Most of us have clicked the familiar “prove you are human” box from Cloudflare while browsing the web. Now attackers are using that same security feature as cover for a new type of cyberattack.
According to a new report from the research firm DomainTools, scammers are now hijacking Cloudflare’s security tools to hide fake Microsoft 365 login pages from the very experts trying to shut them down.
The trick is as simple as it is effective. When a victim clicks a link to a malicious site, such as securedsnmail.com in this case, they hit a ‘Turnstile’ verification check. Turnstile is meant to stop bots, but here it acts as a filter to keep out security scanners.
Further probing of the site’s code revealed it even fetches a visitor’s location using api.ipify.org to check it against a ‘who’s who’ blocklist of the tech world. This list includes Palo Alto Networks, FireEye, Google, and Amazon.
If the site thinks you are a security professional or a bot like Googlebot or Twitterbot, it pulls a vanishing act. The page instantly swaps itself for a fake “404 Not Found” message, so that the scam isn’t indexed or flagged.

Scrambled Code and Hidden Tracks
Even if you pass the human test, the real danger is buried deep. According to DomainTools’ report, hackers aren’t using standard web code; they have built a custom virtual machine function, specifically named e_d007dc, to run scrambled instructions. This makes it nearly impossible for basic antivirus software to detect the theft happening in the background.
It is worth noting that if the site’s gatekeeper catches a suspicious visitor mid-session, the system automatically redirects them to a legitimate site like Google.com. It is a clean getaway that leaves no forensic trail.
However, researchers did find one major slip-up: a static ‘sitekey’ (0x4AAAAAACG6TJhrsuZdpjsN) was found across multiple domains, including suitecorporate.com and suitetosecured.com. This digital fingerprint is now helping teams track the group’s infrastructure, which often relies on Namecheap for registration and mail servers like jellyfish.systems.
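For defenders who want to use that fingerprint, the sketch below pulls Turnstile sitekeys out of captured page source and groups domains that share one. It is an added example, not code from the DomainTools report: the HTML snippets, the `unrelated.example` domain and its sitekey are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# A Turnstile sitekey is public: it sits in the page source either as a
# data-sitekey attribute on the widget element or as the `sitekey` option
# passed to turnstile.render().
SITEKEY_RE = re.compile(
    r"""(?:data-sitekey\s*=\s*|\bsitekey["']?\s*:\s*)["'](0x[0-9A-Za-z_-]{10,})["']"""
)

def extract_sitekeys(html):
    """Return every Turnstile sitekey found in one page's HTML."""
    return set(SITEKEY_RE.findall(html))

def shared_sitekeys(pages, min_domains=2):
    """Map each sitekey seen on >= min_domains domains to those domains."""
    seen = defaultdict(set)
    for domain, html in pages.items():
        for key in extract_sitekeys(html):
            seen[key].add(domain)
    return {k: sorted(d) for k, d in seen.items() if len(d) >= min_domains}

def match_watchlist(html, watchlist):
    """Sitekeys in a newly crawled page that are already attributed."""
    return extract_sitekeys(html) & set(watchlist)

# Constructed sample HTML. Only the two suite* domains and the first sitekey
# come from the article; the third entry is a made-up unrelated site.
PAGES = {
    "suitecorporate.com":
        '<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div>',
    "suitetosecured.com":
        "<script>turnstile.render('#gate', {sitekey: '0x4AAAAAACG6TJhrsuZdpjsN'});</script>",
    "unrelated.example":
        '<div class="cf-turnstile" data-sitekey="0x4AAAAAAAconstructedKEY01"></div>',
}

if __name__ == "__main__":
    for key, domains in shared_sitekeys(PAGES).items():
        print(key, "->", ", ".join(domains))
```

Run over a crawl of newly registered or reported domains, `match_watchlist` flags any page that reuses an already attributed sitekey, even when the domain name itself is new.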
Let’s take this campaign as a reminder that the tools built to protect us can easily become shields for criminals. The best protection remains common sense; always check the address bar before typing a password, especially if a site seems a little too desperate to prove you’re human first.





