Hackers Use Cloudflare Human Check to Hide Microsoft 365 Phishing Pages

HackRead, Mar 12, 2026

Why It Matters

The abuse of a widely trusted bot‑mitigation service highlights a growing attack surface, forcing enterprises to rethink detection beyond conventional URL and signature checks.

Key Takeaways

  • Hackers embed Turnstile to evade scanners.
  • Fake M365 login pages served after human verification.
  • Site checks visitor IP against security‑firm blocklist.
  • Custom VM code thwarts traditional AV detection.
  • Shared static sitekey aids attribution to threat group.

Pulse Analysis

Cloudflare’s Turnstile was designed to differentiate humans from automated bots, reducing spam and abuse on legitimate sites. Threat actors have now repurposed this mechanism as a cloaking layer, allowing phishing pages to appear only after a visitor passes the human check. By gating access, the malicious pages stay invisible to crawlers and security tools that typically flag suspicious URLs, creating a blind spot in conventional web‑filtering solutions. This tactic underscores how security‑as‑a‑service offerings can be subverted when attackers understand their operational logic.

The campaign targets Microsoft 365 credentials, a high‑value asset for enterprises. After the Turnstile challenge, the site queries the visitor’s IP via api.ipify.org and cross‑references a curated blocklist of security vendors and known bots. If a match is found, the page instantly swaps to a benign 404 response, while legitimate users see a convincing login form. Behind the scenes, a custom virtual‑machine function named e_d007dc executes obfuscated instructions, bypassing signature‑based detection. A static sitekey discovered across multiple domains provides a forensic breadcrumb, enabling investigators to map the threat actor’s infrastructure, which often leverages Namecheap registration and low‑profile mail servers.

For security teams, the emergence of verification‑based cloaking demands a shift toward behavior‑centric monitoring. Deploying threat‑intelligence feeds that flag Turnstile‑protected domains, inspecting DNS and TLS traffic for anomalous redirects, and employing sandboxed browsers to trigger human challenges can surface hidden payloads. Additionally, educating users to verify URLs before entering credentials remains essential. As more protective services become attack vectors, a layered defense strategy that combines endpoint telemetry, network analytics, and continuous threat hunting will be critical to mitigate this evolving phishing threat.
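As an added defender-side example (not code from the HackRead article or from any tool it mentions), the following Python heuristic scores captured page source for the cloaking pattern described above: a Turnstile widget, a client-side api.ipify.org lookup, Microsoft 365 lure strings, and a sitekey that matches a watchlist of keys already seen on phishing domains. The sitekey values, the sample pages and the score weights are constructed placeholders, and the page source is assumed to come from a sandboxed browser that has already passed the human check.

```python
import re
from dataclasses import dataclass

# Constructed watchlist of Turnstile sitekeys previously seen on phishing domains.
# Placeholder values only; real keys would come from your own threat-intel feed.
WATCHLISTED_SITEKEYS = {"0xPLACEHOLDER_SHARED_SITEKEY"}

# Sitekey appears as data-sitekey="..." on the widget div or as sitekey: "..." in turnstile.render().
SITEKEY_RE = re.compile(r'(?:data-sitekey\s*=\s*|sitekey\s*:\s*)["\']([0-9A-Za-z_-]+)["\']')
TURNSTILE_RE = re.compile(r'challenges\.cloudflare\.com/turnstile', re.I)
IP_LOOKUP_RE = re.compile(r'api\.ipify\.org', re.I)
M365_LURE_RE = re.compile(r'Microsoft\s*365|Office\s*365|microsoftonline\.com', re.I)

@dataclass
class Finding:
    sitekeys: list
    indicators: list
    score: int

def analyse_page(html: str) -> Finding:
    indicators, score = [], 0
    has_turnstile = bool(TURNSTILE_RE.search(html))
    has_ip_lookup = bool(IP_LOOKUP_RE.search(html))
    if has_turnstile:
        indicators.append("turnstile_widget"); score += 1       # common on legitimate sites too
    if has_ip_lookup:
        indicators.append("client_ip_lookup"); score += 2
    if has_turnstile and has_ip_lookup:
        indicators.append("verification_gated_ip_check"); score += 2  # the combination is the tell
    if M365_LURE_RE.search(html):
        indicators.append("m365_lure_strings"); score += 1
    sitekeys = SITEKEY_RE.findall(html)
    if any(k in WATCHLISTED_SITEKEYS for k in sitekeys):
        indicators.append("watchlisted_sitekey"); score += 4    # shared key pivots to known infrastructure
    return Finding(sitekeys, indicators, score)

def verdict(finding: Finding) -> str:
    return "suspicious" if finding.score >= 5 else "review" if finding.score >= 3 else "low"

# Constructed sample pages (not captured from any real site).
SUSPICIOUS_HTML = """<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
<div class="cf-turnstile" data-sitekey="0xPLACEHOLDER_SHARED_SITEKEY"></div>
<script>fetch("https://api.ipify.org?format=json").then(r => r.json()).then(gate);</script>
<h1>Sign in to Microsoft 365</h1>"""
BENIGN_HTML = """<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
<div class="cf-turnstile" data-sitekey="0xPLACEHOLDER_BENIGN_SITEKEY"></div>
<form action="/contact">Send us a message</form>"""

if __name__ == "__main__":
    for name, html in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        f = analyse_page(html)
        print(name, verdict(f), f.indicators, f.sitekeys)
```

A Turnstile widget on its own scores low, so the heuristic only escalates when the widget is paired with the IP lookup, the lure strings or a watchlisted key.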
