Threat Posts

Cloudflare R2, Public Buckets and a Phishing Binge: An Analysis of Today’s Threat Landscape

Erin Kuffel
March 18, 2024

Key Findings:

  1. Threat actors are using public Cloudflare R2 buckets to host phishing pages.
  2. 66% of malicious webpages analyzed are Microsoft-related phishing pages.
  3. 17% were for other webmail logins.
  4. Majority of buckets researched were identified as final redirects from other domains.

Overview

Keep Aware’s Threat Research team identified and analyzed 5,014 unique malicious webpages hosted on public Cloudflare R2 buckets. In this article, the team reports findings from and recommendations based on the recent research.

What are Cloudflare R2 Buckets?

R2 buckets are Cloudflare’s storage service, which allows users to expose their buckets’ content to the internet. Buckets and their content, by default, are private and thus require a user to explicitly allow it to be publicly accessible. To make it public, a bucket can be configured to be hosted on either a custom domain or on a Cloudflare-managed subdomain, under the domain https://r2.dev

A Rise of R2 for Phishing

Throughout the months preceding this article, multiple reports had disclosed an increase in Cloudflare R2 buckets used for phishing purposes. In this Trustwave Spiderlabs report from late last year, the security company reported an uptick in phishing emails using links to public R2 subdomains. Keep Aware’s browser security platform has also observed phishing attempts using public Cloudflare R2 buckets; these attempts were primarily phishing for Microsoft credentials. 

The R2 subdomains abused for malicious purposes have been observed and reported as most commonly beginning with “pub-”, followed by a hexadecimal string (primarily 32 characters long), as shown below.

https://pub-{hexadecimal string}.r2.devText. Format of Cloudflare R2 subdomains that have been observed and reported as being abused to host malicious webpages.

Though not all content hosted on public R2 buckets are malicious, Keep Aware’s Threat Research team set out to identify common themes of malintent content and investigated over 5,000 unique malicious webpages. The remainder of this article focuses on findings exclusively from the Cloudflare-hosted subdomains described above.

66%, Microsoft Phishing

Overwhelmingly, the most common observed theme was Microsoft phishing, accounting for approximately 66% of the over 5,000 malicious R2 webpages analyzed. These phishing pages include those that resemble Microsoft’s standard login page and login pages for Microsoft’s Outlook Web App.

Table. Screenshots of various Outlook Web App and Microsoft login phishing pages hosted on public Cloudflare R2 subdomains.

17%, Other Mail Logins

As the second most common observed theme, logins to other web mail services accounted for roughly 17% of malicious public R2 bucket URLs researched.

Table. Screenshots of other web mail phishing pages hosted on public Cloudflare R2 buckets.

Redirects to R2s

The extensive majority – 4,590, to be exact – of the subdomains investigated were actually found to be the final destinations of redirects originating from other domains. Put another way: other domains redirect to these malicious R2 webpages.

Video. An example of a URL redirecting to a phishing page hosted publicly on an R2 subdomain.

Why is this finding important? Despite the general advice in recent security articles to avoid clicking links in emails that lead directly to r2.dev URLs, Keep Aware's research emphasizes the critical importance of being cautious with any unfamiliar or unexpected link. 

Conclusion, Recommendations

Late last year, email security vendors reported an uptick in phishing emails using links to public Cloudflare R2 subdomains (.r2.dev), particularly those starting with “https://pub-”. In recent research, Keep Aware’s findings indicate that an overwhelming majority of these URLs are final redirects from other domains and are primarily used to host Microsoft and Outlook Web App phishing pages.

One of many in a long list of hosting platforms being abused by threat actors to steal victim’s credentials, public Cloudflare R2 buckets are no exception. Read more from Keep Aware’s threat research articles that reveal how attackers are abusing other platforms, including Canva designs and Microsoft Dynamics 365 marketing forms.

In the meantime, protect your organization from these types of attacks by ensuring that your employees continue to avoid and report unfamiliar links and by confirming that your technical controls have the visibility and maturity to discern known and emerging browsing threats. 

- - 

To understand how visibility and integration into browsers is an often-overlooked but highly effective means to fortify both your human and technical defenses, talk to Keep Aware’s security team today.

Share
Ready to see Keep Aware in action?
Schedule a personalized demo today and see how Keep Aware can protect your organization's biggest workplace.