Cyberveille curated by Decio
28 results tagged CloudFlare
68% Of Phishing Websites Are Protected by CloudFlare https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudflare/
03/12/2025 20:00:00

sicuranext.com
Claudio Bono
01 Dec 2025

Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. The goal was simple: get better visibility into what attackers are actually doing, not what they were doing six months ago.

Last quarter's numbers hit harder than we expected: 42,000+ validated URLs and domains, all actively serving phishing kits, command-and-control infrastructure, or payload delivery.

This isn't your grandfather's phishing problem. We're not talking about misspelled PayPal domains and broken English. What we're seeing is organized, efficient, and frankly, impressive in all the wrong ways. This research breaks down the infrastructure, TTPs, and operational patterns behind modern phishing—and what it means for anyone trying to defend against it.

Finding #1: All Roads Lead to Cloudflare
Here's the headline: 68% of all phishing infrastructure we tracked lives on Cloudflare.

| Provider | Domains | % of Total |
|---|---|---|
| Cloudflare | 17,202 | 68.0% |
| GCP | 3,414 | 13.5% |
| AWS | 2,185 | 8.6% |
| Azure | 1,355 | 5.4% |

This isn't random. Cloudflare's free tier is a gift to threat actors—zero upfront cost, world-class DDoS protection (yes, really), and proxy services that completely mask origin servers. Good luck tracking down the actual host when everything's bouncing through Cloudflare's edge network.

We're seeing thousands of malicious domains clustered on AS13335 alone. That's Cloudflare's primary ASN, and it's become the de facto home base for phishing operations worldwide.

The CDN Divide: Two Strategies, One Ecosystem
When we looked at the 12,635 unique IPs hosting these IOCs, a clear pattern emerged. The threat landscape has forked:

  • 51.54% direct hosting – Think disposable infrastructure. Spin it up fast, burn it down faster. Perfect for smishing blasts and hit-and-run campaigns.
  • 48.46% CDN/proxy-protected – The long game. These setups are built to survive, leveraging CDNs (92% Cloudflare, naturally) for origin obfuscation and anti-takedown resilience.

Here's the problem: your IP-based blocking protection? It works on roughly half the threat landscape. The other half just laughs at you from behind Cloudflare's proxy. You need URL filtering, domain heuristics, and TLS fingerprinting now. IP blocks alone are a coin flip.

And before anyone says "these domains must be unstable", we saw a 96.16% mean DNS resolution rate. These operators run infrastructure like a Fortune 500 company. High availability, minimal downtime, proper DevOps hygiene. It's professional-grade crime.

Finding #2: Abusing Trust at Scale
Forget .xyz and .tk domains. Attackers have moved upmarket.

| TLD | Count | Why They Use It |
|---|---|---|
| .com | 11,324 | Universal legitimacy |
| .dev | 7,389 | Targets developers |
| .app | 2,992 | Mobile/SaaS impersonation |
| .io | 2,425 | Tech sector credibility |
| .cc | 1,745 | Cheap, minimal oversight |

The surge in .dev and .app domains tells you everything. Attackers aren't just going after your CFO anymore: they're targeting developers. Fake GitHub OAuth flows, spoofed Vercel deployment pages, bogus npm package sites. They're hunting credentials from the people who actually understand security, betting (correctly) that a something.dev domain gets less scrutiny than something-phishing.tk.

Free Hosting: The Perfect Cover
Now pair this with free hosting platforms, and you get a disaster: 72% of domains in our dataset used obfuscation via legitimate services.

  • Vercel: 1,942 domains
  • GitHub Pages: 1,540 domains
  • GoDaddy Sites: 734 domains
  • Webflow: 669 domains

Try explaining to your CISO why you need to block github.io or vercel.app. You can't. Your developers need those. Your business uses those. Attackers know this, and they're weaponizing it. Domain reputation systems collapse when every phishing page sits under a trusted parent domain.

Finding #3: PhaaS and the Industrialization of Crime
We need to stop calling these "phishing kits." That undersells what we're dealing with.

What we're seeing is Phishing-as-a-Service (PhaaS): full-stack criminal SaaS platforms. Services like Caffeine - now offline - and W3LL offer subscription-based access to complete attack infrastructure: hosting, templates, exfiltration pipelines, even customer support. They've turned phishing into a commodity anyone can buy.

The real nightmare feature? MFA bypass. Kits like EvilProxy and Tycoon 2FA don't bother stealing passwords anymore. They operate as adversary-in-the-middle (AitM) proxies, sitting between the victim and the legitimate service. User authenticates, kit intercepts, passes creds through to the real site, then steals the resulting session cookie. No password needed. No MFA challenge. Just instant account access.

These platforms also ship with serious evasion tech:

  • Geofencing to block security researchers by IP range
  • User-agent-based cloaking that targets devices by browser user agent: often the final landing page is only visible in mobile device browsers
  • DevTools detection (open F12, page immediately stops working)
  • Cloudflare CAPTCHA to filter out automated scanners

Over the past four months, we clustered 20 distinct phishing clusters based on shared infrastructure fingerprints: same rotated IPs, same registrars, identical evasion patterns and obfuscation methods. This isn't a bunch of script kiddies copying code. It's coordinated, engineered operations with centralized data management and exfiltration workflows.

Almost 60% of the observed IOCs are deemed to be linked with PhaaS; this means a global tendency to separate those who produce and manage actual infrastructure from those (often non-technical users) who use it (for a fee), hoping to make a significant profit by reselling stolen data.

Finding #4: Meta in the Crosshairs
If there's one target dominating the landscape, it's Meta. 10,267 mentions: 42% of all brand impersonation we tracked.

| Brand | Mentions | Attack Type |
|---|---|---|
| Meta | 10,267 | Facebook/Instagram/WhatsApp creds |
| Amazon | 2,617 | Payment data, account takeover |
| Netflix | 2,450 | Subscription scams |
| PayPal | 1,993 | Financial fraud, redirects |
| Stripe | 1,571 | Merchant account compromise |

Why Meta? Three billion users. Multiple attack surfaces. Credential reuse across platforms. It's target-rich and full of high-value accounts. The focus on Stripe and PayPal shows attackers aren't just after creds anymore: they're after money. Direct financial fraud, merchant compromise, payment interception.

What This Means for Defense
The era of "just block the domain" is over. We're up against industrialized, adaptive, professionally-run adversaries. Deterministic detection is dead. You can't regex your way out of this anymore; defenses need to evolve:

  • CDN-aware detection – IP blocking is 50% effective at best
  • Behavioral analysis – Focus on session anomalies, not just domains
  • TLS fingerprinting – Track certificate patterns and issuance velocity
  • Hunt for PhaaS indicators – Cluster campaigns by shared infrastructure
  • User education that doesn't suck – Stop educating people by talking about domain typosquatting or http vs https concepts: teach people what a real scenario looks like in practice.

This isn't FUD. This is what 42,000 live phishing sites look like when you actually go hunting for them. The threat is real, it's organized, and it's not slowing down.

What Comes Next: Diving Deep into the Criminal Engine
In our next in-depth analysis, we will reveal the real infrastructure that powers this industrialization. We will guide you step by step through a modern and complex PhaaS platform, demonstrating exactly how the TTPs described in this article function in a real operational environment.

sicuranext.com EN 2025 CloudFlare Phishing
Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/
17/09/2025 15:28:24

bleepingcomputer.com
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.

In early September 2025, in coordination with Cloudflare's Cloudforce One and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.

The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.

For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.

The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.

"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," said Steven Masada, Assistant General Counsel for Microsoft's Digital Crimes Unit.

"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."

RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.

During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.

Cloudflare also believes that RaccoonO365 collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.

"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.

"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."

In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.

bleepingcomputer.com EN 2025 Cloudflare Credential-Theft Microsoft Microsoft-365 PhaaS Phishing Phishing-as-a-Service RaccoonO365
Cloudflare hit by data breach in Salesloft Drift supply chain attack https://www.bleepingcomputer.com/news/security/cloudflare-hit-by-data-breach-in-salesloft-drift-supply-chain-attack/
02/09/2025 22:03:25

bleepingcomputer.com
By Sergiu Gatlan
September 2, 2025

Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.
The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens.

Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens.

"Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said.

"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel."

The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9.

These exfiltrated case objects contained only text-based data, including:

  • The subject line of the Salesforce case
  • The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare)
  • Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country)

"We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added.

"Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."

Wave of Salesforce data breaches
Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims.

Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them.

Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments.

The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services.

The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.

bleepingcomputer.com EN 2025 Breach Cloudflare Data-Breach Salesforce Salesloft Salesloft-Drift Supply-Chain-Attack
Record DDoS pummels site with once-unimaginable 7.3Tbps of junk traffic https://arstechnica.com/security/2025/06/record-ddos-pummels-site-with-once-unimaginable-7-3tbps-of-junk-traffic/
20/06/2025 21:51:41

Attacker rained down the equivalent of 9,300 full-length HD movies in just 45 seconds.

Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare.

The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Indiscriminate target bombing
Cloudflare said the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.

The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.

arstechnica EN 2025 record DDoS Cloudflare
SVGs: the hacker’s canvas https://www.cloudflare.com/threat-intelligence/research/report/svgs-the-hackers-canvas/
26/05/2025 11:01:32

Over the past year, Phishguard observed an increase in phishing campaigns leveraging Scalable Vector Graphics (SVG) files as initial delivery vectors, with attackers favoring this format due to its flexibility and the challenges it presents for static detection.

SVGs are an XML-based format designed for rendering two-dimensional vector graphics. Unlike raster formats like JPEGs or PNGs, which rely on pixel data, SVGs define graphics using vector paths and mathematical equations, making them infinitely scalable without loss of quality. Their markup-based structure also means they can be easily searched, indexed, and compressed, making them a popular choice in modern web applications.

However, the same features that make SVGs attractive to developers also make them a highly flexible - and dangerous - attack vector when abused. Since SVGs are essentially code, they can embed JavaScript and interact with the Document Object Model (DOM). When rendered in a browser, they aren’t just images - they become active content, capable of executing scripts and other manipulative behavior. In other words, SVGs are more than just static images; they are also programmable documents.

The security risk is underestimated, with SVGs frequently misclassified as innocuous image files, similar to PNGs or JPEGs - a misconception that downplays the fact that they can contain scripts and active content. Many security solutions and email filters fail to deeply inspect SVG content beyond basic MIME-type checks (a tool that identifies the type of a file based on its contents), allowing malicious SVG attachments to bypass detection.

We’ve seen a rise in the use of crafted SVG files in phishing campaigns. These attacks typically fall into three categories:

  • Redirectors - SVGs that embed JavaScript to automatically redirect users to credential harvesting sites when viewed
  • Self-contained phishing pages - SVGs that contain full phishing pages encoded in Base64, rendering fake login portals entirely client-side
  • DOM injection & script abuse - SVGs embedded into trusted apps or portals that exploit poor sanitisation and weak Content Security Policies (CSPs), enabling them to run malicious code, hijack inputs, or exfiltrate sensitive data

Given the capabilities highlighted above, attackers can now use SVGs to:

  • Gain unauthorized access to accounts
  • Create hidden mail rules
  • Phish internal contacts
  • Steal sensitive data
  • Initiate fraudulent transactions
  • Maintain long-term access

Our telemetry shows that manufacturing and industrial sectors are taking the brunt of these SVG-based phishing attempts, contributing to over half of all targeting observed. Financial services follow closely behind, likely due to SVG’s ability to easily facilitate the theft of banking credentials and other sensitive data. The pattern is clear: attackers are concentrating on business sectors that handle high volumes of documents or frequently interact with third parties.

cloudflare EN 2025 SVG SVG-based phishing XML-based
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/
21/05/2025 08:31:22

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been…
For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.

Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.

After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.

“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”

krebsonsecurity EN 2025 Hit DDoS Mirai Cloudflare Aisuru botnet
Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q4 https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
21/01/2025 16:41:46

2024 ended with a bang. Cloudflare mitigated another record-breaking DDoS attack peaking at 5.6 Tbps. Overall, Cloudflare mitigated 21.3 million DDoS attacks in 2024, representing a 53% increase compared to 2023.

cloudflare EN 2025 DDoS mitigated record-breaking
Cloudflare’s developer domains increasingly abused by threat actors https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
05/12/2024 17:10:58

Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities.

bleepingcomputer EN 2024 Abuse Cloudflare Cloudflare-Pages Cloudflare-Workers Cybercrime Phishing
Record-Breaking DDoS Attack Peaked at 3.8 Tbps, 2.14 Billion Pps https://www.securityweek.com/record-breaking-ddos-attack-peaked-at-3-8-tbps-2-14-billion-pps/
03/10/2024 08:10:33

Web performance and security firm Cloudflare recently mitigated another record-breaking DDoS attack.
According to Matthew Prince, the company’s CEO, the attack peaked at 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Pps). The attack was aimed at an unidentified customer of an unnamed hosting provider that uses Cloudflare services.

securityweek EN 2024 DDoS Record-Breaking Attack Cloudflare
Making progress on routing security: the new White House roadmap https://blog.cloudflare.com/white-house-routing-security/
04/09/2024 07:31:47

On September 3, 2024, the White House published a report on Internet routing security. We’ll talk about what that means and how you can help.
The Internet can feel like magic. When you load a webpage in your browser, many simultaneous requests for data fly back and forth to remote servers. Then, often in less than one second, a website appears. Many people know that DNS is used to look up a hostname, and resolve it to an IP address, but fewer understand how data flows from your home network to the network that controls the IP address of the web server.

cloudflare EN 2024 US BGP routing security roadmap BGPhijack
Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html
03/08/2024 21:07:17

Cloudflare's TryCloudflare is being exploited by cybercriminals for malware delivery via phishing emails, reports say.

thehackernews EN 2024 Cloudflare Tunnels TryCloudflare
Polyfill, Cloudflare trade barbs after reports of supply chain attack threatening 100k websites https://therecord.media/polyfill-cloudflare-trade-barbs-supply-chain-attack
01/07/2024 12:01:56

Tech giant Cloudflare urged customers to remove a popular open source library used to support older browsers after reports emerged this week that the tool is being used to distribute malware.

therecord.media EN 2024 polyfill Polyfill.io Cloudflare malware
Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling
27/05/2024 15:56:13

Netskope Threat Labs is tracking multiple phishing campaigns that abuse Cloudflare Workers. The campaigns are likely the work of different

netskope EN 2024 Cloudflare Workers HTML-Smuggling campaign
DDoS threat report for 2024 Q1 https://blog.cloudflare.com/ddos-threat-report-for-2024-q1
17/04/2024 06:44:03

2024 started with a bang. Cloudflare’s autonomous systems mitigated over 4.5 million DDoS attacks in the first quarter of the year — a 50% increase compared to the previous year.

cloudflare EN 2024 DDoS attacks report
Thanksgiving 2023 security incident https://blog.cloudflare.com/thanksgiving-2023-security-incident?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
07/02/2024 07:49:28

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began an investigation, cut off the threat actor’s access, and no Cloudflare customer data or systems were impacted by this event.

cloudflare EN 2024 CrowdStrike Atlassian Confluence Jira Okta incident
Cloudflare website downed by DDoS attack claimed by Anonymous Sudan https://www.bleepingcomputer.com/news/technology/cloudflare-website-downed-by-ddos-attack-claimed-by-anonymous-sudan/
10/11/2023 09:30:19

Cloudflare is investigating an ongoing outage causing 'We're sorry

bleepingcomputer EN 2023 Cloudflare Google Outage Technology
Introducing HAR Sanitizer: secure HAR sharing https://blog.cloudflare.com/introducing-har-sanitizer-secure-har-sharing/
29/10/2023 11:52:06

As a follow-up to the most recent Okta breach, we are making a HAR file sanitizer available to everyone, not just Cloudflare customers, at no cost.

cloudflare EN 2023 HAR Sanitizer Okta tool
How Cloudflare mitigated yet another Okta compromise https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
21/10/2023 17:10:32

On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response.

cloudflare EN 2023 Okta Cloudflare
HTTP/2 Rapid Reset: deconstructing the record-breaking attack https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
10/10/2023 14:41:55

This post dives into the details of the HTTP/2 protocol, the feature that attackers exploited to generate the massive Rapid Reset attacks, and the mitigation strategies we took to ensure all our customers are protected

Cloudflare EN 2023 HTTP/2 protocol DDoS rapid-reset CVE-2023-44487
DDoS threat report for 2023 Q2 https://blog.cloudflare.com/ddos-threat-report-2023-q2/
21/07/2023 15:15:49

Q2 2023 saw an unprecedented escalation in DDoS attack sophistication. Pro-Russian hacktivists REvil, Killnet and Anonymous Sudan joined forces to attack Western sites. Mitel vulnerability exploits surged by a whopping 532%, and attacks on crypto rocketed up by 600%. Read the full story...

Cloudflare EN 2023 DDoS threat report Q2 REvil Killnet