Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

Phishing campaigns are abusing Cloudflare Workers in two ways. One injects malicious content that is hidden by HTML smuggling, in a manner similar to the Azorult malware. The other uses Cloudflare Workers as a transparent proxy that relays the victim's traffic to the real login page and steals credentials for services such as Microsoft, Gmail, and Yahoo Mail. These campaigns target users in Asia, North America, and Southern Europe, particularly in the tech, finance, and banking sectors.

Attackers are abusing Cloudflare Workers, a free serverless platform for deploying applications, to host phishing sites. The platform lets them create malicious applications with custom domains under the workers.dev subdomain and distribute them freely. The rise in the number of domains and applications hosting the attacks suggests continuous efforts by attackers to evade detection and takedowns. It also highlights the common practice of abusing free cloud services for phishing and the effectiveness of targeting popular cloud platforms.

[Figure: unique user traffic per quarter]

While the overall traffic volume appears to have stabilized, the number of distinct malicious applications hosted on Cloudflare Workers keeps growing, indicating a concerning trend of attackers adopting this technique. Attackers are using HTML smuggling with Cloudflare Workers to bypass network defenses and deliver phishing pages.
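Two of the defensive signals implied by the article are cheap to check: a landing page that decodes an embedded payload in the browser and hands it over as a download (the HTML smuggling pattern), and outbound requests to hosts under workers.dev, which is where the free-tier applications live. The following triage script is an added example written for this page; it is not code from the GBHackers article or from Cloudflare. The HTML fixtures, the proxy-log format, the `placeholder-app.workers.dev` hostname, the indicator list and the scoring threshold are all constructed assumptions, and the suspicious fixture carries a meaningless base64 literal rather than a real payload.

```python
"""Heuristic triage for HTML-smuggling pages and workers.dev proxy hits.

Added example, not from the article. Every sample page, log line,
hostname and threshold below is constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Any hostname under workers.dev (the free Cloudflare Workers subdomain the
# article mentions). Campaigns on custom domains will not match this.
WORKERS_DEV_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)+workers\.dev(?:/[^\s\"'<>]*)?", re.I
)

# Indicators that tend to co-occur in HTML smuggling: the payload is decoded
# client-side, wrapped in a Blob and offered to the browser as a download.
SMUGGLING_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "large_base64_literal": re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}"),
}


@dataclass
class Verdict:
    score: int
    hits: list
    workers_urls: list


def analyse_html(html: str) -> Verdict:
    """Score one HTML document on smuggling indicators and workers.dev references."""
    hits = [name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html)]
    urls = sorted({m.group(0) for m in WORKERS_DEV_RE.finditer(html)})
    # One point per indicator; a workers.dev reference adds two, because on its
    # own it is only a weak signal (legitimate apps are hosted there as well).
    score = len(hits) + (2 if urls else 0)
    return Verdict(score, hits, urls)


def is_smuggling_candidate(verdict: Verdict, threshold: int = 3) -> bool:
    """Constructed threshold: three or more points is worth an analyst's look."""
    return verdict.score >= threshold


def flag_proxy_lines(lines):
    """Return (user, url) pairs whose destination is a workers.dev host.

    Constructed log format: '<timestamp> <user> <method> <url>'.
    """
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        user, url = parts[1], parts[3]
        if WORKERS_DEV_RE.fullmatch(url):
            flagged.append((user, url))
    return flagged


# --- constructed fixtures ---------------------------------------------------
BENIGN_HTML = (
    '<html><body><h1>Quarterly report</h1><img src="chart.png">'
    '<script>document.title = "Report";</script></body></html>'
)

# Indicator-bearing fixture only: the base64 literal is filler and there is no
# click or DOM insertion, so this page does nothing if opened.
SUSPICIOUS_HTML = (
    '<html><body>'
    '<img src="https://placeholder-app.workers.dev/assets/logo.png">'
    '<script>'
    'var b = atob("' + "A" * 2400 + '");'
    'var blob = new Blob([b]);'
    'var a = document.createElement("a");'
    'a.href = URL.createObjectURL(blob);'
    'a.download = "invoice.pdf";'
    '</script></body></html>'
)

SAMPLE_PROXY_LOG = [
    "2024-05-29T08:14:02Z alice GET https://www.example.com/",
    "2024-05-29T08:14:05Z bob GET https://placeholder-app.workers.dev/login",
    "2024-05-29T08:14:09Z carol GET https://mail.example.com/inbox",
]

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        v = analyse_html(page)
        print(label, v.score, v.hits, v.workers_urls, is_smuggling_candidate(v))
    print(flag_proxy_lines(SAMPLE_PROXY_LOG))
```

The score is deliberately additive rather than a single regex so that an analyst can see which indicators fired; a page that only references workers.dev scores 2 and stays below the threshold, while a page that decodes and downloads an embedded blob crosses it whether or not it is hosted on Cloudflare.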

Source: GBHackers
