A recent Microsoft 365 credential harvesting campaign shows how attackers are exploiting CloudFlare’s protective features to shield malicious phishing sites from security scanners and threat researchers.
CloudFlare is widely used by organizations to improve website performance and protect against attacks such as bots, DDoS, and automated scanning.
However, these same protections can also unintentionally benefit malicious actors who host phishing pages behind the service.
Security researchers recently identified a phishing campaign targeting Microsoft 365 users that takes advantage of CloudFlare’s anti-bot and verification systems.
The attackers use multiple anti-detection mechanisms to ensure that only real victims can access the credential-stealing pages.
CloudFlare Used as a Protective Shield
The campaign begins with a phishing domain hosted behind CloudFlare infrastructure.
Example domain and URL observed in the campaign:
- securedsnmail[.]com.
- https[:]//securedsnmail[.]com/secdex.html.
When users visit the site, they first encounter a CloudFlare human verification page. This step is designed to block automated scanners and security tools before they can analyze the malicious content.
![securedsnmail[.]com (Source: DomainTools)](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/69b1cf5afe4b476c542099d4_31d6b69b.png)
Once the verification process is completed, the victim is redirected to the next stage of the attack.
The attackers implemented several gatekeeping techniques to prevent security systems from identifying the phishing site.
These include:
- CloudFlare human verification to block automated scanning tools.
- IP filtering using data from api.ipify[.]org to identify the visitor’s IP address.
- Hardcoded blocklists that exclude IP ranges belonging to security companies such as Palo Alto Networks, FireEye, AWS, and Google Cloud platforms.
- User‑agent inspection to detect bots and crawlers such as Googlebot, Bingbot, AhrefsBot, and Twitterbot.
If a security scanner or bot is detected, the site automatically displays a fake “404 Not Found” page. This prevents the domain from being indexed by search engines or flagged by security monitoring tools.
Obfuscated Credential Harvesting
The actual credential theft logic is heavily obfuscated to avoid detection during static analysis.
Instead of using standard JavaScript, the phishing kit uses a custom virtual machine function that executes encoded instructions. This makes it difficult for analysts to identify the data exfiltration logic or command‑and‑control infrastructure.
If the visitor passes all gatekeeping checks, the script generates a phishing redirect URL similar to:
https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={}
The generated auth parameter appears to track the victim and confirm that they successfully passed the verification process before reaching the Microsoft 365 credential harvesting page.
Researchers also discovered a common CloudFlare Turnstile configuration across multiple phishing domains.
The campaigns used a static Turnstile sitekey:
0x4AAAAAACG6TJhrsuZdpjsN
The identifier CG6TJhrsuZdpjsN likely corresponds to a specific CloudFlare account configuration. Security teams can use this key to search platforms such as Shodan, Censys, and URLScan to identify additional phishing domains linked to the same infrastructure.
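Added example, not code from the article or from DomainTools: a small Python scanner that takes the HTML of a fetched page and checks it for the gatekeeping fingerprints described above (the ipify lookup, the crawler names checked in the User-Agent, the scripted "404 Not Found", the `auth=` redirect parameter) and extracts any Turnstile sitekey so it can be compared against the one researchers reported. Only the sitekey and the indicator names come from the article; the sample pages, the regular expressions and the scoring weights are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Turnstile sitekey reported in the article; extend this set as more are confirmed.
KNOWN_PHISHING_SITEKEYS = {"0x4AAAAAACG6TJhrsuZdpjsN"}

# Crawler names the article says the kit looks for in the User-Agent.
BOT_UA_MARKERS = ("Googlebot", "Bingbot", "AhrefsBot", "Twitterbot")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Matches the Turnstile widget attribute as well as a JS-side sitekey option.
SITEKEY_RE = re.compile(r"""(?:data-sitekey\s*=\s*|\bsitekey\s*[:=]\s*)["']([^"']+)["']""", re.I)
IPIFY_RE = re.compile(r"api\.ipify\.org", re.I)
AUTH_PARAM_RE = re.compile(r"[?&]auth=", re.I)
FAKE_404_RE = re.compile(r"404\s+Not\s+Found", re.I)


@dataclass
class ScanResult:
    sitekeys: list = field(default_factory=list)
    known_sitekey_hit: bool = False
    ipify_lookup: bool = False
    bot_ua_markers: list = field(default_factory=list)
    scripted_404: bool = False
    auth_redirect: bool = False

    def score(self) -> int:
        """Weighted sum of indicators; the weights are this example's assumption."""
        s = 0
        if self.known_sitekey_hit:
            s += 5  # direct infrastructure link, strongest signal
        if self.ipify_lookup:
            s += 2
        if len(self.bot_ua_markers) >= 2:
            s += 2
        if self.scripted_404:
            s += 2
        if self.auth_redirect:
            s += 1
        return s


def scan_page(html: str) -> ScanResult:
    """Look for the gatekeeping fingerprints in one page's HTML and inline scripts."""
    r = ScanResult()
    r.sitekeys = sorted(set(SITEKEY_RE.findall(html)))
    r.known_sitekey_hit = any(k in KNOWN_PHISHING_SITEKEYS for k in r.sitekeys)
    scripts = "\n".join(SCRIPT_RE.findall(html))
    r.ipify_lookup = bool(IPIFY_RE.search(scripts))
    r.bot_ua_markers = [b for b in BOT_UA_MARKERS if b in scripts]
    r.scripted_404 = bool(FAKE_404_RE.search(scripts))
    r.auth_redirect = bool(AUTH_PARAM_RE.search(scripts))
    return r


def verdict(html: str) -> str:
    s = scan_page(html).score()
    if s >= 5:
        return "likely gatekeeper"
    if s >= 2:
        return "suspicious"
    return "no cloaking indicators"


# Constructed sample page: the indicators from the article placed in plausible
# markup. Not a capture from the campaign; the next-stage host is a placeholder.
SAMPLE_GATEKEEPER = r"""<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div>
<script>
var bots = ["Googlebot", "Bingbot", "AhrefsBot", "Twitterbot"];
fetch("https://api.ipify.org?format=json").then(function (r) { return r.json(); }).then(function (d) {
  if (blocked(d.ip) || bots.some(function (b) { return navigator.userAgent.indexOf(b) >= 0; })) {
    document.body.innerHTML = "<h1>404 Not Found</h1>";
  } else {
    location.href = "https://NEXT-STAGE-PLACEHOLDER.invalid/x?b=1&auth=" + token;
  }
});
</script></body></html>"""

# Constructed benign page: a legitimate Turnstile widget with no cloaking logic.
SAMPLE_BENIGN = r"""<html><body>
<form><div class="cf-turnstile" data-sitekey="0x4AAAAAAA_BENIGN_PLACEHOLDER"></div></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("gatekeeper", SAMPLE_GATEKEEPER), ("benign", SAMPLE_BENIGN)):
        res = scan_page(page)
        print(name, res.score(), verdict(page), res.sitekeys)
```

Every extracted sitekey, not only the known one, is worth keeping: a sitekey that recurs across unrelated-looking domains is exactly the pivot the researchers describe, so feeding `res.sitekeys` into a search over URLScan, Shodan or Censys results is the natural next step.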
Infrastructure Patterns
Several shared infrastructure indicators were observed across the campaign:
- Nameservers: cloudflare.com.
- Registrar: Namecheap.
- MX hosts: registrar-servers[.]com, jellyfish[.]systems.
- Hosting ISP: CloudFlare Inc.
These commonalities suggest a coordinated phishing framework designed to quickly deploy new domains when older ones are detected.
This campaign highlights a growing challenge in cybersecurity. Attackers are increasingly hiding behind legitimate security and content delivery platforms that are designed to protect websites from abuse.
While services like CloudFlare provide critical protection for millions of legitimate websites, their infrastructure can also slow the detection of malicious campaigns when attackers exploit built‑in anti‑bot and verification features.
Security researchers say stronger customer verification and abuse monitoring by service providers may help reduce the misuse of these platforms for phishing and credential harvesting operations.
IOCs
- securedreach[.]com
- wirelessmailsent[.]com
- suitecorporate[.]com
- suitetosecured[.]com