A Netskope Threat Labs report tracks a 61-fold rise (Feb–Jul 2023) in traffic to Cloudflare R2-hosted phishing pages targeting Microsoft credentials, with some pages aimed at other cloud apps such as Adobe and Dropbox. The attackers evade detection by placing the pages behind Cloudflare Turnstile, so that automated scanners are stopped at the CAPTCHA, and by serving the malicious content only when the visitor arrives from a specific referring site; they also use bot detection and URL-based conditions to keep scanners from reaching the phishing page. #CloudflareR2 #Turnstile
Keypoints
- 61-fold increase in phishing-page traffic hosted on Cloudflare R2 observed Feb–Jul 2023, primarily targeting Microsoft credentials.
- Phishing pages are hosted on Cloudflare R2, leveraging free subdomains and unique bucket URLs for distribution.
- Turnstile CAPTCHA is manipulated to appear legitimate and to hide the phishing page from automated scanners.
- Phishing content often loads only when triggered by a malicious referring site or URL parameter, complicating detection and blocking.
- Fingerprint BotD is used to detect bots; when detected, the site returns custom errors to deter automated access.
- IOCs include numerous pub-*.r2.dev URLs; recommendations emphasize URL inspection and RBI for higher-risk sites.
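As an added example (not code from the Netskope report), the following Python URL-inspection check applies the keypoints above to constructed proxy-log lines: it flags pub-*.r2.dev hosts, a pu= parameter that chains to a second r2.dev page, and HTML filenames that mimic cloud-app logins. The log line format ("<client> <url>") and the bucket ids are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Public R2 dev URLs take the form pub-<32 hex chars>.r2.dev
R2_HOST = re.compile(r"^pub-[0-9a-f]{32}\.r2\.dev$", re.IGNORECASE)
# Words seen in lure page names (office.html, Dropbox-Business.html, ...)
LURE_WORDS = ("office", "microsoft", "login", "dropbox", "adobe", "sharepoint")

# Constructed sample proxy log lines ("<client> <url>"); bucket ids are made up.
SAMPLE_LOGS = [
    "10.0.0.5 https://pub-0123456789abcdef0123456789abcdef.r2.dev/index.html"
    "?pu=https://pub-fedcba9876543210fedcba9876543210.r2.dev/index.html",
    "10.0.0.6 https://pub-00112233445566778899aabbccddeeff.r2.dev/office.html",
    "10.0.0.7 https://pub-ffeeddccbbaa99887766554433221100.r2.dev/report.pdf",
    "10.0.0.8 https://login.microsoftonline.com/common/oauth2/authorize",
]


def is_r2_public(url):
    """True when the URL host is a public Cloudflare R2 dev bucket."""
    host = urlparse(url).hostname or ""
    return bool(R2_HOST.match(host))


def assess(url):
    """Return the reasons a URL matches the R2 phishing pattern (empty list = no match)."""
    reasons = []
    if not is_r2_public(url):
        return reasons
    parsed = urlparse(url)
    reasons.append("r2.dev public bucket")
    # Referral-gated loader: the 'pu' parameter names a second r2.dev page.
    for target in parse_qs(parsed.query).get("pu", []):
        if is_r2_public(target):
            reasons.append("pu= chains to another r2.dev page")
    name = parsed.path.rsplit("/", 1)[-1].lower()
    if name.endswith(".html") and any(w in name for w in LURE_WORDS):
        reasons.append("html filename mimics a cloud app login")
    return reasons


def scan(lines):
    """Map each matching URL to a severity and its reasons; plain R2 hits stay 'low'."""
    findings = {}
    for line in lines:
        _client, url = line.split(" ", 1)
        reasons = assess(url)
        if reasons:
            severity = "high" if len(reasons) > 1 else "low"
            findings[url] = {"severity": severity, "reasons": reasons}
    return findings
```

Hits rated "high" are candidates for blocking or remote browser isolation; "low" hits are ordinary R2 traffic worth logging but not blocking outright.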
MITRE Techniques
- [T1566] Phishing – The phishing campaigns target Microsoft credentials via hosted pages on Cloudflare R2. “The majority of the phishing campaigns target Microsoft login credentials.” and “These phishing campaigns abuse the free hosting service Cloudflare R2 to distribute static phishing pages.”
- [T1556.001] Credentials in Web Form – Malicious pages collect Microsoft login credentials through fake login forms. “The majority of the phishing campaigns target Microsoft login credentials”
- [T1036] Masquerading – Attackers render and modify the Turnstile CAPTCHA page to appear legitimate, e.g., “modify the CAPTCHA page to appear as if it were actually requested by the service users were about to log on to.”
- [T1562.001] Impair Defenses – Turnstile is used to hide the phishing page from security scanners; “to hide the actual phishing page from security scanners.”
- [T1583] Acquire Infrastructure – Cloudflare R2 is used as hosting for malicious content; “Cloudflare R2 is a fairly new cloud storage service … abused by attackers to host malicious content.”
- [T1059.008] Botnet Evasion (Defense Evasion) – Fingerprint BotD is used to detect bots and return error messages when a bot is detected. “The phishing site also uses the free and open-source bot detection library Fingerprint BotD to identify phishing pages crawled by bot.”
Indicators of Compromise
- [URL] context – hxxps://pub-de2f439c6744426586c7612824c1bac2.r2[.]dev/index.html?pu=hxxps://pub-7e0ea6c6ac8c439a840ed31912409dc9.r2[.]dev/index.html
- [URL] context – hxxp://pub-1f6ee74386dc4dc98c226f8a56f8e8c1.r2[.]dev/office.html
- [URL] context – hxxp://pub-e4b5beda27a847fc9ff07bdb23b36563.r2[.]dev/Dropbox-Business.html