Trustwave SpiderLabs details a surge in phishing campaigns that abuse Cloudflare R2 public buckets (r2.dev) to host malicious links. The campaigns combine impersonation of legitimate brands, fake login pages, and base64-obfuscated redirects, with thousands of r2.dev URLs observed across VirusTotal.
Key points
- Cloudflare R2 public buckets are being abused to host phishing URLs, particularly those of the form https://pub-{32 hexadecimal characters}.r2.dev/.
- Over 2,000 phishing emails in 60 days were observed that use r2.dev links, with subjects like “Statement Paid,” “upgrade mail,” and “purchase order.”
- The phishing emails imitate legitimate brands (e.g., Adobe Acrobat) and use deceptive From headers to appear legitimate.
- Phishing pages imitate real sites (e.g., a fake Adobe site) and use Ajax-based forms to post credentials to another phishing URL.
- The page source uses base64 obfuscation (the JavaScript atob method) to hide the URL to which victims are redirected for credential phishing.
- VirusTotal telemetry shows more than 25,000 r2.dev phishing URLs in the last 60 days with multiple vendor detections.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The clickable link hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html in the phishing email leads to a phishing site that imitates Adobe.
- [T1036] Masquerading – The phishing email sample mimics Adobe Acrobat in its From header, although the sending address does not belong to a legitimate Adobe Acrobat sender.
- [T1027] Obfuscated/Compressed Files and Information – The page source of this phishing URL uses the JavaScript atob method to decode a base64-encoded redirect to the URL where the stolen credentials are posted.
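The two observables above (the pub-{32 hex}.r2.dev URL pattern and the atob-wrapped base64 redirect) can be turned into a simple triage check. The following is an added example written for this summary, not code from Trustwave SpiderLabs; the email body and page source it scans are constructed, the first URL is the defanged indicator listed on this page, and the base64 redirect target is a placeholder.

```python
import base64
import binascii
import re

# Constructed sample inputs (not from the Trustwave post). The first link is the
# r2.dev indicator reported on this page; the second is a benign decoy.
SAMPLE_EMAIL = """Subject: Statement Paid
Your document is ready: https://pub-5e34bcda437b499399d6abc116886480.r2.dev/indexR.html
Archive copy: https://docs.example.com/report.pdf
"""
# Constructed page source: the redirect target is a placeholder, base64 of
# "https://example.invalid/login", wrapped in atob() as described above.
SAMPLE_PAGE = ('<script>window.location.href = '
               'atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");</script>')

# Public R2 bucket URL: "pub-" + 32 hex characters + ".r2.dev" + path.
R2_PUBLIC_URL = re.compile(
    r"""https?://pub-[0-9a-f]{32}\.r2\.dev/[^\s"'<>]*""", re.IGNORECASE)
# atob() applied to a string literal; we only inspect literal arguments.
ATOB_LITERAL = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxps://, [.]) back into a matchable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def find_r2_public_urls(text: str) -> list:
    """Return every public R2 bucket URL found in an email body or IoC list."""
    return R2_PUBLIC_URL.findall(refang(text))


def extract_atob_targets(html: str) -> list:
    """Decode base64 literals passed to atob() and keep those that are URLs.

    Invalid base64 or non-UTF-8 payloads are skipped rather than raising, so
    the check can run over arbitrary fetched page source.
    """
    targets = []
    for literal in ATOB_LITERAL.findall(html):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.lower().startswith(("http://", "https://")):
            targets.append(decoded)
    return targets


if __name__ == "__main__":
    print("r2.dev links:", find_r2_public_urls(SAMPLE_EMAIL))
    print("atob redirect targets:", extract_atob_targets(SAMPLE_PAGE))
```

Feeding the r2.dev matches into a mail-gateway rule and the decoded atob targets into a URL blocklist covers both stages of the chain described here.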
Indicators of Compromise
- [URL] context – hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html, hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.][email protected], and 6 more URLs
- [Domain] context – r2.dev, regionalmanagers-my.sharepoint.com, and 2 more domains