Last updated on February 24, 2023
Malicious actors launched a targeted phishing attack on Cloudflare’s employees. The attackers managed to trick some employees into opening a link to a malicious site and providing their login credentials. Physical Security Key MFA stopped the cyberattack and saved Cloudflare from getting compromised.
How Did The Targeted Phishing Attack on Cloudflare Work?
Cybercriminals gathered a list of phone numbers belonging to Cloudflare employees. It is still unclear how they got these phone numbers. What is known, however, is that hackers sent malicious text messages to at least 76 Cloudflare employees. The text messages contained a link to a domain that looked legitimate but was a phishing site. It had been registered via Porkbun less than 1 hour before the phishing scam started.
Cloudflare uses Okta as its identity provider. Clicking the link inside the phishing text message took employees to a phishing page that looked like a carbon copy of a legitimate Okta login page.
The phishing attack specifically targeted Multi-Factor Authentication based on Time-Based One-Time Passwords (TOTP). The phishing page prompted employees not only for their login and password but also for their TOTP passcodes. The page immediately relayed everything entered to the hackers, who would then presumably be able to use it on the victim's actual login page.


After the user completed both MFA factors, the phishing page was to initiate the download of AnyDesk’s remote access software. That software would allow hackers to control the victim’s machine remotely. No Cloudflare employee got to that final stage.
How Did Security Key MFA Save Cloudflare?
Cloudflare does not use TOTP codes for secondary authentication in MFA. Instead, every employee owns a FIDO2-compliant security key such as a YubiKey. These security keys are origin-bound: the key's response is tied to the site it was registered with, which makes them resistant to even the most sophisticated targeted phishing attacks.
Cloudflare claims three employees entered their login credentials on the illegitimate phishing site. Mercifully, even though hackers got these employees’ logins and passwords, they could not get past security key-based secondary authentication. The phishing-resistant mechanism of the FIDO U2F security keys thwarted cyberattackers and prevented any damage they could potentially cause to Cloudflare’s systems.
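The difference between a relayed TOTP code and an origin-bound security-key response, from the login server's side, as an added example (not Cloudflare's or Rublon's code). The hostnames, key and challenge are constructed, an HMAC stands in for the key's public-key signature, and the RP ID is taken to be the origin's host.

```python
import hashlib, hmac, json, struct

RP_ID, RP_ORIGIN = "login.example.com", "https://login.example.com"  # constructed
PHISH_ORIGIN = "https://login-example.test"  # constructed look-alike origin

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of secret and clock only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def _sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    # Stand-in: HMAC replaces the key's ECDSA signature to stay stdlib-only.
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def key_assert(key: bytes, origin: str, challenge: str):
    """Browser + security key. The browser, not the page, writes `origin`.
    Simplification: the RP ID is taken to be the origin's host."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    rp_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    auth_data = rp_hash + b"\x01" + struct.pack(">I", 1)  # flags=UP, counter=1
    return client_data, auth_data, _sign(key, auth_data, client_data)

def rp_verify(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: challenge, origin, RP ID hash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False
    return hmac.compare_digest(sig, _sign(key, auth_data, client_data))

def compare_factors() -> dict:
    secret, key, chal, now = b"12345678901234567890", b"constructed-key", "c2FtcGxl", 1_660_000_000
    relayed_code = totp(secret, now)  # typed into the look-alike page, then forwarded
    good = key_assert(key, RP_ORIGIN, chal)
    phished = key_assert(key, PHISH_ORIGIN, chal)
    rewritten = (phished[0].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode()),) + phished[1:]
    return {"totp_relayed": hmac.compare_digest(relayed_code, totp(secret, now + 5)),
            "key_real_site": rp_verify(key, chal, *good),
            "key_phished": rp_verify(key, chal, *phished),
            "key_origin_rewritten": rp_verify(key, chal, *rewritten)}

if __name__ == "__main__":
    print(compare_factors())
```

The forwarded TOTP code verifies because nothing in it records where it was typed, while the key's response made on the look-alike origin is rejected even if the origin field is rewritten afterwards, since the signed data still covers the look-alike host.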
Conclusion
The main takeaway is that FIDO2-compliant security keys cut a targeted phishing attack short by preventing hackers from gaining access to accounts. While Cloudflare’s response to the attack was sophisticated and included blocking the phishing domain and updating attack detections, these measures came later to improve the cyber defenses against future threats. It is the security keys that were the first line of defense and stopped the cybercriminals from accessing accounts.
Cost-Effective Security Key MFA
Rublon provides you with the security you need to fight modern cyber threats.
For just $2 per user per month, you can get sophisticated Multi-Factor Authentication that supports multiple authentication methods, including WebAuthn/U2F Security Keys.