Phishing Campaigns Targeting Microsoft Login Credentials Jump an Unprecedented 6100%

Stu Sjouwerman | Aug 23, 2023

Monitoring of traffic to phishing pages hosted on the free hosting service Cloudflare R2 shows an unheard-of spike of 6100%, with many of them going undetected by many security solutions due to the evasive techniques used.

I can’t remember a time when I’ve covered a story and the reported increases were as large as the recent spike in malicious network traffic observed by Netskope. According to their analysis, Microsoft login credentials were the primary target, but Adobe, Dropbox and other cloud apps were also targets of this ambitious phishing campaign.

A few things make this set of attacks interesting. First, there’s the 61x spike in traffic; this means there are a ton of campaigns executing against “everyone, everywhere, all at once.” Secondly, there are the evasion techniques used – and there are a few noteworthy ones:

  • Use of CAPTCHA to keep security solutions from parsing the malicious impersonated login pages
  • Only loading the pages' malicious content if the session was passed by another malicious content site
  • Bot detection to obfuscate the true malicious intent of each site should a bot crawl the site

Netskope didn’t provide estimates on how many phishing attacks this spike in traffic represents, but a jump of this magnitude mandates being aware of how threat actors are leveraging free cloud services to their advantage.

And because the phishing attacks still offer telltale signs that they are bogus (the use of the Cloudflare URL structure https://pub-<32_alphanumeric_string>.r2.dev/webpage.htm, for example), users who have enrolled in Security Awareness Training are likely to spot these “login” pages for the dastardly logon capturing tools they actually are – before typing in their credentials.
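The same URL structure can be checked by a machine as well as by a user. The following is an added example, not code from Netskope or KnowBe4: it flags requests whose host matches the pub-<32_alphanumeric_string>.r2.dev shape while rejecting look-alike hosts. The log layout, user names and bucket labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Host shape quoted in the article: pub-<32_alphanumeric_string>.r2.dev
R2_PUBLIC_HOST = re.compile(r"pub-([0-9a-z]{32})\.r2\.dev")
HAS_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed proxy log lines; the "<timestamp> <user> <url>" layout is assumed.
SAMPLE_LOG = [
    "2023-08-23T09:00:01Z alice https://pub-0123456789abcdef0123456789abcdef.r2.dev/webpage.htm",
    "2023-08-23T09:00:05Z bob https://PUB-0123456789ABCDEF0123456789ABCDEF.R2.DEV./webpage.htm",
    "2023-08-23T09:01:10Z carol https://pub-0123456789abcdef0123456789abcdef.r2.dev.example.test/x",
    "2023-08-23T09:02:00Z dave https://pub-0123456789abcdef0123456789abcdef.r2.dev@example.test/x",
    "2023-08-23T09:03:00Z erin https://pub-shortlabel.r2.dev/webpage.htm",
    "2023-08-23T09:04:00Z frank https://login.example.test/",
]

def r2_bucket_id(url):
    """Return the 32-character bucket label if the URL's host is an R2 public bucket."""
    url = url.strip()
    if not HAS_SCHEME.match(url):
        url = "//" + url  # let urlsplit find the host in scheme-less URLs
    try:
        host = urlsplit(url).hostname  # lowercased, without userinfo or port
    except ValueError:
        return None
    match = R2_PUBLIC_HOST.fullmatch((host or "").rstrip("."))
    return match.group(1) if match else None

def flag_requests(log_lines):
    """Return (user, url, bucket_id) for every request to an R2 public-bucket host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed layout
        bucket = r2_bucket_id(fields[2])
        if bucket:
            hits.append((fields[1], fields[2], bucket))
    return hits

def users_per_bucket(hits):
    """Map bucket_id -> sorted users, so one bucket reached by many users stands out."""
    seen = {}
    for user, _, bucket in hits:
        seen.setdefault(bucket, set()).add(user)
    return {bucket: sorted(users) for bucket, users in seen.items()}

if __name__ == "__main__":
    print(users_per_bucket(flag_requests(SAMPLE_LOG)))
```

Legitimate content is also served from r2.dev public buckets, so a match is a triage signal to review alongside other indicators, not a verdict.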
