Cloudflare’s trusted developer platforms, Cloudflare Pages and Cloudflare Workers, have become powerful tools for cybercriminals running large-scale phishing campaigns and sophisticated attacks.
Cybersecurity experts from Fortra report a 198% surge in phishing incidents hosted on Cloudflare Pages over the past year, with the abuse of Cloudflare Workers also rising by 104%.
Projections shared with Winbuzzer suggest that by December 2024, monthly phishing incidents on Pages will surpass 1,600, while Workers-related attacks are expected to reach nearly 6,000. These statistics show how malicious actors are exploiting trusted platforms to scale their operations.
Exploiting a Trusted Ecosystem
Cloudflare’s reputation for reliability and innovation has made it a go-to choice for developers building high-performance applications and websites. However, the same features that make the platforms attractive to legitimate users—such as ease of use, scalability, and security—are now being weaponized by cybercriminals.
These actors leverage Cloudflare Pages and Cloudflare Workers to create phishing sites, automate attacks, and conceal malicious activities.
![Cloudflare Pages Threats 2023 2024](https://winbuzzer.com/wp-content/uploads/2024/12/Cloudflare-Pages-Threats-2023-2024-.jpg)
Zachary Travis, Threat Hunter II at Fortra, described the trend as deeply concerning:
“While an almost 200% increase in attacks being hosted on Cloudflare Pages is eye-opening on its own, the types of threats are what we really want to focus on. These platforms are not only being used to host convincing phishing sites, but also redirect to other malicious sites.
This additional layer of deception is critical to helping criminals evade detection. Additionally, they are being leveraged to host massive corporate email lists, sometimes numbering in the hundreds of thousands, fueling highly targeted phishing and spear phishing campaigns.”
By exploiting features like custom domains, automatic HTTPS encryption, and Cloudflare’s global Content Delivery Network (CDN), attackers can create convincing phishing pages that closely mimic trusted platforms such as Microsoft Office 365 and OneDrive. The infrastructure itself enhances these attacks by ensuring fast, secure, and globally accessible sites.
Cloudflare Pages: A Double-Edged Sword
Cloudflare Pages is a JAMstack-based web hosting platform that simplifies deploying static websites. Integrated with GitHub and GitLab, it enables automated deployment processes and ensures sites are continuously updated.
It is used for static site generation, pre-rendering web pages and serving them as static HTML files from Cloudflare’s Content Delivery Network (CDN).
Cloudflare’s free hosting and automatic SSL/TLS encryption add an extra layer of convenience for developers, but these same features have been misused to launch phishing campaigns.
Attackers take advantage of Pages to host phishing redirects, which disguise malicious links under trusted domains. This tactic often begins with an email containing a link to a seemingly legitimate document.
Clicking on the link redirects victims to a Cloudflare-hosted page, which then leads to a phishing site designed to steal credentials. These campaigns frequently escalate to spear phishing, leveraging corporate email lists stored on Cloudflare Pages.
The seamless integration of Cloudflare Pages with Cloudflare Workers—used for server-side scripting—amplifies its potential for misuse. Workers enable dynamic functionality, which attackers exploit to automate malicious processes or bypass traditional security measures.
Cloudflare Workers: Automation for Attackers
Cloudflare Workers is a serverless computing platform designed to execute code at the edge of Cloudflare’s global network. This reduces latency for legitimate applications by processing data closer to the user.
However, it also provides cybercriminals with a means to automate large-scale attacks such as brute-force login attempts, credential stuffing, and Distributed Denial of Service (DDoS) operations.
![Cloudflare Workers Threats 2023 2024](https://winbuzzer.com/wp-content/uploads/2024/12/Cloudflare-Workers-Threats-2023-2024-.jpg)
Fortra’s report highlights how Workers have been used in phishing campaigns to redirect victims to credential-harvesting sites. In one notable scheme, attackers created a “human verification” page using Workers, which then redirected users to a fake Microsoft Office 365 login page.
The combination of fast execution, global accessibility, and secure HTTPS connections ensures these campaigns remain effective while evading detection for longer periods.
Cybercrime Use of Cloudflare on the Rise
Fortra’s findings reveal the growing scale and sophistication of cybercriminal activity targeting Cloudflare tools. Phishing campaigns hosted on Cloudflare Pages rose from 460 in 2023 to 1,370 by October 2024. The current monthly average of 137 incidents is projected to exceed 1,600 by year-end, representing a 257% year-over-year increase.
Similarly, abuse of Cloudflare Workers has almost doubled. Cases climbed from 2,447 in 2023 to 4,999 in 2024, with monthly incidents likely to approach 6,000 by December. These numbers underscore how attackers are scaling operations using trusted platforms.
Phishing Redirects and Email List Exploitation
One particularly insidious tactic involves phishing redirects hosted on Cloudflare Pages. These redirects obscure malicious intent by using secure, Cloudflare-hosted URLs that appear trustworthy.
Victims are lured into clicking these links, often under the pretense of downloading important documents like business proposals. In reality, these documents lead to phishing pages designed to steal login credentials or other sensitive information.
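The redirect chain described above (lure link, Cloudflare-hosted page, then a credential-harvesting site) leaves a recognisable trace in web-proxy logs. The following is an added example for defenders, not code from Fortra's report or from Cloudflare: it assumes a simple six-field log format and the default `*.pages.dev` / `*.workers.dev` hostnames, all sample hostnames are constructed, and sites served from custom domains are not matched.

```python
"""Flag proxy-log events where a Cloudflare-hosted page hands the browser to another host."""
from urllib.parse import urlsplit

# Default hostnames Cloudflare assigns to Pages and Workers projects.
# Custom domains (also mentioned in the article) are not covered by this check.
PLATFORM_SUFFIXES = (".pages.dev", ".workers.dev")

# Constructed sample log (assumed format): time, user, status, URL, Referer, Location.
# Every hostname below is invented for illustration; "-" means the header was absent.
SAMPLE_LOG = """\
2024-11-04T09:12:01Z alice 200 https://sample-proposal-doc.pages.dev/view - -
2024-11-04T09:12:03Z alice 200 https://login.harvest-sample.test/o365 https://sample-proposal-doc.pages.dev/view -
2024-11-04T09:15:40Z bob 302 https://verify.sample-acct.workers.dev/ - https://signin.harvest-sample.test/auth
2024-11-04T09:20:11Z carol 200 https://sample-blog.pages.dev/post/2 https://sample-blog.pages.dev/ -
2024-11-04T09:21:00Z dave 200 https://www.example.org/ https://news.example.com/ -
"""

def host(url):
    """Lower-cased hostname of a URL, or '' when the field is '-' or has no host."""
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()

def on_platform(hostname):
    """True for hosts under the default Pages/Workers suffixes."""
    return hostname.endswith(PLATFORM_SUFFIXES)

def find_handoffs(log_text):
    """Return (user, platform_host, destination_host, kind) for each hand-off to another host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than guess at fields
        _ts, user, status, url, referer, location = parts
        req, ref, loc = host(url), host(referer), host(location)
        # Server-side redirect: platform host answers 3xx pointing at a different host.
        if on_platform(req) and status.startswith("3") and loc and loc != req:
            hits.append((user, req, loc, "http-redirect"))
        # Client-side hand-off: request to a different host with a platform page as Referer.
        elif on_platform(ref) and req and req != ref:
            hits.append((user, ref, req, "referer"))
    return hits

if __name__ == "__main__":
    for hit in find_handoffs(SAMPLE_LOG):
        print(hit)
```

Hits are triage leads rather than verdicts: legitimate Pages and Workers projects also link and redirect to other hosts, so each destination still needs review.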
Attackers have also begun hosting massive email lists on Cloudflare Pages, sometimes containing hundreds of thousands of addresses. These lists fuel highly targeted spear phishing campaigns, where attackers use personal details to craft convincing messages tailored to specific victims. The level of precision makes such attacks harder to detect and defend against.
Mitigating Risks: Developer and User Strategies
While Cloudflare implements security measures such as phishing detection and takedown mechanisms, the sophistication of these attacks often allows them to persist before being identified.
Developers using Cloudflare Pages and Workers must adopt strong security practices, including regularly updating dependencies, enforcing HTTPS, and monitoring their applications for anomalies.
End users, meanwhile, can reduce their exposure to phishing attacks by scrutinizing URLs, avoiding unfamiliar websites, and enabling two-factor authentication (2FA) for their accounts. Verifying the legitimacy of email links before clicking is another critical step in mitigating risk.
Cloudflare’s developer tools are invaluable for legitimate users, offering unmatched scalability and performance. However, their exploitation by cybercriminals highlights the broader challenge of balancing accessibility with security in an increasingly interconnected digital landscape.