
However, this same functionality is increasingly being exploited by malicious actors to shield their activities from detection.
A recent campaign targeting Microsoft 365 login credentials has shown how this defensive dynamic can be turned around: the attackers use Cloudflare tools to mask their malicious intent, making it harder for security systems to flag their operations.
The Cloudflare Dynamic and Attack Flow
The recent credential-harvesting campaign began with a fake website, securedsnmail[.]com, that masquerades as a legitimate service.
To bypass automated security tools, the site uses Cloudflare’s human verification to ensure that only real users, not security tools, can access the malicious content. This is the first layer of gatekeeping.
Once a user passes the human verification, the site employs aggressive IP and user-agent filtering. The site checks the visitor’s IP address against a hardcoded blocklist of known security firms and cloud service providers, including Palo Alto, FireEye, and AWS.
If the visitor’s IP matches one of these, the page displays a “404 Not Found” message to deter scanning bots. It also inspects the visitor’s user-agent string and filters out common crawlers such as Googlebot and Bingbot to avoid detection.
The real sophistication of this attack lies in its obfuscation techniques. Rather than using standard JavaScript for credential harvesting, the malware relies on a custom VM function that decodes an encrypted array of instructions, making static analysis nearly impossible.
If the page detects a security check, it dynamically redirects the visitor to a legitimate domain (such as Google.com), so the malicious activity goes unnoticed.
Obfuscated Credential Harvesting and Target Sites
The attack heavily relies on Cloudflare’s Turnstile CAPTCHA feature, which assigns a static site key that can be reused across phishing campaigns.
The site key is a unique identifier tied to a Cloudflare dashboard account. Security teams can use it to track related phishing sites across telemetry sources such as Shodan or URLScan.
The use of Cloudflare’s Turnstile as a legitimate verification mechanism makes it difficult for security systems to distinguish between real user traffic and malicious attempts to harvest credentials.
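The following is an added, defender-side example and is not code from the article or from the researchers it summarises. It is a small Python triage script that pulls Turnstile site keys out of a captured landing page so they can be pivoted on (as the article suggests for Shodan or URLScan), and flags the cloaking behaviours described in the attack flow above: hardcoded vendor/cloud blocklists, bot user-agent filters, a fake “404 Not Found” response, and a redirect to a legitimate domain when a scanner is detected. The sample pages, the site keys, the IP ranges and the “known bad” tracking list are all constructed placeholders; the regexes are heuristics, not an official Cloudflare parser.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a phishing landing page modelled on the behaviours the
# article describes. The site key, IP ranges and form URL are placeholders.
SAMPLE_PAGE = """
<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="cf-turnstile" data-sitekey="0x4AAAAAAA_CONSTRUCTED_KEY" data-callback="onOk"></div>
<script>
var blocked_ips = ["203.0.113.0/24", "198.51.100.0/24"]; // hardcoded vendor/cloud ranges
var blocked_vendors = ["paloalto", "fireeye", "amazonaws", "googlebot", "bingbot"];
function onOk(token) {
  if (blocked_vendors.some(v => navigator.userAgent.toLowerCase().includes(v))) {
    document.body.innerHTML = "<h1>404 Not Found</h1>"; return;
  }
  if (window.__scan_detected) { location.href = "https://www.google.com/"; }
  loadForm("https://login.example.invalid/m365");
}
</script></body></html>
"""

# Constructed benign page: a Turnstile widget with no cloaking logic at all.
BENIGN_PAGE = """
<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<form action="/contact"><div class="cf-turnstile" data-sitekey="0x4AAAAAAA_OTHER_KEY"></div></form>
</body></html>
"""

# Turnstile site keys appear either as a data-sitekey attribute on the widget
# element or as a `sitekey:` option passed to turnstile.render().
SITEKEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']([0-9A-Za-z_-]+)["\']', re.I),
    re.compile(r'\bsitekey\s*:\s*["\']([0-9A-Za-z_-]+)["\']', re.I),
]

# Heuristic indicators of the cloaking behaviours described in the article.
EVASION_INDICATORS = {
    "turnstile_gate": re.compile(r"challenges\.cloudflare\.com/turnstile", re.I),
    "vendor_blocklist": re.compile(r"paloalto|fireeye|amazonaws|crowdstrike", re.I),
    "bot_ua_filter": re.compile(r"googlebot|bingbot", re.I),
    "fake_404": re.compile(r"404\s+Not\s+Found", re.I),
    "decoy_redirect": re.compile(r'location\.href\s*=\s*["\']https?://(www\.)?google\.com', re.I),
}

# Constructed tracking list: site keys previously seen on confirmed phishing pages.
KNOWN_BAD_SITEKEYS = {"0x4AAAAAAA_CONSTRUCTED_KEY"}


@dataclass
class PageFindings:
    sitekeys: list[str]
    indicators: list[str]
    score: int


def extract_sitekeys(html: str) -> list[str]:
    """Return every distinct Turnstile site key found in the page, in order."""
    found: list[str] = []
    for pat in SITEKEY_PATTERNS:
        for m in pat.finditer(html):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def find_evasion_indicators(html: str) -> list[str]:
    """Return the names of all cloaking heuristics that match the page."""
    return [name for name, pat in EVASION_INDICATORS.items() if pat.search(html)]


def analyse_page(html: str, known_bad: set[str] = KNOWN_BAD_SITEKEYS) -> PageFindings:
    """Score a page: one point per evasion indicator, two per known-bad site key."""
    keys = extract_sitekeys(html)
    inds = find_evasion_indicators(html)
    score = len(inds) + sum(2 for k in keys if k in known_bad)
    return PageFindings(keys, inds, score)


if __name__ == "__main__":
    for label, page in (("sample phish", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        r = analyse_page(page)
        print(f"{label}: sitekeys={r.sitekeys} indicators={r.indicators} score={r.score}")
```

A Turnstile widget on its own is not evidence of anything (the benign page scores 1, purely for the gate), so the score only becomes interesting when the key matches a previously tracked campaign or the page also carries the blocklist, fake-404 and decoy-redirect logic. Because the credential-harvesting code in the campaign is decoded at runtime by a custom VM, string heuristics like these will miss pages that hide the vendor list inside the encrypted instruction array; the extracted site key remains the more durable pivot, since it stays constant across campaign pages.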
This abuse of Cloudflare’s infrastructure not only complicates detection but also raises questions about service providers’ responsibility to prevent such misuse.
The use of Cloudflare’s security and content delivery tools by cybercriminals is a growing concern.
While these platforms are designed to protect legitimate businesses, their inherent features can be exploited by malicious actors, delaying attack detection and hindering risk assessments.
This Microsoft 365 credential theft campaign illustrates how such defenses can be turned against security professionals.
It highlights the need for service providers to be more proactive in monitoring and ensuring that their security features are not being leveraged for malicious purposes.
As these attackers continue to innovate, cybersecurity teams need to adopt advanced detection capabilities that go beyond traditional static analysis.
Identifying malicious activity on legitimate services like Cloudflare requires a multifaceted approach, including behavioral analysis, anomaly detection, and vigilance in tracking known indicators of compromise (IOCs).
The post Credential Theft Surge As Attackers Exploit Cloudflare Anti‑Security appeared first on Cyber Security News.
