraudulent PDF document that contains a phishing redirect.

The next identified pattern is the use of bccfoldering as the primary method for sending these phishing emails rather than the cc field. Unlike the cc field, which displays the recipients, bccfoldering hides the recipients by adding them only to the email envelope, not the headers. This makes the recipients undetectable unless the server is configured to reveal them. The adversary uses this tactic to conceal the scale of the phishing campaign, since hidden recipients make it difficult to determine how large the campaign is.
In this specific example, clicking on the “Review Now” button will lead the user to a Microsoft OneDrive page that asks the user to download another document claiming to be a Company Proposal. The attacker leverages the Microsoft OneDrive page to increase the credibility of the fraudulent document. Since Microsoft is widely used for sharing work-related files, this tactic increases the likelihood of tricking the victim into downloading the fraudulent document. When hovering over the “Open” button, a malicious Cloudflare Pages URL is visible which redirects the user to the final page of the phishing attack.
The redirect URL leads the user to a Microsoft Office365 credential theft page where the victim’s credentials will be harvested. Harvested credentials may expose organizations to various risks such as data breaches, business email compromise, malware deployment, lateral movements, and privilege escalation.
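The two patterns above (links to Cloudflare deployment hostnames inside a lure and recipients carried only in the envelope) can be turned into a simple mail-triage heuristic. The following is an added example written for this post, not Fortra's own tooling; the sample message, sender and recipient addresses are constructed, and the check also covers the Workers.dev hostname discussed in the next section.

```python
# Added example (not Fortra's tooling): triage heuristics for the two patterns above.
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Hostnames the post names as abused; subdomains (e.g. lure.pages.dev) also match.
ABUSED_SUFFIXES = ("pages.dev", "workers.dev")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def flag_cloudflare_links(body: str) -> list:
    """Return the URLs in body whose host is a Cloudflare Pages/Workers hostname."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in ABUSED_SUFFIXES):
            hits.append(url)
    return hits

def recipient_hidden(msg: EmailMessage, delivered_to: str) -> bool:
    """True when the mailbox the message was delivered to is absent from To/Cc,
    i.e. it was carried only in the SMTP envelope (Bcc-style sending)."""
    visible = set()
    for hdr in ("To", "Cc"):
        for value in msg.get_all(hdr, []):
            visible.update(a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+", str(value)))
    return delivered_to.lower() not in visible

def triage(raw: bytes, delivered_to: str) -> dict:
    """Combine both indicators for one message; the caller decides the verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {"cloudflare_links": flag_cloudflare_links(body),
            "recipient_hidden": recipient_hidden(msg, delivered_to)}

# Constructed sample resembling the "review a document" lure described above.
SAMPLE = b"""From: docs@example.invalid
To: undisclosed-recipients:;
Subject: Document for review
Content-Type: text/plain; charset=utf-8

Review now: https://proposal-review.pages.dev/view?id=1
Portal: https://www.example.com/login
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "alice@example.org"))
```

Either indicator alone is common in legitimate mail (many real sites are hosted on Pages, and mailing lists use Bcc), so the output is meant to prioritize analyst review rather than block on its own.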
Cloudflare Workers Threats
Cloudflare Workers is a serverless computing platform offered by Cloudflare that allows developers to deploy and run JavaScript code directly at the edge of Cloudflare's CDN. This enables them to execute code client-side, on the user’s device rather than on a server, reducing latency and improving performance for web applications.
Cloudflare Workers, while designed to enhance web performance and security, can be exploited for malicious purposes. Attackers can exploit this platform to conduct Distributed Denial of Service (DDoS) attacks, deploy phishing sites, exfiltrate sensitive user data, execute malicious redirects, inject harmful scripts, bypass security controls, or automate various attacks like brute-force login attempts.
In the screenshot below, Cloudflare Workers was used to create a human verification page before redirecting the user to a Microsoft Office365 phishing attack. A human verification page can help a phishing attack appear more legitimate by mimicking familiar security practices, such as CAPTCHA, which tend to be used on legitimate websites. This creates a false sense of trust that may distract the victim from identifying signs of a phishing attack. As a result, victims are more likely to enter their Microsoft Office365 credentials, and other personally identifiable information (PII), without suspicion.
Cloudflare Threat Statistics
Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024. With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%.
Much like Cloudflare Pages, threats utilizing Cloudflare Workers have also experienced a significant increase. We have witnessed a 104% surge in phishing attacks on this platform, climbing from 2,447 incidents in 2023 to 4,999 incidents year-to-date. Currently averaging 499 incidents per month, the total volume is expected to reach almost 6,000 by year-end, reflecting a projected 145% increase compared to the previous year.
Cloudflare has several security measures in place to combat abuse, including threat detection systems, phishing detection, and user reporting mechanisms to take down malicious content. Despite these efforts, cybercriminals can still exploit the platform before malicious content is detected. The surge of 198% in attacks abusing Cloudflare Pages and the 104% increase in attacks on Cloudflare Workers highlight cybercriminals’ ongoing ability to discover new techniques and tactics to exploit these platforms. The risk is in how cybercriminals are misusing the service provider, and not in the technology itself.
Users can protect themselves from phishing by following several best practices. First, they should be cautious when interacting with unfamiliar websites, especially those requesting personal or sensitive information. Verifying the legitimacy of URLs and ensuring that the domain matches the expected source can help identify signs of a phishing attack. Additionally, enabling two-factor authentication (2FA) adds an extra layer of security to user accounts. Developers using Cloudflare Pages should implement strong security measures such as regularly updating their site’s dependencies, using HTTPS for secure connections, and monitoring for suspicious activity. It's also important to report any phishing attempts or malicious activity to Cloudflare for further investigation and takedown, helping to prevent wider abuse from spreading.
Discover how Fortra’s Email Security can help your organization remain vigilant in the face of these evolving threats.