Phishing Attacks Leveraging Cloudflare Pages and Modern Phishing Kits
Threat actors are increasingly abusing free web hosting services such as Cloudflare Pages to host phishing portals that impersonate banking, insurance, and healthcare organizations. These phishing sites are designed to harvest sensitive information including credentials, security questions, and multifactor authentication codes. Attackers benefit from the speed, scale, and resilience provided by free hosting, as well as the use of mainstream messaging platforms like Telegram for exfiltration, making detection and takedown efforts more challenging for defenders.
Modern phishing kits have evolved into sophisticated platforms that enable even low-skilled threat actors to deploy convincing credential-harvesting sites rapidly. These kits often include features such as admin panels, real-time credential delivery, proxy capabilities for MFA bypass, and antibot systems to evade security researchers. The accessibility and advanced capabilities of these kits, combined with the use of free hosting and messaging services, have significantly lowered the barrier to entry for large-scale phishing campaigns targeting organizations and individuals alike.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Flare identifies live cloud-native phishing infrastructure targeting major platforms
Flare Research reported live phishing operations targeting Gmail, Facebook, and Microsoft 365 using BitM, AiTM, and reverse-proxy techniques to steal sessions and bypass MFA. The investigation found scalable, automated infrastructure across multiple hosting providers, shared IOCs, and reported findings to relevant CERTs.
Research documents mature phishing-kit ecosystem and Telegram-enabled operations
Analysis published on phishing kits described a mature Phishing-as-a-Service market with subscription pricing, Telegram-based distribution and exfiltration, and tools such as Evilginx and EvilProxy enabling AiTM attacks and MFA bypass. The research highlighted rapid redeployment, short-lived infrastructure, and phishing's continued role as a major initial access vector.
Threat actors begin abusing Cloudflare Pages for phishing portals
A phishing campaign used the free Cloudflare Pages service to host fake login pages impersonating banking, insurance, and healthcare organizations. The operation also used compromised redirectors and Telegram-based exfiltration to steal credentials, security answers, and MFA codes while evading traditional detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Hunting for Live Phishing Infrastructure Based on Cybercrime Intelligence
flare.io
Open sourceWarning: Phishing Attacks Abuse Free Cloudflare Pages
blog.knowbe4.com
Open sourcePhishing Kits: An Interactive Deepdive
flare.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
Mar 21, 2026
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
Mar 21, 2026
Phishing Campaigns Leveraging Pre-Filled Login Pages and Telegram for Credential Theft
Researchers have identified sophisticated phishing campaigns targeting users of major web hosting and email services, employing advanced techniques to steal credentials and payment information. In one case, customers of Aruba S.p.A., a leading Italian web hosting provider, were targeted with phishing emails that mimicked official notifications about expiring services or failed payments. Victims were directed to fake login and payment pages, where their email addresses were pre-filled to enhance credibility. The phishing kit used in this campaign incorporated CAPTCHA filtering to evade detection and utilized Telegram bots for real-time exfiltration of stolen credentials and credit card details. A parallel campaign has been observed where users receive fake spam filter alerts, claiming that important emails have been blocked due to a supposed system upgrade. These emails, appearing to originate from the recipient's own domain, prompt users to log in via a link to a spoofed webmail page, again with pre-filled email addresses. The phishing sites employ tactics such as repeated invalid login prompts to harvest passwords and use obfuscated code and websockets for instant credential theft. In both campaigns, Telegram is used as the primary channel for attackers to receive stolen data, highlighting a trend in the use of messaging platforms for cybercriminal coordination and data exfiltration.
Mar 21, 2026