Multi-Stage Cloudflare Workers Phishing Uses Compromised Account and Legitimate Platforms
Attack Overview
Step 1: Compromised Third-Party Account Sends Financial Email
The attacker uses a compromised third-party account to send a financially-themed phishing email to targets.

- Email originates from a known third-party contact, appearing legitimate to recipients.
- Message contains financial-related content designed to entice collaboration on a document.
- Email includes a referral name and email address to add perceived legitimacy.
Step 2: Legitimate Platform Hosts Initial Redirect
The email contains a link directing targets to a trusted online spreadsheet platform that serves as the first stage of redirection.

- Link points to Rows[.]com, a legitimate online spreadsheet platform with a clean reputation.
- Hosting the first stage on a trusted domain helps the email pass link reputation filters.
- The page displays a collaboration invitation message with an additional document link.
Step 3: Multi-Layer Infrastructure Conceals Final Phishing Site
The attack uses Cloudflare infrastructure to add layers of obfuscation before delivering the final credential phishing page.

- Cloudflare Turnstile protects the intermediate page, blocking automated scanners and enhancing legitimacy.
- Final phishing page is served through a Cloudflare Workers subdomain (*.workers[.]dev).
- The Workers subdomain acts as a reverse proxy, hiding the attacker's backend phishing infrastructure.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Initial link points to Rows[.]com, a trusted online spreadsheet platform that passes link reputation filters.
- Cloudflare Turnstile blocks automated security scanners while increasing perceived legitimacy.
- Cloudflare Workers subdomain serves as a reverse proxy, effectively hiding the true origin of the phishing infrastructure.
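The three stages above (trusted first hop, Turnstile-gated intermediate page, final page on a *.workers.dev host) can be turned into link-analysis logic that scores a redirect chain after the fact. The script below is an added example written for this page; it is not Abnormal Security's detection code, and the hop records it walks are constructed sample data rather than captured traffic. The hostnames `invite-review.example` and `docs-share.example-sub.workers.dev` are placeholders, and the indicator weights are assumptions to be tuned against your own telemetry.

```python
"""Offline triage of a multi-hop phishing redirect chain.

Scores a chain of already-fetched hops for the staged pattern described
above: a link on a trusted collaboration platform, a Cloudflare Turnstile
challenge on an intermediate page, and a final credential page served from
a *.workers.dev host. All hop data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Platforms with a clean reputation that are abused for first-stage hosting.
# Constructed list for this example; extend it from your own telemetry.
TRUSTED_STAGING_PLATFORMS = {"rows.com"}

# Hosting suffixes behind which a reverse proxy can hide the true origin.
PROXY_HOSTING_SUFFIXES = (".workers.dev",)

# HTML markers that a Cloudflare Turnstile widget is embedded on a page.
TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")

# Assumed threshold: chains scoring at or above this are treated as suspicious.
SUSPICIOUS_THRESHOLD = 6


def refang(url: str) -> str:
    """Turn a defanged URL such as hxxps://rows[.]com into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".")


@dataclass
class Hop:
    """One fetched page in the chain: its URL, HTTP status and HTML body."""
    url: str
    status: int
    body: str = ""


@dataclass
class Verdict:
    indicators: list[str] = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _registered_host(host: str) -> str:
    """Crude registrable-domain approximation (last two labels)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_chain(chain: list[Hop]) -> Verdict:
    """Score a redirect chain against the staged-phishing indicators."""
    verdict = Verdict()
    if not chain:
        return verdict
    hosts = [urlparse(refang(h.url)).hostname or "" for h in chain]

    # Stage 1: the first hop sits on a trusted platform (weak on its own).
    if _registered_host(hosts[0]) in TRUSTED_STAGING_PLATFORMS:
        verdict.indicators.append("first_hop_trusted_platform")
        verdict.score += 2

    # Stage 2: a Turnstile challenge gates an intermediate page.
    for hop in chain[:-1]:
        if any(marker in hop.body for marker in TURNSTILE_MARKERS):
            verdict.indicators.append("turnstile_gate_before_final")
            verdict.score += 3
            break

    # Stage 3: the final page is served from reverse-proxy hosting.
    if hosts[-1].lower().endswith(PROXY_HOSTING_SUFFIXES):
        verdict.indicators.append("final_host_workers_dev")
        verdict.score += 3

    # The chain crosses several unrelated domains before landing.
    distinct = len({_registered_host(h) for h in hosts})
    if distinct >= 3:
        verdict.indicators.append(f"cross_host_hops={distinct}")
        verdict.score += 1

    # The landing page asks for a password.
    final_body = chain[-1].body.lower()
    if 'type="password"' in final_body or "type='password'" in final_body:
        verdict.indicators.append("credential_form_on_final_page")
        verdict.score += 2
    return verdict


# Constructed sample chain mirroring the three stages described on this page.
SAMPLE_CHAIN = [
    Hop("hxxps://rows[.]com/shared/quarterly-invoice", 200,
        "<p>You have been invited to collaborate. <a href='#'>Open document</a></p>"),
    Hop("https://invite-review.example/verify", 200,
        '<div class="cf-turnstile" data-sitekey="PLACEHOLDER"></div>'),
    Hop("https://docs-share.example-sub.workers.dev/login", 200,
        '<form><input name="user"><input type="password" name="pw"></form>'),
]

if __name__ == "__main__":
    result = analyze_chain(SAMPLE_CHAIN)
    print(result.score, result.suspicious, result.indicators)
```

The first-hop indicator alone scores below the threshold by design: a link to a legitimate spreadsheet platform is normal business traffic, and it is the combination with a challenge page and a reverse-proxied landing page that makes the chain stand out.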
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Behavioral AI flagging never-before-seen senders and unusual email content patterns as anomalies.
- Analysis of message patterns, redirect behavior, and content tone to identify credential phishing attempts.
- Detection capabilities designed to work in a defense-in-depth approach alongside Microsoft 365's Threat Intelligence layer.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.