
How One Large Tech Company Thwarted a Highly Sophisticated Phishing Attack

Cloudflare says a reliance on physical security keys, robust cybersecurity tools and awareness helped stop a sophisticated phishing attack.

August 11, 2022 Zachary Comeau


Phishing attacks are becoming all too common, and they are becoming increasingly sophisticated, leveraging text messages to trick employees into clicking links. However, the use of multi-factor security keys, robust security practices and a strong culture of security can help thwart them, as evidenced by a recent attack against Cloudflare.

The web performance and security provider, in a recent blog, says it was the target of a sophisticated phishing attack in which over 100 employees got text messages on their work and personal phones, with some messages also being sent to employees’ family members.

It’s unclear how attackers assembled the list of employee phone numbers, but the company says it stopped the attack thanks to its use of Cloudflare One products and the physical security keys that employees are required to use to access applications.

In a blog, the company says the attack appears similar to one that led to the compromise of some Twilio employee accounts. The attack included messages to employee phones that purported to be from its IT department asking employees to log in to a fake URL, using words like Twilio, Okta and SSO to try and trick users into clicking the link.

Calling the attack highly sophisticated, Cloudflare says it would result in a security breach at most organizations.

Similar to Twilio, Cloudflare employees began receiving legitimate-looking texts pointing to what looked like a Cloudflare Okta login page. Over the course of a minute, at least 76 employees got similar messages on their work and personal phones.

They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com. That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.
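A check a defender could build from the registration detail above, as an added example (not Cloudflare's detection or code from the article): flag a host seen in DNS or proxy logs when its registrable domain contains the brand name, is not company-owned, and was registered within the last 24 hours. The lure keywords, allowlist, threshold, function names and every sample row except the first host and its registration time are assumptions.

```python
from datetime import datetime, timedelta, timezone

BRAND_TOKENS = ("cloudflare",)                 # brand named in the article
LURE_TOKENS = ("okta", "sso", "login", "vpn")  # assumed lure keywords; tune per organization
OWNED_DOMAINS = {"cloudflare.com"}             # assumed allowlist of company-controlled domains
MAX_AGE = timedelta(hours=24)                  # assumed "newly registered" threshold

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, registered, first_seen):
    """Return None for benign hosts, else (severity, age) for a new lookalike."""
    base = registrable(host)
    if base in OWNED_DOMAINS:
        return None
    name = base.rsplit(".", 1)[0]
    if not any(b in name for b in BRAND_TOKENS):
        return None
    age = parse_utc(first_seen) - parse_utc(registered)
    if age > MAX_AGE:
        return None
    severity = "high" if any(l in name for l in LURE_TOKENS) else "medium"
    return severity, age

# Constructed sample: (host, registration time from WHOIS/RDAP enrichment, first seen in logs).
# Only the first host and its registration time come from the article.
EVENTS = [
    ("cloudflare-okta.com", "2022-07-20 22:13:04", "2022-07-20 22:50:00"),
    ("dash.cloudflare.com", "2010-01-01 00:00:00", "2022-07-20 22:51:00"),
    ("cloudflare-fans.example", "2015-03-01 00:00:00", "2022-07-20 22:52:00"),
    ("okta-help.example", "2022-07-20 21:00:00", "2022-07-20 22:53:00"),
]

def alerts(events=EVENTS):
    out = []
    for host, registered, first_seen in events:
        verdict = classify(host, registered, first_seen)
        if verdict:
            out.append((host, verdict[0], int(verdict[1].total_seconds() // 60)))
    return out

if __name__ == "__main__":
    for row in alerts():
        print(row)
```

A lookalike domain that was registered long before use passes this rule, so it complements brand monitoring rather than replacing it.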

Since Cloudflare uses Okta as its identity provider, the phishing page seemed legitimate, as it was designed to look identical to a legitimate Okta login page.

When credentials were entered on the phishing page, they were relayed to attackers via Telegram. Simultaneously, the phishing page would prompt for a Time-based One-Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real time and enter them in a victim company’s actual login page; for many organizations, that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

The company says three employees fell for the phishing message and entered credentials, but since the company uses FIDO2-compliant security keys and not TOTP codes, attackers could not get past the hard key requirement.
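The difference described above, as an added example (not code from Cloudflare or the article): a TOTP code verifies no matter which site the user typed it into, while the origin and RP ID checks a FIDO2/WebAuthn relying party performs reject an assertion produced on cloudflare-okta.com. The origin `https://sso.example.com`, the function names and all sample values are assumptions, and signature verification is omitted.

```python
import hashlib, hmac, json, struct

RP_ID = "sso.example.com"                    # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://sso.example.com"  # assumed real login origin (placeholder)
PHISH_HOST = "cloudflare-okta.com"           # lookalike domain named in the article

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, now):
    # A TOTP code says nothing about which site the user typed it into.
    return hmac.compare_digest(totp(secret, now), submitted)

def browser_client_data(origin, challenge):
    # The browser, not the page's script, records the origin that was loaded.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def authenticator_data(rp_id):
    # authenticatorData starts with SHA-256(rpId), then flags (0x01 = user present) and a counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)

def server_accepts_assertion(client_data, auth_data, challenge):
    # Relying-party checks on origin and RP ID. Verifying the signature over
    # authenticatorData || SHA-256(clientDataJSON) is omitted in this sketch.
    cd = json.loads(client_data)
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    return (cd.get("type") == "webauthn.get" and cd.get("challenge") == challenge
            and cd.get("origin") == EXPECTED_ORIGIN
            and hmac.compare_digest(auth_data[:32], rp_hash))

def demo():
    # Constructed secret, timestamp and challenge.
    secret, now, challenge = b"constructed-secret", 1658355000, "Y29uc3RydWN0ZWQ"
    typed_on_phish = totp(secret, now)  # user reads the code, enters it on the wrong site
    return {
        "totp_relayed": server_accepts_totp(secret, typed_on_phish, now + 10),
        "fido2_from_phish": server_accepts_assertion(
            browser_client_data("https://" + PHISH_HOST, challenge),
            authenticator_data(PHISH_HOST), challenge),
        "fido2_from_real": server_accepts_assertion(
            browser_client_data(EXPECTED_ORIGIN, challenge),
            authenticator_data(RP_ID), challenge),
    }

if __name__ == "__main__":
    print(demo())
```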

The phishing page was not only after credentials and TOTP codes, but would also initiate the download of a payload that included AnyDesk remote access software. That would have allowed an attacker to control a victim’s machine remotely, but the attackers never got to that step in the Cloudflare case, the company says, adding that endpoint security software would have stopped the installation anyway.

Cloudflare says it took five main actions, including blocking the phishing domain using Cloudflare Gateway, resetting compromised credentials, shutting down the attacker’s infrastructure, updating detections to identify further attacks and auditing service access logs.

The company says the attack reinforced the importance of using security keys to prevent phishing attacks, using security tools (Cloudflare’s own technology) and having a “paranoid but blame-free culture.”
