Phishers at Work: Turning Serverless Functions into Phishing Proxies
Financial lure leads to multi-stage AiTM phishing via Cloudflare Workers.

What is the attack?
Phishing Lure: A financially-themed phishing email was delivered from a compromised third-party account, containing a link to an online spreadsheet platform.
Cloudflare Workers: The final landing page was served via Cloudflare Workers, a serverless platform that runs JavaScript at the edge of Cloudflare’s network, adding an additional layer of obfuscation to hide the backend phishing infrastructure.
Why did it get through?
Legitimate Hosting: The initial lure was hosted on Rows.com, a trusted online spreadsheet platform — helping the email bypass link reputation filters.
Cloudflare CAPTCHA: The page behind Rows.com was protected by a Cloudflare Turnstile challenge, blocking automated scanners and increasing the appearance of legitimacy.
workers.dev Redirector: The final phishing page was served through a Cloudflare Workers subdomain (*.workers.dev), acting as a reverse proxy to the attacker’s backend infrastructure, effectively hiding the true origin.
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.
Defense-in-depth: This approach complements the Threat Intelligence layer of the cloud email platform (M365), providing defense in depth.
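
As an added example (not part of the original write-up and not Abnormal's detection logic), the following hunt correlates web proxy logs for the chain described above: a visit to the spreadsheet host followed shortly by a request to a *.workers.dev subdomain from the same user. The log format, the 10-minute window, the function names and all sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (assumed format): ISO timestamp, user, URL.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice https://rows.com/shared/invoice-q2
2024-05-01T09:00:40 alice https://login-portal.example-tenant.workers.dev/auth
2024-05-01T09:10:00 bob https://docs.example.workers.dev/api
2024-05-01T10:00:00 carol https://rows.com/shared/budget
2024-05-01T10:30:00 carol https://status.example.workers.dev/
2024-05-01T11:00:00 dave https://notrows.com/x
2024-05-01T11:00:20 dave https://workers.dev.example.net/login
"""

LURE_DOMAINS = {"rows.com"}       # trusted hosting named in the write-up
PROXY_SUFFIX = "workers.dev"      # Cloudflare Workers subdomains
WINDOW = timedelta(minutes=10)    # assumed correlation window


def under(host, domain):
    """True if host is the domain itself or a subdomain (label-aligned match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_chains(log_text):
    """Return (user, lure_url, workers_url) where a workers.dev subdomain is
    requested within WINDOW after the same user opened a lure-host page."""
    last_lure = {}   # user -> (timestamp, url) of most recent lure-host visit
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts_raw, user, url = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        host = urlsplit(url).hostname or ""
        if any(under(host, d) for d in LURE_DOMAINS):
            last_lure[user] = (ts, url)
        elif under(host, PROXY_SUFFIX) and host != PROXY_SUFFIX:
            seen = last_lure.get(user)
            if seen and timedelta(0) <= ts - seen[0] <= WINDOW:
                hits.append((user, seen[1], url))
    return hits
```

A workers.dev request on its own is common and benign, so the correlation with a preceding lure-host visit is what makes a hit worth triaging; tune the window and lure list to local traffic.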