New Phishing Attack Exploits Cloudflare R2 Hosting Service to Steal Cloud Passwords

Cloudflare R2 is a hosting service that, like the following platforms, provides developers with cost-effective large-scale data storage, but with no egress bandwidth charges:-

  • Amazon S3
  • Google GCS
  • Azure Blob Storage

Cloudflare R2 was first launched for beta testing in May 2022, and in August 2022 Cloudflare made the service publicly available.

Cybersecurity analysts at Netskope Threat Labs recently noted a shocking 61-fold surge in traffic to Cloudflare R2-hosted phishing pages between February and July 2023.

These phishing campaigns mostly target Microsoft credentials, but they also cover other cloud apps such as:-

  • Adobe
  • Dropbox

The prime targets of these phishing campaigns are organizations in North America and Asia, across sectors and industries such as:-

  • Technology
  • Financial services
  • Banking sectors

Phishing pages

To distribute the phishing pages, the threat actors behind these campaigns abuse Cloudflare R2's free hosting service. In addition, the operators use two notable techniques to evade scanners and URL analyzers.

To prevent unwanted access and protect the pages, they put a CAPTCHA in front of them using Cloudflare Turnstile.

Additionally, the malicious content loads only when the page is reached via another malicious site, which lets the operators target specific victims.

Cloudflare Turnstile (Source – Netskope)

Users are urged to look out for URLs with the following pattern, since the threat actors take advantage of Cloudflare's free subdomain:-

  • https[:]//pub-<32_alphanumeric_string>.r2.dev/webpage[.]htm

Microsoft phishing page (Source – Netskope)
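The following is an added example (not code from the article or from Netskope) showing how a defender could turn the URL pattern above into a triage check over proxy logs. It assumes a whitespace-separated log format (timestamp, client IP, method, URL, status) and that the 32-character string in the hostname is lowercase alphanumeric; the log lines and bucket name are constructed for the example, not real indicators. The check also accepts the defanged form used in the article (`https[:]//`, `[.]htm`) so copied indicators can be fed in directly.

```python
import re
from urllib.parse import urlsplit

# Hostname pattern from the article: pub-<32 alphanumeric characters>.r2.dev
R2_PUBLIC_HOST = re.compile(r"^pub-[a-z0-9]{32}\.r2\.dev$", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo common defanging ("hxxp", "[:]", "[.]") so an indicator can be parsed."""
    url = url.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_r2_public_page(url: str) -> bool:
    """True when the URL points at an HTML page on a public r2.dev bucket subdomain.

    This is a triage signal, not proof of phishing: r2.dev also serves legitimate
    content, so matches should feed URL filtering or analyst review.
    """
    parts = urlsplit(refang(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if not R2_PUBLIC_HOST.match(parts.hostname):
        return False
    return parts.path.lower().endswith((".htm", ".html"))


# Constructed proxy log lines (timestamp, client, method, url, status); not real traffic.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z 10.0.0.12 GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/webpage.htm 200
2023-07-01T10:00:02Z 10.0.0.12 GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/logo.png 200
2023-07-01T10:00:03Z 10.0.0.15 GET https://example.com/index.htm 200
2023-07-01T10:00:04Z 10.0.0.15 GET https://pub-short.r2.dev/login.html 200
"""


def flag_log_lines(log_text: str) -> list[str]:
    """Return the URLs from the log that match the r2.dev public-page pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        url = fields[3]
        if is_r2_public_page(url):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("review:", hit)
```

Only the first log line is flagged: the image request on the same bucket is not an HTML page, `example.com` is not an r2.dev host, and `pub-short` does not have the 32-character identifier. Because the match is on the hostname shape rather than on a specific bucket, the check keeps working when the actors rotate buckets, which is why it is better used to route traffic into the URL filtering and review steps the article recommends than as a standalone block rule.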

Phishing Page With Cloudflare R2

In addition to abusing Cloudflare Turnstile, some phishing sites delay displaying the page until specific criteria are met.

A timestamp placed after a hash (#) in the referring site's URL unlocks the page; if that parameter is missing, the visitor is redirected to "google.com."

This dual check hides the threat actor's malicious intent from scanners while letting them target victims precisely.

A timestamp from the referrer is required to reach the real phishing page; direct access shows a custom error message instead.

Error Message (Source – Netskope)

To identify bot-crawled visits to the phishing pages, the phishing site deploys the open-source bot detection library "Fingerprint BotD." When a bot is detected on the page, the following custom error message is shown:-

  • ERROR CODE 102 or 99

Recommendations

Below are the recommendations provided by the experts at Netskope:-

  • Monitor all HTTP and HTTPS traffic to prevent visits to malicious sites.
  • Deploy a robust URL filtering policy to block known phishing and scam sites.
  • Ensure that a proper threat protection policy is in place.
  • Use Remote Browser Isolation (RBI) technology for an additional layer of protection.


Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.