All news with #cloudflare tag

Microsoft and Cloudflare Disrupt RaccoonO365 Phishing

🔒 Microsoft and Cloudflare executed a coordinated takedown of RaccoonO365, a Nigerian-run phishing-as-a-service platform tracked by Microsoft as Storm-2246. The joint effort seized 338 domains and dismantled infrastructure that reportedly generated hundreds of millions of malicious messages and could bypass some MFA protections. Cloudflare removed intermediary Cloudflare Workers shields and deployed phish warning pages, while Microsoft pursued legal action and criminal referrals. The disruption exposed risks to healthcare providers and highlighted cross-border enforcement limits.

RaccoonO365 Phishing Network Disrupted; 338 Domains Seized

🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.

Cloudflare integrates CrowdStrike Falcon Fusion SOAR

🔗 Cloudflare announced an integration between the Cloudflare One SASE platform and CrowdStrike Falcon Fusion SOAR, delivering two out‑of‑the‑box connectors for Zero Trust and Email Security. The prebuilt actions exposed in the CrowdStrike Content Library automate common tasks—searching messages, updating allow/block lists, adjusting access policies, and revoking tokens—to reduce manual investigation and accelerate remediation. Customers can chain Cloudflare actions with Falcon Fusion playbooks via a drag‑and‑drop editor to enable bidirectional containment across network, email, and endpoints. The integration supports Logpush to CrowdStrike HTTP ingest and can be enabled from both vendor consoles, with APIs and custom playbooks available for tailoring workflows.

VoidProxy Phishing Framework Bypasses MFA for SSO Logins

🔒 Okta threat researchers have identified a Phishing-as-a-Service called VoidProxy that leverages Adversary-in-the-Middle techniques to capture usernames, passwords, MFA codes and session cookies from Microsoft, Google and several SSO providers. The service uses compromised email service provider accounts, URL shorteners, Cloudflare Workers and disposable domains to evade detection and takedown. Victim credentials and session tokens are proxied to legitimate services, allowing attackers to reuse valid session cookies. Okta warns legacy methods such as SMS and OTP are especially vulnerable to this attack.

Phishing Campaigns Deploy RMM Tools via Multiple Lures

🔒 New phishing campaigns are delivering remote monitoring and management (RMM) software by using multiple realistic lures, security firms warn. Attackers spoof browser updates, meeting software installers, party e-invites and government forms to trick victims into running installers for ITarian (Comodo), Atera, PDQ, SimpleHelp and ScreenConnect. Some campaigns host payloads on trusted services such as Cloudflare R2 and may install multiple RMM tools in quick succession. Analysts caution RMM compromise can lead to ransomware and data theft and recommend endpoint detection, approved-tool enforcement and enhanced network controls such as browser isolation.

Deep Dive: Cloudflare's Sept 12 Dashboard and API Outage

⚠️ A bug in a dashboard React useEffect dependency caused an object to be recreated on every render, triggering repeated calls to the Tenant Service /organizations endpoint. Those excessive requests coincided with a Tenant Service deployment, overwhelming the service and breaking API authorization checks so many API requests returned 5xx errors and the Cloudflare dashboard became unavailable. Cloudflare mitigated the incident by scaling pods, applying a global rate limit, reverting a problematic patch, and applying a dashboard hotfix. They plan to prioritize Argo Rollouts for safer deployments, add randomized retry delays, increase Tenant Service capacity, and improve observability.

VoidProxy PhaaS Uses AitM to Steal Microsoft, Google Logins

🔐 Okta has uncovered VoidProxy, a phishing-as-a-service operation that uses Adversary-in-the-Middle techniques to harvest Microsoft and Google credentials, MFA codes, and session tokens. The platform leverages compromised ESP accounts, URL shorteners, multiple redirects, Cloudflare Captcha and Cloudflare Workers to evade detection and hide infrastructure. Victims who enter credentials are proxied through an AitM server that captures session cookies and MFA responses, enabling account takeover. Okta recommends passkeys, security keys, device management, and session binding to mitigate the threat.

Salty2FA Phishing Framework Evades MFA Using Turnstile

🔒 A newly identified phishing-as-a-service called Salty2FA is being used in campaigns that bypass multi-factor authentication by intercepting verification flows and abusing trusted services like Cloudflare Turnstile. Ontinue researchers report the kit uses subdomain rotation, domain-pairing, geo-blocking and dynamic corporate branding to make credential pages appear legitimate. The framework simulates SMS, authenticator apps, push approvals and even hardware-token prompts, routing victims through Turnstile gates to filter automated analysis before harvesting credentials.

Axios Abuse and Salty 2FA Kits Fuel Direct Send Phishing

🔒 ReliaQuest reports threat actors increasingly abusing the HTTP client Axios alongside Microsoft's Direct Send to create a highly efficient phishing pipeline that intercepts and replays authentication flows. Campaigns beginning in July 2025 targeted executives in finance, healthcare, and manufacturing and expanded to all users, achieving up to a 70% success rate when pairing Axios with Direct Send. Attackers also use PDF lures with malicious QR codes, Google Firebase hosting, and advanced MFA-bypass kits such as Salty2FA to simulate multiple 2FA methods and steal credentials.

Salty2FA Phishing Kit Employs Sophisticated Evasion Tools

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

Salty2FA Phishing Kit Undermines Confidence in MFA

🔐 A newly uncovered phishing campaign uses the Salty2FA phishing‑as‑a‑service kit to bypass multi‑factor authentication by intercepting verification methods, rotating unique subdomains and hiding behind Cloudflare Turnstile gates that filter automated analysis. Ontinue found the kit simulates SMS, authenticator apps, push prompts and hardware tokens while dynamically applying corporate branding to match victims' email domains. Industry experts characterize this as a more mature, evasive form of phishing and recommend phishing‑resistant authentication, runtime inspection and continuous user training.

GhostAction GitHub Supply Chain Attack Exposes 3,325 Secrets

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

Running Node.js HTTP Servers on Cloudflare Workers Globally

🚀 Cloudflare has added support for the node:http client and server APIs in Workers, enabling developers to deploy existing Node.js HTTP applications at the edge with minimal code changes. This change makes frameworks like Express and Koa runnable on Workers with zero cold starts, automatic scaling, and reduced latency for global users. The client APIs are implemented on top of Workers' native fetch(), and server integration uses an internal bridge that registers listen(port) rather than binding TCP sockets. Some Node-specific features remain limited or unsupported (the Agent is effectively a no-op; trailers, early hints, 1xx responses, and TLS-specific options are not available).

CRM Supply-Chain Breach via Salesloft Drift Impacts Vendors

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

Cloudflare AI Week 2025: Product, Security, and Tools

🔒 Cloudflare framed AI Week 2025 around products and controls to help organizations adopt AI while retaining safety and visibility. The company emphasized four core priorities: securing AI environments and workflows; protecting original content from misuse; enabling developers to build secure AI experiences; and applying AI to improve Cloudflare’s services. Key launches included AI Gateway, Infire, AI Crawl Control, expanded CASB scanning, and MCP Server Portals, with a continued focus on customer feedback and ongoing investment.

Cloudflare, Palo Alto Hit by Salesloft Drift Breach

🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.

Cloudflare Mitigates Record 11.5 Tbps UDP Flood Attack

🛡️ Cloudflare said it automatically mitigated a record-setting volumetric DDoS attack that peaked at 11.5 Tbps and reached 5.1 billion packets per second; the UDP flood lasted roughly 35 seconds and reportedly originated largely from Google Cloud. The company reported it has autonomously blocked hundreds of hyper‑volumetric L3/4 attacks in recent weeks, underscoring a sharp surge in such events. Security researchers warn these massive traffic floods can be used as a smoke screen for follow-on targeted exploits.

Supply-chain Breach Impacts Palo Alto, Zscaler, Cloudflare

🔒 Three major vendors—Palo Alto Networks, Zscaler, and Cloudflare disclosed a supply‑chain breach tied to the Salesloft Drift Salesforce integration that exposed OAuth tokens and customer CRM data. The incident reportedly involved mass exfiltration from Account, Contact, Case and Opportunity records and included business contact data and some plaintext case notes. Vendors recommend rotating credentials, revoking unused OAuth tokens, auditing Salesforce Event Monitoring and reviewing SOQL query logs and connected-app activity for signs of abuse.

Cloudflare Hit by Data Breach in Salesloft Drift Attack

🔒 Cloudflare disclosed attackers accessed a Salesforce instance used for internal customer case management in a broader Salesloft Drift supply‑chain breach, exposing 104 Cloudflare API tokens and the text contents of support case objects. Cloudflare was notified on August 23, rotated all exfiltrated platform-issued tokens, and began notifying impacted customers on September 2. The company said only text fields were stolen — subject lines, case bodies and contact details — but warned customers that any credentials shared via support tickets should be considered compromised and rotated immediately.

Cloudflare Blocks Record 11.5 Tbps UDP Flood DDoS Attack

🛡️ Cloudflare says it blocked the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The UDP flood, which Cloudflare attributes mainly to traffic originating from Google Cloud, lasted roughly 35 seconds and was part of a broader surge of hyper‑volumetric events. The mitigation highlights Cloudflare's automated scaling and defensive capabilities against short, extremely high‑bandwidth assaults.