Sixty-eight percent of actively serving phishing kits are fronted by Cloudflare's reverse proxy, according to a new security report from SicuraNext. The finding points to a broader pattern: organized criminal operations are building on the same widely used infrastructure as legitimate businesses, and doing so at a scale that threatens individuals and organizations worldwide.
The research identified over 42,000 validated URLs and domains actively distributing phishing kits, hosting command-and-control (C2) systems, or delivering malicious payloads. The picture is less one of haphazard, one-off phishing attempts than of professionally managed operations whose infrastructure matches the reliability of legitimate technology companies.
SicuraNext's analysis underscores the operational maturity of these campaigns. The supporting infrastructure shows a mean DNS resolution rate of 96.16%, meaning the domains involved are consistently live and actively maintained, which makes them harder to detect and take down.
MFA Bypass Infrastructure and Defense Evasion
A particularly alarming development highlighted in the report is the proliferation of Phishing-as-a-Service (PhaaS) platforms such as EvilProxy and Tycoon 2FA. These services go beyond simply stealing passwords: they operate as adversary-in-the-middle proxies, inserting themselves between the user and the legitimate online service.
When a user authenticates, the kit intercepts the credentials, forwards them to the real service, and captures the session cookie that the service issues in return. The attacker then replays that cookie, so multi-factor authentication (MFA), a cornerstone of modern defense, is satisfied exactly once by the victim and never asked of the attacker. The bypass works against any factor entered on the page (SMS or app codes, push approvals), because the kit simply relays it; it does not work against phishing-resistant methods such as FIDO2/WebAuthn, whose signed assertion is bound to the origin the browser is actually on. The report identifies these platforms as a key reason advanced phishing campaigns are so hard to combat.
These platforms also incorporate evasion techniques aimed at security researchers and automated scanners: geofencing, which serves the lure only to visitors whose IP address falls within the targeted ranges or regions and blocks everyone else; user-agent-based cloaking, which shows the phishing content only to specific device types, often only mobile browsers; and developer-tools detection, which disables the page when someone opens the browser's inspector. Cloudflare's challenge pages (CAPTCHAs) are frequently enabled as well, filtering out automated security scanners before they ever reach the kit.
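To make the mechanism concrete, the following is an added example (not code from the SicuraNext report, EvilProxy or Tycoon 2FA) that simulates the exchange with a toy identity provider and a relaying proxy: the victim's password and TOTP code are forwarded once, the issued session cookie is kept by the proxy and replayed later without any second factor. The hostnames, user, password, TOTP secret and timestamp are all constructed. A second scenario shows why an origin-bound WebAuthn credential is not captured the same way: the browser writes the page's real origin into the signed client data, so the identity provider rejects an assertion produced on the phishing host (signature verification is abstracted into a flag here).

```python
"""Adversary-in-the-middle (AiTM) session-cookie theft, simulated end to end.
Added example, not code from the SicuraNext report or any named phishing kit.
Hosts, accounts, secrets and timestamps are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"         # legitimate IdP (assumed)
PHISH_ORIGIN = "https://login.example-com.test"   # attacker's proxy host (assumed)


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; the standard algorithm with a constructed secret."""
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    """Toy IdP: password plus TOTP issues a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse",
                                "totp_secret": b"constructed-secret-1"}}
        self.sessions = {}

    def login(self, username, password, code, now):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(totp(user["totp_secret"], now), code):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username          # the cookie alone proves the session from here on
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def webauthn_login(self, username, client_data_origin, assertion_valid):
        """Simplified WebAuthn check: the signed clientDataJSON carries the origin the
        browser was actually on, and the relying party must reject any origin but its own.
        Cryptographic verification of the assertion is abstracted into assertion_valid."""
        if client_data_origin != REAL_ORIGIN or not assertion_valid:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie


class AitmProxy:
    """The phishing kit: relays the victim's submission to the real IdP and keeps the result."""

    def __init__(self, idp):
        self.idp = idp
        self.harvested = []

    def relay_login(self, username, password, code, now):
        cookie = self.idp.login(username, password, code, now)
        if cookie is not None:
            self.harvested.append({"user": username, "password": password, "cookie": cookie})
        return cookie   # the victim lands in a real session and sees nothing unusual


def run_totp_scenario(now=1_700_000_000):
    """Returns the identity the IdP attributes to the attacker's replayed cookie."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    code = totp(idp.users["alice"]["totp_secret"], now)   # what the victim reads off their app
    proxy.relay_login("alice", "correct horse", code, now)
    stolen = proxy.harvested[0]["cookie"]
    return idp.whoami(stolen)                             # "alice": MFA was consumed once, never re-asked


def run_webauthn_scenario():
    """Same victim, same proxy, but a FIDO2 credential: origin mismatch, no session."""
    idp = IdentityProvider()
    return idp.webauthn_login("alice", PHISH_ORIGIN, assertion_valid=True)   # None


if __name__ == "__main__":
    print("TOTP replay yields a session for:", run_totp_scenario())
    print("WebAuthn assertion made on the phishing origin yields:", run_webauthn_scenario())
```

The defensive lesson is in the last function: nothing the proxy can relay changes the origin the browser signs, which is why the report's MFA-bypass figures apply to relayed codes and approvals rather than to origin-bound credentials.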
The SicuraNext report also identified 20 distinct phishing clusters that share identical infrastructure fingerprints: rotated IP ranges, the same domain registrars, and consistent evasion patterns. That coordination points to professionally managed, large-scale operations rather than isolated, opportunistic attacks. Cloudflare's free tier, which includes DDoS protection and reverse-proxy service at no cost, is an attractive low-cost option for threat actors because the proxy hides the address of the origin server that actually hosts the kit.
The resulting concentration of malicious activity on AS13335, Cloudflare's primary autonomous system, has in the report's assessment made the platform a central hub for phishing operations globally. The volume and sophistication of these operations are a significant challenge for defenders facing threats that ride on legitimate infrastructure.
Cybersecurity firms will likely continue to focus on more robust ways of identifying and mitigating MFA-bypass techniques. The report suggests that proactive measures and collaboration between security providers and infrastructure companies such as Cloudflare will be crucial as phishing operations, and proxy-based attacks in particular, keep maturing.
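The kind of triage behind the report's numbers (resolution rate, share of hosts behind Cloudflare, clustering on shared fingerprints) can be reproduced on a candidate list with a short script. The following is an added example and not SicuraNext's methodology; the hostnames, resolved addresses, registrar names and evasion tags are constructed so it runs offline, and the `resolve_live` helper is only there for real lookups. The one external fact it relies on is Cloudflare's published IPv4 range list, which should be refreshed from the URL in the comment before use.

```python
"""Triage of suspected phishing hosts: DNS resolution rate, Cloudflare fronting,
and infrastructure-fingerprint clustering. Added example, not the SicuraNext
methodology. The observations below are constructed so the script runs offline;
resolve_live() is provided for real lookups and is not used by default."""
import ipaddress
import socket
from collections import defaultdict

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4), copied
# at the time of writing; refresh from that URL before relying on this list.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def behind_cloudflare(ip):
    """True if the address falls in a Cloudflare edge range, i.e. it is a proxy
    front and says nothing about where the phishing page is really hosted."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve_live(host):
    """Optional real lookup; returns [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed observations: host -> (resolved IPv4s, registrar, evasion techniques seen).
# Domains use .test; 198.51.100.0/24 is a documentation range, not a real hoster.
OBSERVATIONS = {
    "secure-login-verify.test": (["104.21.33.7"], "RegistrarA", ("geofence", "ua-cloak")),
    "mfa-check-portal.test":    (["172.67.140.22"], "RegistrarA", ("geofence", "ua-cloak")),
    "invoice-alert-2024.test":  ([], "RegistrarA", ("geofence", "ua-cloak")),  # not (yet) resolving
    "docs-share-review.test":   (["198.51.100.17"], "RegistrarB", ("devtools-block",)),
    "account-recover-now.test": (["104.16.0.9"], "RegistrarC", ("captcha",)),
}


def summarize(observations):
    """DNS resolution rate over all hosts, Cloudflare share over the resolving ones."""
    resolving = [h for h, (ips, _, _) in observations.items() if ips]
    fronted = [h for h in resolving if all(behind_cloudflare(ip) for ip in observations[h][0])]
    return {
        "resolution_rate": len(resolving) / len(observations),
        "cloudflare_share": len(fronted) / len(resolving) if resolving else 0.0,
        "behind_cloudflare": fronted,
    }


def cluster(observations):
    """Group hosts that share a registrar and an identical evasion pattern. The front
    IP is deliberately left out of the key: behind Cloudflare it rotates across the
    edge ranges and carries no origin information, so keying on it would split
    clusters that are really one operation. Non-resolving hosts still cluster."""
    groups = defaultdict(list)
    for host, (_, registrar, evasion) in observations.items():
        groups[(registrar, evasion)].append(host)
    return {key: hosts for key, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
    for key, hosts in cluster(OBSERVATIONS).items():
        print(key, "->", hosts)
```

On the constructed data four of five hosts resolve and three of those four sit behind Cloudflare, and the three RegistrarA hosts with the same geofence-plus-cloaking pattern fall into one cluster even though one of them does not currently resolve; swapping `OBSERVATIONS` for the output of `resolve_live` plus your own registrar and evasion observations turns this into a usable first pass.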