A sophisticated Microsoft 365 credential harvesting campaign<\/a> that weaponizes Cloudflare\u2019s own protective features to evade detection and silently steal user login data.<\/p>\n The campaign demonstrates a growing and troubling trend: threat actors turning the very tools designed to defend websites into shields for malicious infrastructure.<\/p>\n Platforms like Cloudflare are widely trusted for their anti-bot protections, content delivery capabilities, and DDoS mitigation. However, these same features, including human verification checks, IP filtering, and user-agent inspection, can inadvertently obstruct security researchers and automated scanning tools from identifying malicious sites in a timely manner. Attackers in this campaign exploited exactly that blind spot.<\/p>\n The campaign uncovered by Domaintools was anchored by the domain securedsnmail[.]com, which served as the initial entry point for victims. Once a user landed on the page, a multi-layered gatekeeping system went to work before any credential theft occurred.<\/p>\n The site\u2019s first line of defense was a Cloudflare human verification (Turnstile) check<\/a>, which immediately filtered out automated crawlers. But the attackers didn\u2019t stop there.<\/p>\n The phishing page also queried the visitor\u2019s IP address via If a visitor\u2019s browser carried a suspicious user-agent string, such as those associated with Googlebot, Bingbot, AhrefsBot, or Twitterbot, the page would dynamically replace itself with a convincing fake \u201c404 Not Found\u201d error, preventing the site from being indexed or flagged by security scanners.<\/p>\n Any visitor who cleared these checks was then funneled through an obfuscated credential harvesting script. The core theft logic was concealed inside a custom virtual machine function ( If the gatekeeping logic detected a security tool mid-session, the VM quietly redirected the destination URL to a legitimate domain, such as Google.com, neutralizing any forensic footprint.<\/p>\n According to the DomainTools report<\/a>, victims who passed all checks were redirected to the actual phishing URL \u2014 formatted as Researchers noted that all phishing sites identified in this campaign shared the same Cloudflare Turnstile sitekey: Because this key is a static identifier tied to a specific Cloudflare dashboard configuration, security teams may be able to pivot on it across platforms like Shodan, Censys,<\/a> and URLScan to proactively discover newly registered phishing infrastructure before it is deployed in active campaigns.<\/p>\n All domains in the campaign were registered through Namecheap, hosted on Cloudflare\u2019s IP infrastructure, and shared nameservers pointing to This campaign underscores the urgent need for service providers like Cloudflare to strengthen their Know Your Customer (KYC) processes and build mechanisms that prevent their defensive features from being weaponized against the broader security community.<\/p>\n As attackers grow more sophisticated in their abuse of legitimate platforms, proactive platform accountability becomes just as critical as endpoint defenses.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Leveraging Cloudflare Anti-Bot Features to Steal Microsoft 365 Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg-zJrP8Z3EQbMHkAbDk15gWATM2dh2TlegNECMV_x81RFE9LhXYfzCIXSe0GnZiylOP6Ovy-MnjLkG5dBQDg69u8RwCcwXOSyUWA9_RESRo2NrqjuWmoX0ACX32X1ANs-G7FGCoRU-O0nxKk7jk9XcKmCclzIWCiOAdyqdvndWwbZZ4Do4h5FCr_c-pqAK\/w640-h522\/cloudspoof.webp?ssl=1\")
<\/figure>\n<\/div>\napi.ipify[.]org<\/code> and cross-referenced it against a hardcoded blocklist that included IP ranges belonging to major security vendors such as Palo Alto Networks and FireEye, as well as cloud infrastructure from AWS and Google.<\/p>\ne_d007dc<\/code>) that interpreted an array of encoded instructions, making static code analysis ineffective.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisyt8vsz5gf3jDCL_UlgnK3tdVHwydk7CgeK1yC0gt40-TGVMszoE1SJybF9MX1FXG8AvOYpoaQQgsHoszkY9skpq1XIkV24zLnrdnyqOOA36gCimmtAMKNYYt8SavXJqVRBlHtNtd1Jw0wIP_FyttrgLJuktjucwb6F4NTDTjjbB4f383u3YAuGWBB1Hd\/s16000\/ed007dc.webp?ssl=1\")
<\/figure>\n<\/div>\nhttps[:]\/\/office.suitetosecured[.]com\/KuPbXodA?b=cGjQKg4&auth={}<\/code> \u2014 which mimicked a Microsoft 365 login page designed to capture credentials in real time.<\/p>\n0x4AAAAAACG6TJhrsuZdpjsN<\/code>.<\/p>\ncloudflare.com<\/code>.<\/p>\nIndicators of Compromise<\/strong><\/h2>\n
\n