Mallory
Phishing Attacks Leveraging Cloudflare Pages and Modern Phishing Kits

Tags: modern phishing, phishing kits, phishing, Cloudflare, credential harvesting, DDoS, credential delivery, exploit, attack vector, backdoor, Telegram, attack, free hosting, antibot

Updated December 18, 2025 at 03:02 PM · 3 sources

Threat actors are increasingly abusing free web hosting services such as Cloudflare Pages to host phishing portals that impersonate banking, insurance, and healthcare organizations. These phishing sites are designed to harvest sensitive information including credentials, security questions, and multifactor authentication codes. Attackers benefit from the speed, scale, and resilience provided by free hosting, as well as the use of mainstream messaging platforms like Telegram for exfiltration, making detection and takedown efforts more challenging for defenders.

Modern phishing kits have evolved into sophisticated platforms that enable even low-skilled threat actors to deploy convincing credential-harvesting sites rapidly. These kits often include features such as admin panels, real-time credential delivery, proxy capabilities for MFA bypass, and antibot systems to evade security researchers. The accessibility and advanced capabilities of these kits, combined with the use of free hosting and messaging services, have significantly lowered the barrier to entry for large-scale phishing campaigns targeting organizations and individuals alike.

Sources

December 15, 2025 at 12:00 AM
December 15, 2025 at 12:00 AM

Related Stories

Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques

Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone.

Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny.

Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.

2 months ago

Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services

A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls.

In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.

3 months ago

Phishing Campaigns Leveraging Pre-Filled Login Pages and Telegram for Credential Theft

Researchers have identified sophisticated phishing campaigns targeting users of major web hosting and email services, employing advanced techniques to steal credentials and payment information. In one case, customers of Aruba S.p.A., a leading Italian web hosting provider, were targeted with phishing emails that mimicked official notifications about expiring services or failed payments. Victims were directed to fake login and payment pages, where their email addresses were pre-filled to enhance credibility. The phishing kit used in this campaign incorporated CAPTCHA filtering to evade detection and utilized Telegram bots for real-time exfiltration of stolen credentials and credit card details.

A parallel campaign has been observed where users receive fake spam filter alerts, claiming that important emails have been blocked due to a supposed system upgrade. These emails, appearing to originate from the recipient's own domain, prompt users to log in via a link to a spoofed webmail page, again with pre-filled email addresses. The phishing sites employ tactics such as repeated invalid login prompts to harvest passwords and use obfuscated code and websockets for instant credential theft. In both campaigns, Telegram is used as the primary channel for attackers to receive stolen data, highlighting a trend in the use of messaging platforms for cybercriminal coordination and data exfiltration.

4 months ago
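A defender-side triage heuristic for the indicators this story and the Aruba/webmail story above describe (an added example, not code from Mallory or from any of the cited reports): it scores URLs taken from mail or proxy logs for a brand-like label on a free-hosting subdomain (assumes Cloudflare Pages' default *.pages.dev domain), for the recipient's address pre-filled in the query string or fragment, and for endpoint egress to the Telegram Bot API sendMessage/sendDocument paths. The log format, brand keyword list and bot token are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed indicator lists; tune to your environment.
FREE_HOSTING_SUFFIXES = (".pages.dev",)  # Cloudflare Pages default subdomain
BRAND_KEYWORDS = ("bank", "insurance", "health", "webmail", "aruba")  # illustrative
# Bot API calls look like /bot<id>:<token>/sendMessage; the token below is a placeholder.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)$")

# Constructed proxy log sample: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2025-12-15T09:01:02Z 10.0.0.21 GET https://secure-bank-login.pages.dev/verify#user@example.com
2025-12-15T09:01:05Z 10.0.0.21 POST https://api.telegram.org/bot123456:PLACEHOLDER-TOKEN/sendMessage
2025-12-15T09:02:10Z 10.0.0.22 GET https://docs.example.com/help?lang=en
"""


def score_url(url, recipient=None):
    """Return (score, reasons) for one URL; each reason is one indicator from the stories."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host.endswith(FREE_HOSTING_SUFFIXES):
        reasons.append("free-hosting")
        label = host.split(".")[0]  # the attacker-chosen project name
        if any(k in label or k in parts.path.lower() for k in BRAND_KEYWORDS):
            reasons.append("brand-on-free-hosting")
    if recipient:
        # Kits pre-fill the victim's address via the query string or the fragment.
        decoded = unquote(parts.query + " " + parts.fragment).lower()
        if recipient.lower() in decoded:
            reasons.append("recipient-prefilled")
    if host == "api.telegram.org" and TELEGRAM_BOT_PATH.match(parts.path):
        reasons.append("telegram-bot-api")
    return len(reasons), reasons


def triage_log(text, recipient=None, threshold=2):
    """Flag lines scoring >= threshold, plus any Bot API egress from a client endpoint."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        score, reasons = score_url(fields[3], recipient)
        if score >= threshold or "telegram-bot-api" in reasons:
            hits.append((n, fields[1], score, reasons))
    return hits
```

Running `triage_log(SAMPLE_LOG, recipient="user@example.com")` flags the first two constructed lines and leaves the ordinary documentation request alone.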

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.