Phishers at Work: Turning Serverless Functions into Phishing Proxies

Financial lure leads to multi-stage AiTM phishing via Cloudflare Workers.


What is the attack?

  • Phishing Lure: A financially-themed phishing email was delivered from a compromised third-party account, containing a link to an online spreadsheet platform.

  • Cloudflare Workers: The final landing page was served via Cloudflare Workers, a serverless platform that runs JavaScript at the edge of Cloudflare’s network, adding a further layer of obfuscation that hides the backend phishing infrastructure.

Why did it get through?

  • Legitimate Hosting: The initial lure was hosted on Rows.com, a trusted online spreadsheet platform, which helped the email bypass link-reputation filters.

  • Cloudflare CAPTCHA: The page behind Rows.com was protected by a Cloudflare Turnstile challenge, blocking automated scanners and increasing the appearance of legitimacy.

  • workers.dev Redirector: The final phishing page was served through a Cloudflare Workers subdomain (*.workers.dev), acting as a reverse proxy to the attacker’s backend infrastructure, effectively hiding the true origin.
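The three hops above (trusted lure host, CAPTCHA gate, *.workers.dev proxy) form a recognisable redirect-chain shape. The following added example (not code from the original post or from Abnormal) classifies an observed chain by that shape; rows.com and workers.dev come from the post, while the other hostnames and path labels are constructed placeholders.

```python
from urllib.parse import urlparse

# Legitimate platforms attackers borrow for the first hop (lure hosting).
TRUSTED_LURE_HOSTS = ("rows.com",)
# Serverless edge suffixes on which a worker can act as a reverse proxy.
SERVERLESS_PROXY_SUFFIXES = (".workers.dev",)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_chain(chain: list[str]) -> dict:
    """Return the signals found in an observed redirect chain.
    chain[0] is the URL in the email, chain[-1] the final landing page.
    """
    hosts = [host_of(u) for u in chain]
    signals = []
    if hosts and any(under(hosts[0], d) for d in TRUSTED_LURE_HOSTS):
        signals.append("lure_on_trusted_platform")
    final = hosts[-1] if hosts else ""
    # Only a real subdomain counts: the bare suffix is not a worker.
    on_worker = any(final.endswith(s) for s in SERVERLESS_PROXY_SUFFIXES)
    if on_worker:
        signals.append("final_page_on_serverless_proxy")
    # Each change of hostname between hops is a redirector boundary.
    hops = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if hops >= 2:
        signals.append("multi_stage_redirect")
    verdict = "likely_aitm_proxy" if on_worker and hops >= 1 else "no_match"
    return {"hosts": hosts, "signals": signals, "verdict": verdict,
            "worker_host": final if on_worker else None}


# Constructed sample chain; labels in capitals are placeholders, not IoCs.
SAMPLE_CHAIN = [
    "https://rows.com/EXAMPLE-LURE-SHEET",
    "https://turnstile-gate.example/verify",
    "https://EXAMPLE-WORKER.workers.dev/login",
]

if __name__ == "__main__":
    print(classify_chain(SAMPLE_CHAIN))
```

The chain itself would come from a URL-following sandbox; a Turnstile challenge blocks automated followers, so in practice the first and last hops are often all that is captured, which is why the verdict only requires one hostname change before the worker.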

What is required to solve for this attack?

  • Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and unusual URLs as anomalies, enabling the detection of novel attacks.

  • Defense-in-depth: Behavioral analysis complements the threat-intelligence layer of the cloud email platform (Microsoft 365), providing defense in depth.