Cybersecurity researchers have raised an alarm over phishing campaigns leveraging Cloudflare Workers to deploy fraudulent sites aimed at harvesting user credentials linked to Microsoft, Gmail, Yahoo!, and cPanel Webmail. This method, termed transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers as reverse proxy servers to intercept traffic between victims and legitimate login pages, capturing sensitive information such as credentials and cookies. Over the past 30 days, a surge in phishing campaigns hosted on Cloudflare Workers has been observed, primarily targeting victims in Asia, North America, and Southern Europe, spanning various sectors including technology and financial services.
The phishing campaigns utilize HTML smuggling, a technique employing malicious JavaScript to assemble fraudulent payloads on the client side, evading traditional security measures. Particularly concerning is the manipulation of login pages for Microsoft Outlook or Office 365, enticing victims with offers to view supposed PDF documents, leading to the harvesting of credentials and multi-factor authentication codes. The creation of these phishing pages involves the use of a modified version of an open-source Cloudflare AitM toolkit, enabling attackers to collect web request metadata and intercept sensitive information entered by victims.
Moreover, cybercriminals are increasingly relying on HTML smuggling payloads to deliver fraudulent HTML pages and other malware, exploiting loopholes in security defenses. Examples include injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. Email-based phishing attacks have also diversified, with adversaries leveraging phishing-as-a-service (PhaaS) toolkits to steal Microsoft 365 login credentials, evade multi-factor authentication, and incorporate QR codes within PDF files. This escalation in cyber threats underscores the importance of robust security measures and ongoing vigilance to combat evolving tactics employed by malicious actors.
