
Security Key MFA Stops Phishing Attack on Cloudflare

August 16, 2022 By Rublon Authors

Last updated on February 24, 2023

Malicious actors launched a targeted phishing attack on Cloudflare’s employees. The attackers managed to trick some employees into opening a link to a malicious site and providing their login credentials. Physical Security Key MFA stopped the cyberattack and saved Cloudflare from getting compromised.

How Did The Targeted Phishing Attack on Cloudflare Work?

Cybercriminals gathered a list of phone numbers belonging to Cloudflare employees. It is still unclear how they got these phone numbers. What is known, however, is that hackers sent malicious text messages to at least 76 Cloudflare employees. The text messages contained a link to a domain that looked legitimate but was a phishing site. It had been registered via Porkbun less than 1 hour before the phishing scam started.

Cloudflare uses Okta as its identity provider. Clicking the link inside the phishing text message took employees to a phishing page that looked like a carbon copy of a legitimate Okta login page.

The phishing attack specifically targeted Multi-Factor Authentication based on Time-Based One-Time Passwords (TOTP). The phishing page prompted employees not only for their login and password but also for their TOTP passcodes. The page immediately relayed everything entered to the hackers, who presumably would then be able to use it on the victim's actual login page.

Image showing how the hacking of the first factor worked during the Cloudflare attack
Image showing how the hacking of the first factor was supposed to work during the Cloudflare attack

After the user completed both MFA factors, the phishing page was to initiate the download of AnyDesk’s remote access software. That software would allow hackers to control the victim’s machine remotely. No Cloudflare employee got to that final stage.

How Did Security Key MFA Save Cloudflare?

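Cloudflare does not use TOTP codes for secondary authentication in MFA. Instead, every employee owns a FIDO2-compliant security key such as a YubiKey. These security keys are origin-bound: the response a key produces is tied to the domain of the site that requested it, so a response obtained on a phishing domain is not valid on the real login page. This makes them resistant to even the most sophisticated targeted phishing attacks.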

Cloudflare claims three employees entered their login credentials on the illegitimate phishing site. Mercifully, even though hackers got these employees’ logins and passwords, they could not get past security key-based secondary authentication. The phishing-resistant mechanism of the FIDO U2F security keys thwarted cyberattackers and prevented any damage they could potentially cause to Cloudflare’s systems.
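
An added example (not from the original post or from Cloudflare): the relying-party checks that make a security key response origin-bound, in contrast to a TOTP code, which is valid wherever it is typed. The domains, challenge and key are constructed, and an HMAC stands in for the authenticator's public-key signature so the example needs only the standard library.

```python
import hashlib, hmac, json, struct

RP_ID = "login.example.com"  # constructed relying-party ID (assumption)
EXPECTED_ORIGIN = "https://login.example.com"
CRED_KEY = b"constructed-demo-key"  # HMAC stand-in for the credential key pair


def make_assertion(origin, rp_id, challenge, counter=1):
    """Browser + security key side. The browser, not the page, fills in origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # stand-in signature
    return client_data, auth_data, sig


def verify_assertion(client_data, auth_data, sig, challenge):
    """Relying-party side. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(auth_data) < 37:
        return False, "truncated authenticatorData"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    # The signature covers authData and the hash of clientDataJSON, so neither
    # the origin nor the RP ID hash can be rewritten after the key has signed.
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    ch = "Y29uc3RydWN0ZWQ"  # constructed challenge issued by the real site
    print(verify_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # Key touched while the browser is on a look-alike domain (constructed):
    print(verify_assertion(*make_assertion("https://login.example.net", "login.example.net", ch), ch))
```

A real authenticator also scopes each credential to its RP ID, so on a look-alike domain it would not offer the credential at all; sharing one key across both calls here is a simplification that favours the attacker and the checks still reject the response.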

Conclusion

The main takeaway is that FIDO2-compliant security keys cut a targeted phishing attack short by preventing hackers from gaining access to accounts. While Cloudflare’s response to the attack was sophisticated and included blocking the phishing domain and updating attack detections, these measures came later to improve the cyber defenses against future threats. It is the security keys that were the first line of defense and stopped the cybercriminals from accessing accounts.

Cost-Effective Security Key MFA

Rublon provides you with the security you need to fight modern cyber threats.

For just $2 per user per month, you can get sophisticated Multi-Factor Authentication that supports multiple authentication methods, including WebAuthn/U2F Security Keys.
