
All news with #cloudflare tag

286 articles · page 5 of 15

SASE Migrations Can Be Fast: Choosing Simpler Zero Trust

🔒 Cloudflare argues that SASE and Zero Trust migrations no longer need to be multi-year projects. Partners such as TachTech and Adapture report compressing deployments from 18 months to as little as four to six weeks by using the Cloudflare One platform. Key accelerators include identity-first on-ramps, a consolidated policy engine for SWG and ZTNA, and cloud-native connectors like cloudflared. The platform's extensibility also supports custom environments and provides AI-focused controls for safer LLM adoption.

Phishers Abuse .arpa Reverse DNS and IPv6 to Evade Defenses

🔒 Threat actors are abusing the special-use .arpa reverse DNS namespace and IPv6 reverse zones to evade domain reputation checks and email gateways. By obtaining IPv6 address space and controlling reverse DNS, attackers can create nonstandard records (for example A records under ip6.arpa) that resolve to phishing infrastructure hosted behind reputable providers like Cloudflare or Hurricane Electric. Infoblox observed short-lived, image-linked URLs that redirect through traffic distribution systems to selectively deliver phishing pages and frustrate investigation.

Tycoon 2FA phishing kit dismantled after global takedown

🔒 In a coordinated takedown, law enforcement and industry partners dismantled Tycoon 2FA, a commercial phishing-as-a-service platform that automated MFA bypasses via a real-time proxy. The kit, sold for about US $120/month through private Telegram channels, forwarded credentials and one-time codes to legitimate sites to capture authenticated sessions. It was linked to tens of millions of phishing emails and widespread attacks on healthcare and education before seizures and blocks by Microsoft, multi-country law enforcement, and Cloudflare largely disrupted the operation. Users are reminded that not all MFA is equal: hardware security keys or passkeys provide stronger protection against proxying than SMS-based codes.

Cloudflare One: Unified Data Security Across Surfaces

🔐 Cloudflare One reframes enterprise security around protecting sensitive data across networks, endpoints, SaaS, and AI interfaces. The post introduces new controls — clipboard restrictions for browser-based RDP, operation-level mapping surfaced in logs, on-device Endpoint DLP in the Cloudflare One Client, and Microsoft 365 Copilot scanning via API CASB. Together these features aim to give consistent visibility and enforcement so policy follows data rather than product boundaries.

Dynamic Path MTU Discovery in the Cloudflare One Client

🔧 The Cloudflare One Client now implements Path MTU Discovery to detect and avoid PMTUD black holes that silently drop large encrypted packets. Using active probes over MASQUE (built on Cloudflare’s QUIC library), the client tests packet sizes end-to-end and dynamically adjusts the virtual interface MTU. This non-disruptive background process preserves sessions across shifting networks — for example, when moving from Wi‑Fi to cellular — preventing stalled uploads, calls, or SSH sessions. The feature is available for Windows, macOS, and Linux.

Automatic Return Routing for Overlapping IP Addresses

🔁 Automatic Return Routing (ARR) is a new Cloudflare One feature, released in Closed Beta, that resolves private IP address overlap by tracking flows and returning traffic to the exact tunnel that originated the conversation. Instead of depending on routing-table lookups, ARR uses stateful flow memory to record the originating tunnel and enforce symmetric returns. This approach minimizes the need for VRF or NAT, reducing operational overhead for mergers, extranets, and uniform branch deployments while integrating with Unified Routing and the Apollo userspace hub.

Cloudflare One boosts proxy mode performance with QUIC

🚀 Cloudflare rebuilt the Cloudflare One Client’s proxy mode to use QUIC streams and HTTP/3 CONNECT, removing the prior L4→L3 translation via smoltcp and deprecating WireGuard for proxy mode. The change keeps traffic at Layer 4, enabling native congestion and flow control, transport tunability, and substantially better throughput and latency in internal tests. Administrators should upgrade to minimum client version 2025.8.779.0 and enable MASQUE local proxy mode to benefit from these gains.

Microsoft-led Takedown Disrupts Tycoon2FA Phishing Network

🔒 Microsoft led a court-authorized disruption of Tycoon2FA, a prominent phishing-as-a-service operation, seizing 330 active domains and coordinating infrastructure seizures with Europol and partner law enforcement. Private-sector partners including Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud and Trend Micro assisted in removing control panels and fraudulent login pages. Microsoft estimates that Tycoon2FA accounted for roughly 62% of the phishing attempts it blocked by mid-2025 and has linked it to about 96,000 victims since 2023.

Cloudflare launches Attack Signature Detection for WAFs

🛡️ Cloudflare announced Attack Signature Detection, a new always-on framework that inspects every proxied request and attaches signature metadata for full visibility without sacrificing protection. The model separates detection from mitigation, populating fields like cf.waf.signature.request.ref, confidence, and categories for use in Security Analytics and the Edge Rules Engine. Detections use the same heuristics as the Managed Ruleset but operate as non-blocking signatures by default, and Full-Transaction Detection — which correlates request and response to reduce false positives and confirm exploits — is under development and available for early interest.

Cloudflare adds mandatory authentication and independent MFA

🔒 Cloudflare announced mandatory authentication for the Cloudflare One Client and a new independent multi-factor authentication (MFA) capability to strengthen remote access. When enabled via MDM, the client blocks all Internet traffic until the user authenticates, allowing only the authentication flow and prompting users to sign in. The separate MFA acts as a network-edge, step-up second root of trust, supporting biometrics, WebAuthn/FIDO2 keys, PIV for SSH, and TOTP. Mandatory authentication starts on Windows, and the independent MFA is available in closed beta.

Identity-Verified Onboarding to Mitigate Deepfake Threats

🛡️ Cloudflare announces integration with Nametag to add workforce identity verification to Cloudflare Access, confronting the emerging 'remote IT worker' fraud where organized actors use stolen or deepfaked identities to infiltrate companies. The OIDC-based flow requires a selfie and government ID scan, and Nametag's Deepfake Defense uses cryptography and AI to attest liveness and identity. Verification completes in under 30 seconds and no biometrics are stored. This layer enables identity-based policies before access is granted.

Gateway Authorization Proxy: Identity-Aware Policies

🔐 Cloudflare's new Gateway Authorization Proxy shifts identity from devices to the network, enabling per-user enforcement for unmanaged endpoints and virtual desktops. By using a Cloudflare Access–style login and signed JWT domain cookies, the proxy logs individual users, supports multiple identity providers, and allows instant revocation without installing a client. PAC File Hosting further simplifies deployment with templates and an AI assistant.

Cloudflare One Adds Adaptive User Risk Scoring to Access

🔒 Cloudflare One now integrates continuous User Risk Scores into its ZTNA policies, letting admins factor recent user behaviors into access decisions. The SASE risk engine ingests internal telemetry from Cloudflare Access and Gateway, plus third-party signals via integrations (e.g., CrowdStrike, SentinelOne), and deterministically maps configured behaviors to low/medium/high risk levels. Administrators can apply risk-based selectors in Access policies to restrict, require stronger MFA, or revoke access dynamically, with manual reset and signal-sharing back to IdPs.

AI and Deepfakes Accelerate Cybercriminal Capabilities

⚠️ A new Cloudflare Threat Report warns that widespread access to large language models and AI tools has lowered the barrier to entry for cybercriminals, enabling rapid, scalable attacks. Attackers are using LLMs to craft convincing phishing, generate malware, and map networks in real time, increasing impact and reach. The report highlights AI-generated deepfakes and fraudulent IDs used to bypass hiring filters and embed malicious insiders, with state actors like North Korea exploiting this vector. Cloudflare urges organisations to adopt real-time intelligence and proactive defenses to counter the industrialisation of cyber threats.

2026 Cloudflare Threat Report: Rise of High-Trust Attacks

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.

Cloudflare Threat Intelligence Platform: Edge-native TIP

🛡️ Cloudflare’s Cloudforce One Threat Intelligence Platform is an edge-native TIP that centralizes global telemetry, analyst investigations, and automated defenses. It eliminates bulky ETL and monolithic databases by using a sharded, SQLite-backed Durable Object architecture and running GraphQL in Workers for sub-second, multi-shard queries. The platform enriches SIEM alerts with historical actor context, supports STIX2 exports, and can push instant protections via the Firewall API to close the loop between discovery and defense.

Cloudy LLM Explanations Expand across Cloudflare One

☁️ Cloudflare’s new Cloudy layer uses LLMs to translate complex security telemetry into concise, human-readable guidance inside Cloudflare One. It generates plain-language explanations for Email Security detections and structured Risk + Guidance summaries for CASB findings to help teams act faster. Phishnet reporting will surface real-time Cloudy summaries via Workers AI to reduce SOC noise and guide end users. Microsoft beta starts soon, with wider rollouts and Google Workspace support planned.

LLMs Close the Invisible Phishing Detection Gap at Scale

🔍 Cloudflare integrated Large Language Models (LLMs) into its email security pipeline to surface previously invisible phishing behaviors and move from reactive to proactive defense. LLMs tag messages with granular categories such as Sales Outreach and PrizeNotification, providing high-fidelity, near-real-time signals for analysts. From those tags Cloudflare curated targeted corpora, extracted sentiment and intent features, and trained specialized classifiers that emit risk scores. Those scores are combined with reputation and link signals to enforce blocking or quarantine, reducing user-reported misses and accelerating updates.

Cloudflare CASB adds one-click remediation for file sharing

🛡️ Cloudflare CASB now lets administrators remediate risky file-sharing directly from the Cloudflare One dashboard. The new Remediation feature supports one-click removal of public, organization-wide, and external shares in Microsoft 365 and Google Workspace, and can target files that match DLP profiles for sensitive content. Remediation only removes risky sharing settings — it does not delete files or change ownership — and every action is recorded in Admin logs for auditing and SIEM export. The system is built on Cloudflare Workers and Workflows for fast, durable execution at scale.

Google unveils Merkle Tree Certificates for Post‑Quantum TLS

🔐 Google is developing Merkle Tree Certificates (MTCs) in Chrome to make HTTPS certificates resilient to future quantum attacks while avoiding the bandwidth cost of adding post‑quantum algorithms to traditional X.509 chains. Working with Cloudflare and the PLANTS working group, Chrome proposes a model where a CA signs a single tree head and browsers receive lightweight proofs of inclusion. Google is running a feasibility study (Phase 1), plans to invite compatible Certificate Transparency logs in Q1 2027 (Phase 2), and aims to finalize requirements and launch a Chrome Quantum‑resistant Root Store (CQRS) and MTC-only root program by Q3 2027.