*.workers.dev and *.pages.dev as benign. This post documents the abuse patterns, the detection signals that cut through the false-positive noise, and the network-policy posture that addresses Cloudflare-fronted threats without breaking your engineering team’s legitimate use.Cloudflare did not create this problem; their accessibility-and-scale dual mandate did. The free tier puts edge compute, DNS, CDN, and tunneling into anyone’s hands in <5 minutes with an email signup. The same product economics that empower legitimate developers empower phishing operators. Detection and policy must adapt, not blame.
The five abuse vectors
1. *.workers.dev phishing kits. Operator deploys a Cloudflare Worker that proxies the legitimate Microsoft 365 / banking login page (AiTM-style) or serves a static credential-harvesting form. Workers are free up to 100K requests/day; phishing campaigns rarely exceed this. URL: microsft-login.{operator-handle}.workers.dev.
2. *.pages.dev hosted phishing sites. Static phishing kits hosted on Cloudflare Pages — Pages is free, 500 builds/month, 100GB bandwidth. URL: secure-bank-login.pages.dev. Used heavily for Outlook and Microsoft 365 phishing in 2024-2025.
3. trycloudflare.com tunnels. Cloudflare’s free tunneling service proxies a local server through Cloudflare’s edge. Operator runs phishing kit on their own VPS, exposes via cloudflared tunnel --url localhost:8080, gets a https://<random>.trycloudflare.com URL. Used to defeat IP-based blocklisting; the kit’s true infrastructure stays hidden behind Cloudflare.
4. R2 storage for credential exfiltration. R2 is Cloudflare’s S3-compatible storage. Phishing kits POST harvested credentials to a worker that writes to R2; operator pulls from R2 weekly. Defenders see traffic to Cloudflare’s R2 endpoint, indistinguishable from legitimate use.
5. Cloudflare DNS proxying for malicious domains. Operator registers secure-bank-india.com, points it to Cloudflare DNS. CF’s free tier provides DDoS protection, TLS, IP masking. Defenders trying to block by origin IP must work through Cloudflare’s abuse process — slower than the campaign lifecycle.
Why URL categorisation fails
Most enterprise URL-filter products (Cisco Umbrella, Forcepoint, Zscaler) rate the parent domain (cloudflare.com, workers.dev, pages.dev) as “Computer/Internet Information.” They do not categorise individual subdomains because:
- Volume — millions of
*.workers.devsubdomains; categorisation infeasible. - Mixed traffic — most are legitimate developer projects; blanket-blocking breaks engineering workflows.
- Reputation drift — a worker URL is benign on Tuesday, weaponised on Thursday; categorisation is stale.
The result: end-users clicking m365-secure.{x}.workers.dev get a “trusted” categorisation and the URL filter waves them through.
Detection signals that work
- Domain age + Cloudflare-only DNS. Combination: domain registered <30 days ago AND only Cloudflare nameservers AND not in your organisational allow-list. High-confidence phishing precursor.
- Form-submission behaviour anomaly. Browser-extension or proxy-based DLP that detects: user types email + password into a form on
*.workers.dev, alert. Catches credential harvesting at the moment it would happen. - JA4 fingerprinting on workers.dev/pages.dev traffic. Modern threat-intel feeds (Cloudflare’s own, Recorded Future, Mandiant) publish JA4 fingerprints associated with known phishing-kit deployments. Match in your network egress.
- Email-link analysis at the gateway. Pre-delivery URL rewriting (Microsoft Defender for Office 365 SafeLinks, Proofpoint URL Defense) follow the link and inspect the destination — a Cloudflare-fronted phishing page renders identically to the real Microsoft login, but post-click telemetry catches credential entry.
- Microsoft Entra sign-in logs for new-IP authentication. AiTM phishing through Cloudflare proxies user sign-in. The user’s session ends up authenticating from a Cloudflare egress IP — Mountain View, San Francisco, etc. If your user base is Indian, sign-in from US Cloudflare egress is anomalous. KQL hunt:
SigninLogs | where TimeGenerated > ago(7d) | extend ip = tostring(IPAddress) | where ip startswith "104.16." or ip startswith "172.64." or ip startswith "162.158." | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultTypeCloudflare’s IPv4 ranges include 104.16.0.0/13, 172.64.0.0/13, 162.158.0.0/15. Sign-ins from these are suspicious if the user has no Cloudflare-resident infrastructure.
- Network egress monitoring for direct R2 / Workers API calls from non-developer endpoints. Finance team workstations have no business calling
r2.cloudflarestorage.com; if they are, investigate.
Policy posture — what to enforce vs. what to monitor
Enforce:
- Block
trycloudflare.comentirely. It is overwhelmingly used by attackers and rarely by legitimate developers in production. The few legitimate use-cases (developer demos) can use a different mechanism. - Block direct connections to
*.r2.cloudflarestorage.comfrom non-developer subnets. Developers should use named CNAMEs not raw R2 endpoints.
Monitor, alert on anomalies:
- Workers.dev / Pages.dev access from finance, HR, executive subnets. Whitelist specific developer subnets that legitimately use these.
- Cloudflare-egress sign-ins in Microsoft Entra ID for users with no expected Cloudflare-region travel.
Don’t blanket-block:
- Cloudflare’s CDN edge IPs — used by hundreds of thousands of legitimate sites including your own.
- Workers.dev / Pages.dev categorically — your own engineering team and many SaaS vendors use these.
Engaging Cloudflare’s abuse process
Cloudflare’s abuse reporting is at cloudflare.com/abuse. Reports for phishing campaigns get acted on within hours-to-days for clear cases. For organisational SOCs, build the workflow:
- Detect Cloudflare-fronted phishing targeting your org.
- Capture screenshot, full HTTP exchange, headers showing Cloudflare provenance.
- Submit to [email protected] with phishing-targeting-our-brand context.
- Cloudflare typically takes down workers/pages within 4-24 hours for clear phishing.
- For domain-on-Cloudflare-DNS phishing, Cloudflare doesn’t host the content but can revoke DNS service — slower but achievable.
The takedown is a defensive move; the next campaign is up within hours. Don’t view as a substitute for monitoring + user education + auth hardening.
FAQ
Should we block all workers.dev URLs corporate-wide?
Generally no — your engineering team likely uses workers.dev for legitimate prototypes and tooling. Selective blocking by user group (block for finance/HR/sales, allow for engineering) is more practical.
How does Cloudflare itself handle this abuse?
They run an active abuse-detection program; they take down clear phishing within hours; they don’t proactively scan every Worker for malicious code (would be infeasible and expensive). Their incentive structure is “respond to reports fast, don’t break legitimate use.” This is reasonable but means the responsibility shifts to defenders.
Are there alternatives — Vercel, Netlify, Render — with the same risks?
Yes. Anywhere with free serverless functions and free static hosting becomes phishing infrastructure. Vercel and Netlify are abused similarly though at lower volume than Cloudflare. The detection and policy posture generalises.
Does Cloudflare WAF catch phishing kits hosted on Workers?
Cloudflare’s WAF inspects traffic toward Cloudflare-protected origins. For Workers, the worker IS the application; there’s no WAF in the user-Worker path. Cloudflare does run heuristics on Worker code at deployment, but bypassed easily.
What about Cloudflare’s enterprise-tier abuse-prevention products?
Cloudflare One / Zero Trust offer URL filtering, browser isolation, and DLP — defensively useful but solve the problem from the customer side, not the Cloudflare-platform side. Worth evaluating; doesn’t address the fundamental asymmetry.
⚖️ Legal: This is defensive content. Reverse-engineering phishing kits hosted on Cloudflare Workers for research is generally lawful when the analysis is on samples you obtained legitimately (your own org’s incident, third-party threat-intel feed). Active probing of suspected phishing infrastructure may run afoul of CFAA / IT Act §66 — use sandboxed analysis on cloned infrastructure.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.