ANY.RUN reports that phishing kits are increasingly hosted on legitimate cloud and CDN platforms (Cloudflare, Microsoft Azure, Google Firebase, AWS), allowing attackers to hide malicious infrastructure behind trusted services and evade traditional detection. This trend — driven by kits like Tycoon2FA, Sneaky2FA, and EvilProxy and techniques such as AiTM and reverse-proxying — reduces the usefulness of IPs, TLS fingerprints, and certificates for enterprise detection. #Tycoon2FA #Cloudflare
Key points
- Phishing campaigns increasingly use legitimate cloud/CDN platforms (Cloudflare, Azure, Google Firebase, AWS) to host malicious pages and hide origin infrastructure.
- Adversary-in-the-middle (AiTM) and reverse-proxy phishing kits (Tycoon2FA, Sneaky2FA, EvilProxy) are focused on bypassing MFA and targeting enterprise accounts, not just consumer emails.
- Attack chains commonly start from emails or QR codes and include CAPTCHAs and multiple redirects to evade AVs and static analysis.
- Traditional IOCs such as IP addresses, TLS fingerprints (JA3S), and SSL certificates are becoming unreliable when traffic terminates at cloud/CDN providers.
- ANY.RUN’s interactive sandboxing and Threat Intelligence Lookup help analysts follow evasive chains, reveal final credential theft pages, and enrich alerts for faster triage.
- Continuous monitoring, up-to-date signatures, and behavioral/interactive analysis are recommended as defenses because static, reputation-based controls are insufficient.
MITRE Techniques
- [T1566] Phishing – Use of email links and QR codes to deliver phishing pages and lead victims to attacker infrastructure (‘A typical phishkit attack starts with an email containing a link (including in the form of a QR code) leading to attackers’ infrastructure.’)
- [T1557] Adversary-in-the-Middle – Use of AiTM kits and reverse proxies that act as a proxy between victim and legitimate services to intercept credentials (‘AiTM (Adversary-in-the-middle kits). These toolsets help unfold phishing attacks where threat actors become a proxy between the victim and a legitimate service.’)
- [T1090] Proxy – Abuse of CDN/reverse-proxy services (Cloudflare, CloudFront, Firebase, Azure Blob) to hide origin servers and complicate blocking/takedowns (‘Cloudflare operates as both a CDN and reverse proxy. The real origin server … gets hidden behind Cloudflare’s IP addresses.’)
Indicators of Compromise
- [Domain] Phishing pages and storage endpoints – *.blob.core.windows.net (Microsoft Azure Blob Storage) and Google Storage/Firebase domains (the article shows an example Google Storage domain hosting Sneaky2FA)
- [ASN / Network] CDN/ASN indicators – cloudflarenet (Cloudflare ASN) observed in queries such as destinationIpAsn:"cloudflarenet", and various Azure/AWS ASNs used to mask origin servers
- [Phishing Kit Names] Known kit identifiers used as indicators – Tycoon2FA, Sneaky2FA, EvilProxy (Cephas is also referenced)
- [TLS/Certificate] TLS fingerprints and certificates cited as unreliable IOCs – JA3S fingerprinting and SSL certificates (mentioned as losing value when TLS terminates at Cloudflare)
- [HTTP Requests] Data exfiltration endpoints and request patterns – POST request transmitting the victim’s encrypted password from an Azure-hosted page to an attacker-controlled server (‘POST request used by attackers to steal the password’)
- [Email/Delivery] Initial lure artifacts – email links and QR codes used to deliver phishing links and redirect victims to cloud-hosted infrastructure
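As an added illustration of the detection argument in the key points and the HTTP-request indicator above (example code written for this summary, not ANY.RUN's tooling or the article's own material), the following Python scores a captured redirect chain on behaviour rather than on ASN or IP reputation: a shared CDN ASN such as cloudflarenet gets zero weight, while multiple redirects, a login page served from cloud storage, and a password POSTed to a host other than the one that served the form are what raise the score. The record fields, host-suffix list, weights and both sample chains are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Request:
    method: str
    url: str
    dest_asn: str            # ASN label as a proxy or sandbox would record it
    status: int
    form_fields: tuple = ()  # names of submitted form fields, if any

# Storage/hosting suffixes of the kind the article describes as abused (assumed list).
CLOUD_HOST_SUFFIXES = (".blob.core.windows.net", ".storage.googleapis.com", ".firebaseapp.com")
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
# Behavioural signals carry the weight; a shared CDN ASN on its own carries none.
WEIGHTS = {"multi_redirect": 1, "cloud_storage_page": 2,
           "cross_host_credential_post": 3, "cdn_asn_only": 0}

def score_chain(chain: list) -> dict:
    signals = {k: False for k in WEIGHTS}
    signals["multi_redirect"] = sum(300 <= r.status < 400 for r in chain) >= 2
    signals["cdn_asn_only"] = all("cloudflare" in r.dest_asn.lower() for r in chain)
    last_page = None  # host that served the most recent 200 page
    for r in chain:
        if r.method == "GET" and r.status == 200:
            last_page = urlparse(r.url).hostname
            signals["cloud_storage_page"] |= last_page.endswith(CLOUD_HOST_SUFFIXES)
        elif r.method == "POST" and PASSWORD_FIELDS & {f.lower() for f in r.form_fields}:
            # Password submitted to a host other than the one that served the form.
            if last_page and urlparse(r.url).hostname != last_page:
                signals["cross_host_credential_post"] = True
    score = sum(WEIGHTS[k] for k, v in signals.items() if v)
    return {"score": score, "signals": signals,
            "verdict": "suspicious" if score >= 4 else "benign"}

# Constructed chain mirroring the described pattern: mail link -> CAPTCHA gate
# behind Cloudflare -> login page on Azure Blob -> password POSTed to a collector.
SAMPLE_CHAIN = [
    Request("GET", "https://track.example-mail.test/c/1", "cloudflarenet", 302),
    Request("GET", "https://gate.example-gate.test/captcha", "cloudflarenet", 200),
    Request("GET", "https://gate.example-gate.test/ok", "cloudflarenet", 302),
    Request("GET", "https://acct.blob.core.windows.net/s/login.html", "microsoft", 200),
    Request("POST", "https://api.example-collector.test/submit", "cloudflarenet", 200,
            ("login", "password")),
]
# Constructed benign chain: a Cloudflare-fronted login posting to its own host.
BENIGN_CHAIN = [
    Request("GET", "https://login.example-corp.test/", "cloudflarenet", 200),
    Request("POST", "https://login.example-corp.test/auth", "cloudflarenet", 200, ("user", "password")),
]
```

Run `score_chain(SAMPLE_CHAIN)` and `score_chain(BENIGN_CHAIN)` to see that the benign chain, although entirely behind the Cloudflare ASN, scores 0, while the phishing-style chain scores 6.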
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/enterprise-phishing-analysis/