
The campaign demonstrates a growing and troubling trend: threat actors turning the very tools designed to defend websites into shields for malicious infrastructure.
Platforms like Cloudflare are widely trusted for their anti-bot protections, content delivery capabilities, and DDoS mitigation. However, these same features, including human verification checks, IP filtering, and user-agent inspection, can inadvertently obstruct security researchers and automated scanning tools from identifying malicious sites in a timely manner. Attackers in this campaign exploited exactly that blind spot.
The campaign uncovered by DomainTools was anchored by the domain securedsnmail[.]com, which served as the initial entry point for victims. Once a user landed on the page, a multi-layered gatekeeping system went to work before any credential theft occurred.
The site’s first line of defense was a Cloudflare human verification (Turnstile) check, which immediately filtered out automated crawlers. But the attackers didn’t stop there.
The phishing page also queried the visitor’s IP address via api.ipify[.]org and cross-referenced it against a hardcoded blocklist that included IP ranges belonging to major security vendors such as Palo Alto Networks and FireEye, as well as cloud infrastructure from AWS and Google.
If a visitor’s browser carried a suspicious user-agent string, such as those associated with Googlebot, Bingbot, AhrefsBot, or Twitterbot, the page would dynamically replace itself with a convincing fake “404 Not Found” error, preventing the site from being indexed or flagged by security scanners.
Any visitor who cleared these checks was then funneled through an obfuscated credential harvesting script. The core theft logic was concealed inside a custom virtual machine function (e_d007dc) that interpreted an array of encoded instructions, making static code analysis ineffective.
If the gatekeeping logic detected a security tool mid-session, the VM quietly redirected the destination URL to a legitimate domain, such as Google.com, neutralizing any forensic footprint.
According to the DomainTools report, victims who passed all checks were redirected to the actual phishing URL — formatted as https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={} — which mimicked a Microsoft 365 login page designed to capture credentials in real time.
Researchers noted that all phishing sites identified in this campaign shared the same Cloudflare Turnstile sitekey: 0x4AAAAAACG6TJhrsuZdpjsN.
Because this key is a static identifier tied to a specific Cloudflare dashboard configuration, security teams may be able to pivot on it across platforms like Shodan, Censys, and URLScan to proactively discover newly registered phishing infrastructure before it is deployed in active campaigns.
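The gating behaviour described above (Turnstile check, ipify IP lookup, crawler user-agent filter, fake 404) and the static sitekey are all things a defender can look for in a captured page. The following Python triage script is an added example, not code from the DomainTools report or from Cloudflare: it extracts `data-sitekey` values from saved HTML (the attribute Cloudflare's Turnstile widget uses), compares them against a known-bad list seeded with the sitekey reported for this campaign, and flags the cloaking indicators named in the article. The sample HTML documents, the `0x000…` placeholder sitekey and the scoring thresholds are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Sitekey reported by DomainTools for this campaign; extend the set as new kits surface.
KNOWN_MALICIOUS_SITEKEYS = {"0x4AAAAAACG6TJhrsuZdpjsN"}

# Turnstile (and reCAPTCHA) embed the sitekey in a data-sitekey attribute.
TURNSTILE_SITEKEY_RE = re.compile(r'data-sitekey\s*=\s*["\']([0-9A-Za-z_-]+)["\']')
# Client-side IP lookup used by the kit to check visitors against a vendor blocklist.
IP_LOOKUP_RE = re.compile(r"api\.ipify\.org", re.I)
# Crawler user-agent tokens the kit matched before serving a fake error page.
BOT_UA_TOKENS = ("googlebot", "bingbot", "ahrefsbot", "twitterbot")
FAKE_404_RE = re.compile(r"404\s+Not\s+Found", re.I)


@dataclass
class TriageResult:
    sitekeys: list[str] = field(default_factory=list)
    known_bad_sitekey: bool = False
    ip_lookup: bool = False
    bot_ua_filter: bool = False
    fake_404: bool = False

    def score(self) -> int:
        """One point per cloaking indicator; the sitekey match counts double."""
        return (2 * self.known_bad_sitekey + self.ip_lookup
                + self.bot_ua_filter + self.fake_404)

    def verdict(self) -> str:
        # Thresholds are constructed for this example, not taken from the report.
        if self.known_bad_sitekey or self.score() >= 3:
            return "malicious"
        if self.score() >= 2:
            return "suspicious"
        return "benign"


def triage_html(html: str) -> TriageResult:
    """Run the static checks over one captured page and return the indicators found."""
    lowered = html.lower()
    result = TriageResult()
    result.sitekeys = TURNSTILE_SITEKEY_RE.findall(html)
    result.known_bad_sitekey = any(k in KNOWN_MALICIOUS_SITEKEYS for k in result.sitekeys)
    result.ip_lookup = bool(IP_LOOKUP_RE.search(html))
    # Require two or more crawler names together: a single mention is common in benign code.
    result.bot_ua_filter = sum(tok in lowered for tok in BOT_UA_TOKENS) >= 2
    result.fake_404 = bool(FAKE_404_RE.search(html))
    return result


# Constructed sample: a page wired the way the article describes the kit.
SAMPLE_PHISH_HTML = """
<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div>
<script>
  fetch('https://api.ipify.org?format=json').then(r => r.json()).then(j => check(j.ip));
  var bots = ['Googlebot', 'Bingbot', 'AhrefsBot', 'Twitterbot'];
  if (bots.some(b => navigator.userAgent.includes(b))) {
    document.body.innerHTML = '<h1>404 Not Found</h1>';
  }
</script>
</body></html>
"""

# Constructed sample: a legitimate Turnstile deployment with a placeholder sitekey.
SAMPLE_BENIGN_HTML = """
<div class="cf-turnstile" data-sitekey="0x0000000000000000000000"></div>
"""


if __name__ == "__main__":
    for label, doc in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        r = triage_html(doc)
        print(f"{label}: sitekeys={r.sitekeys} score={r.score()} verdict={r.verdict()}")
```

Run against a directory of saved responses from a sandbox or URLScan export, the sitekey list doubles as a pivot: any page whose extracted key is already in `KNOWN_MALICIOUS_SITEKEYS` is tied to the same Cloudflare dashboard, regardless of the domain it is served from.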
All domains in the campaign were registered through Namecheap, hosted on Cloudflare’s IP infrastructure, and shared nameservers pointing to cloudflare.com.
Indicators of Compromise
- securedsnmail[.]com
- securedreach[.]com
- wirelessmailsent[.]com
- suitecorporate[.]com
- suitetosecured[.]com
This campaign underscores the urgent need for service providers like Cloudflare to strengthen their Know Your Customer (KYC) processes and build mechanisms that prevent their defensive features from being weaponized against the broader security community.
As attackers grow more sophisticated in their abuse of legitimate platforms, proactive platform accountability becomes just as critical as endpoint defenses.
The post Hackers Leveraging Cloudflare Anti-Bot Features to Steal Microsoft 365 Credentials appeared first on Cyber Security News.
