惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

DomainTools Investigations

DomainTools Investigations | Threat Intelligence Report: The Pro-Iran Hacktivist Ecosystem 2026 Eighteen Newsletters and a Dozen Roses Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026 The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations SecuritySnack - Hijacking Corporate Sessions Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both? Threat Intelligence Report: The SDA / Structura / Doppelgänger, Influence Operations, Infrastructure, Reach, and Potential Edge of Seventeen (Newsletters) Cybersecurity Reading List - Week of 2026-06-01 Chinese Malware Delivery Domains Part II: Data Collection Cybersecurity Reading List - Week of 2026-05-04 Sixteen going on Seventeen Newsletters DPRK Contagious Interview: Developer Workflow Compromise The AI Frame Campaign Continues MOIS Linked MOIST GRASSHOPPER / Homeland Justice / KarmaBelow80 / Handala Hackers / Campaigns and Evolution Fifteen (Newsletters) On A Skateboard Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment Cybersecurity Reading List - Week of 2026-04-06 DPRK Malware Modularity: Diversity and Functional Specialization SecuritySnack - OpenAI Anti-Ads Malware Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform Fourteen Newsletters and Fifteen Winters Cybersecurity Reading List - Week of 2026-03-02 Doppelgänger / RRN Disinformation Infrastructure Ecosystem 2026 SecuritySnack - Idolized Crypto Scams Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign Seven Nation Newsletter: I'm goin' to Wichita! Guess who's back, back again? DTI’s back, tell a friend! CTI Grapevine Becomes DomainTools Investigations Thirteen Silver Newsletters Newsletter Number 9, Keep On Movin' Down The Line Eight Days a Newsletter: I lo-o-o-ove research! Newsletter No. 5: A Little Bit of Research in my life… Tenth Newsletter Freeze-Out Newsletter 11 Could Take Forever 1, 2, 3, 4 Tell Me That You Love Newsletters It's 6’n the Mornin’ (and my Newsletter at your door!) DT Investigations - Security Research for the Community March 2025 DTI Newsletter: I Like Newsletters and I Cannot Lie
SecuritySnack - CloudFlare Anti-Security For Phishing
DomainTools · 2026-03-12 · via DomainTools Investigations

Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning.

This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling. The campaign implemented multiple anti-detection techniques including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects. This cluster highlights the need for service providers to consider taking on an even greater responsibility in knowing their customers and ensuring their defensive capabilities are not being abused to actively protect malicious actors.

Details

securedsnmail[.]com

https[:]//securedsnmail[.]com/secdex.html

Gatekeeping and redirection paths

The site code contains a few layers of gatekeeping to ensure the visitor is a real target and not a security tool.

CloudFlare Human Verification: There's an initial CloudFlare human verification check and redirection.

Aggressive IP and User-Agent Filtering: The site code fetches details about the visitor's IP using https[:]//api.ipify[.]org/?format=json and checks it against a hardcoded blocklist. This list includes ranges belonging to major security companies (Palo Alto, FireEye) and cloud providers (AWS, Google), as well as search engine crawlers. 

It also sniffs the visitor's browser for bot-like User-Agents. If a security scanner or bot is detected (e.g., Googlebot, Bingbot, AhrefsBot, or Twitterbot), the page replaces itself with a fake "404 Not Found" message to prevent the malicious site from being indexed or flagged.

User Agent Checks:

IP Checks:

The core credential theft logic is not written in standard JavaScript. Instead, it is executed by a custom VM function (e_d007dc) that interprets an array of encoded instructions. This prevents static analysis from identifying the data-stealing parameters or the Command & Control (C2) URLs.

The framework dynamically updates its destination. When the gatekeeping checks flag, it switches the URL in the VM to a legitimate domain like Google.com, neutralizing the malicious footprint for any subsequent analysis.

Obfuscated Credential Harvesting: 

If the user passes these checks, an obfuscated script builds and redirects them to the credential harvesting URL built from an obfuscated script in the following format: `https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={}`, which it then designates an auth value that is presumably used to verify and track the user passing the gatekeeper to the next stage sites.

In reviewing the multiple phishing sites identified in this campaign, a commonality in the Cloudflare turnstile configuration was observed. The Cloudflare Turnstile sitekey (0x4AAAAAACG6TJhrsuZdpjsN) is a static identifier. Specifically, the “CG6TJhrsuZdpjsN” portion appears to be the unique identifier created when a Cloudflare user sets up the Turnstile widget in their CloudFlare dashboard. Security teams could possibly pivot on this key across telemetry sources (e.g. Shodan, Censys, URLScan) to identify newly registered phishing sites before they are utilized in campaigns.

Registration Commonalities

Nameserver: cloudflare.com

Registrar: NAMECHEAP INC

mx host: registrar-servers.com

IP ISP: CloudFlare Inc.

MX Domain:

  • jellyfish[.]systems
  • registrar-servers[.]com

Conclusion

The strategic abuse of legitimate content delivery and security platforms, such as CloudFlare, by malicious actors creates a considerable obstacle to proactive security scanning and detection. The Microsoft 365 credential harvesting campaign described in this report, which also employed multiple anti-detection mechanisms, shows how these defensive features can inadvertently shield malicious sites, delay their detection, and hinder informed risk assessments. To address this evolving dynamic, service providers should accept greater responsibility in knowing their customers and ensuring their platform's security capabilities are not leveraged to actively protect malicious campaigns.

IOCs

securedreach[.]comwirelessmailsent[.]com
suitecorporate[.]comsuitetosecured[.]com