The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution

Key Takeaways

• Threat actors are increasingly abusing Cloudflare Workers and Tunnels to bypass Secure Email Gateways (SEGs) and distribute malware.
• Cloudflare Workers are being exploited to host convincing adversary-in-the-middle (AiTM) phishing pages for credential theft.
• Cloudflare Tunnels (TryCloudflare) are used to host remote WebDAV servers, facilitating the delivery of Remote Access Trojans (RATs).
• Attack chains frequently utilize malicious URL shortcut (.url) files that trigger Windows Script Files (WSF) and batch scripts.
• The use of legitimate Cloudflare infrastructure allows attackers to evade domain reputation filters and network sandboxing.

Affected Systems

• Windows
• Secure Email Gateways (SEGs)

Attack Chain

The attack begins with a finance-themed phishing email containing an embedded link. Clicking the link downloads a malicious URL shortcut file (.url). When the victim opens the shortcut, it connects to a remote WebDAV server hosted via Cloudflare Tunnels (TryCloudflare) to retrieve a Windows Script File (WSF). The WSF then triggers a batch script that downloads a Python installer, ultimately executing Xeno RAT or XWorm RAT to establish remote access.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, queries, or signatures.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can effectively monitor the execution of .url files, wscript.exe spawning batch scripts, and the subsequent installation/execution of Python payloads. Network Visibility: Medium — While the network traffic is routed through legitimate Cloudflare IPs (making IP-based blocking difficult), the use of WebDAV protocols and specific URL structures (@SSL/DavWWWRoot) can be monitored. Detection Difficulty: Moderate — Initial delivery evades SEGs due to trusted Cloudflare infrastructure, but the post-exploitation execution chain (URL -> WSF -> Batch -> Python) generates distinct behavioral anomalies on the endpoint.

Required Log Sources

• Process Creation (Event ID 4688)
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 3 (Network Connection)
• Sysmon Event ID 11 (File Create)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for the execution of .url files that initiate outbound network connections to external WebDAV shares, particularly those containing '@SSL/DavWWWRoot' in the path.	Process execution and network connection logs (e.g., Sysmon Event ID 1 and 3).	Execution	Low
Monitor for wscript.exe or cscript.exe executing .wsf files that were recently downloaded or reside in temporary internet directories.	Process creation logs with command-line arguments.	Execution	Medium
Detect cmd.exe executing batch scripts that subsequently spawn Python installers or Python processes in unusual directories.	Process ancestry and creation logs.	Execution	Medium

Control Gaps

• Secure Email Gateways (SEGs)
• Domain Reputation Filters
• Network Sandboxing

Key Behavioral Indicators

• Execution of .url files pointing to external WebDAV shares
• wscript.exe spawning cmd.exe to run batch scripts
• Unexpected Python installations followed by network connections to unknown IPs

False Positive Assessment

• Medium. Blocking all Cloudflare domains (*.workers.dev, *.trycloudflare.com) will cause significant false positives due to widespread legitimate use. Detections must focus on the specific execution chain (e.g., .url to WebDAV) and behavioral anomalies to remain accurate.

Recommendations

Immediate Mitigation

• Block or restrict the execution of .url and .wsf files originating from email attachments or web downloads.
• Investigate any recent alerts involving Xeno RAT or XWorm RAT to identify potential Cloudflare Tunnel abuse.

Infrastructure Hardening

• Restrict outbound WebDAV and SMB connections at the firewall level to prevent unauthorized access to external file shares.
• Implement strict application control to prevent the unauthorized execution of script files (WSF, Batch) and unapproved Python binaries.

User Protection

• Enhance endpoint protection rules to detect and block anomalous process chains, such as wscript.exe launching cmd.exe.

Security Awareness

• Train users to recognize suspicious links and unexpected file downloads, particularly emphasizing the dangers of .url or script files disguised as documents.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link
• T1557 - Adversary-in-the-Middle
• T1071.001 - Application Layer Protocol: Web Protocols
• T1204.002 - User Execution: Malicious File
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Additional IOCs

• Domains:
  • *[.]r2[.]dev - Cloudflare R2 developer domain pattern frequently abused for static site hosting of phishing pages.
  • *[.]pages[.]dev - Cloudflare Pages domain pattern frequently abused for hosting malicious web pages.
  • *[.]workers[.]dev - Cloudflare Workers domain pattern abused for AiTM phishing.
  • *[.]trycloudflare[.]com - Cloudflare Tunnels domain pattern abused for obfuscated malware delivery and WebDAV hosting.
• Other:
  • Payment859x4309430.url - Malicious URL shortcut filename downloaded via embedded email link.
  • Payment Receipt Confirmation - Ref #PR-xysnJ5 - Subject line of finance-themed phishing email delivering XWorm RAT.