Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
- Mar 13
Key Findings
* Attackers are exploiting Cloudflare's human verification system to hide phishing pages
* Custom virtual machine function used to obfuscate malicious code
* Targets Microsoft 365 login credentials
* Employs sophisticated evasion techniques against security scanners
* Uses location-based filtering to block security researchers
Background
Cybercriminals have developed a method of hiding phishing websites behind Cloudflare's Turnstile human-verification system. Gating the page this way makes malicious sites targeting Microsoft 365 users more resilient and harder for scanners to detect. The technique marks a notable evolution in phishing infrastructure design: a security mechanism is turned into a protective shield for malicious activity.
Technical Mechanics
The attack uses a multi-layered approach to avoid detection:
* Implements a Cloudflare Turnstile verification checkpoint
* Checks visitor location using api.ipify.org
* Maintains a blocklist of known security researchers and organizations
* Automatically redirects suspected security scanners to a blank page or legitimate website
* Uses a custom virtual machine function (e_d007dc) to scramble malicious code
Infrastructure Characteristics
* Primarily uses Namecheap for domain registration
* Utilizes mail servers like jellyfish.systems
* Identified static 'sitekey' (0x4AAAAAACG6TJhrsuZdpjsN) across multiple domains
* Targets Microsoft 365 login credentials
Evasion Techniques
The phishing infrastructure includes sophisticated evasion mechanisms:
* Blocks access from known security IP ranges
* Dynamically changes page content based on visitor characteristics
* Uses obfuscated code to bypass standard antivirus detection
* Implements location-based filtering
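As an added example (not code from the article or its sources), the following Python triage helper checks a fetched page for the indicators listed above: the Turnstile gate, the static sitekey, the api.ipify.org lookup, the e_d007dc identifier and a Microsoft 365 lure hosted off Microsoft domains. The sample HTML, the scoring weights and the lookalike-domain heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above.
KNOWN_SITEKEY = "0x4AAAAAACG6TJhrsuZdpjsN"
VM_FUNCTION = "e_d007dc"
# Turnstile loader URL and sitekey attribute as documented by Cloudflare.
TURNSTILE_SCRIPT = re.compile(r"challenges\.cloudflare\.com/turnstile", re.I)
SITEKEY_ATTR = re.compile(r'data-sitekey\s*=\s*["\']([^"\']+)["\']', re.I)
IPIFY = re.compile(r"api\.ipify\.org", re.I)
M365_LURE = re.compile(r"microsoft|office ?365|outlook", re.I)
# Legitimate sign-in hosts (assumed list for the lookalike heuristic).
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
# Weights are this example's assumption, not a published scoring model.
WEIGHTS = {"known_phishing_sitekey": 50, "custom_vm_obfuscator": 30,
           "m365_lure_on_third_party_host": 25, "ipify_geofence_lookup": 15,
           "turnstile_gate": 5}

def analyze_page(url: str, html: str) -> dict:
    """Collect the write-up's indicators from a fetched page and score them."""
    host = (urlparse(url).hostname or "").lower()
    hits = []
    has_turnstile = bool(TURNSTILE_SCRIPT.search(html))
    if has_turnstile:
        hits.append("turnstile_gate")
    if KNOWN_SITEKEY in SITEKEY_ATTR.findall(html):
        hits.append("known_phishing_sitekey")
    if IPIFY.search(html):
        hits.append("ipify_geofence_lookup")
    if VM_FUNCTION in html:
        hits.append("custom_vm_obfuscator")
    on_microsoft = any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)
    if has_turnstile and M365_LURE.search(html) and not on_microsoft:
        hits.append("m365_lure_on_third_party_host")
    score = min(100, sum(WEIGHTS[h] for h in hits))
    return {"host": host, "indicators": hits, "score": score}

# Constructed sample pages, not captures from the campaign.
PHISH_HTML = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script>fetch("https://api.ipify.org?format=json").then(r=>r.json()).then(j=>e_d007dc(j.ip));</script>
</head><body><h1>Sign in to your Microsoft account</h1>
<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div></body></html>"""
BENIGN_HTML = """<html><head><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body><div class="cf-turnstile" data-sitekey="1x00000000000000000000AA"></div>Contact us</body></html>"""

if __name__ == "__main__":
    print(analyze_page("https://m365-login.example.net/", PHISH_HTML))
    print(analyze_page("https://shop.example.org/contact", BENIGN_HTML))
```

A real crawler would have to fetch the page from an IP outside the blocklisted ranges, since the campaign serves scanners a blank or legitimate page instead.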
Mitigation Recommendations
* Verify website URLs carefully before entering credentials
* Use multi-factor authentication
* Be suspicious of sites requiring immediate human verification
* Keep security software updated
* Train users to recognize sophisticated phishing attempts
Potential Impact
* High risk of credential theft
* Potential for widespread Microsoft 365 account compromises
* Advanced social engineering technique
* Demonstrates evolving threat actor capabilities
Sources
https://hackread.com/hackers-cloudflare-human-check-microsoft-365-phishing/
https://www.socdefenders.ai/item/457c5f28-a390-426c-9d0d-2cd77841da55
https://x.com/HackRead/status/2032143425252757920
https://www.youtube.com/watch?v=AEEdruckH2c
https://www.reddit.com/r/InfoSecNews/comments/1rrwqp1/hackers_use_cloudflare_human_check_to_hide/