A Bucket of Phish: Attackers Shift Tactics with Cloudflare R2 Public Buckets

In our previous blog, we found a lot of phishing and scam URLs abusing Cloudflare services using and domains, respectively. We’re now seeing a lot of phishing emails with URLs abusing another Cloudflare service which is


What is Cloudflare R2?

Cloudflare R2 is a relatively new cloud storage service that allows developers to store large amounts of unstructured data without the costly egress bandwidth fees associated with typical cloud storage services.


Public Buckets on R2

Like AWS S3 and other cloud storage services, Cloudflare R2 offers public buckets, a feature that lets users expose the contents of an R2 bucket directly to the Internet. By default, buckets are not publicly accessible; exposing one always requires the owner to enable public access explicitly.

These public buckets are now being abused in a variety of phishing attacks, and their URLs are widely seen in phishing emails. The common URL structure is https://pub-{32 Hexadecimal String}


Phishing Emails Using Cloudflare R2 URLs

For the past 60 days, we saw more than 2,000 phishing emails containing phishing URL links abusing service. The subjects of the phishing emails contain alarming or common keywords like statement paid, upgrade mail, purchase order, etc.

This phishing email sample imitates Adobe Acrobat in its From header, but the sender address does not belong to a legitimate Adobe Acrobat domain and appears to be auto-generated. It also uses ‘Statement Paid’ in the subject to lure the victim into opening the email:



Figure 1. The email header of the phishing email imitating Adobe Acrobat


Figure 1.2. The phishing email showing an approved payment


The clickable link hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html in the phishing email leads to a phishing site that imitates Adobe:


Figure 2. Screenshot of the fake Adobe site


Looking deeper into the source code of the phishing page, we can see that the victim's credentials are posted to another phishing URL via an Ajax request:


Figure 2.1. The source code containing another phishing URL pointing to a PHP file


Another phishing email sample we found contains the subject keywords ‘purchase order’ and an image attachment of a fake purchase order:


Figure 3. The email header of the phishing email pretending to be related to a purchase order



Figure 3.1. The email with PNG attachment of the fake purchase order


The PNG file attached to the phishing email is very small, which makes it hard to zoom in, so the list of purchased items is not legible.

There is also a phishing URL, hxxps://pub-3f02c99abcf44a4b92babb3b3c5356d6[.]r2[.]dev/index[.]html?, that leads to a fake Microsoft Excel spreadsheet log-in page.



Figure 4. The phishing site of Microsoft Excel


The source code of this phishing page uses the JavaScript atob method to decode a base64-encoded string that holds the redirection URL where the stolen credentials will be posted.


Figure 4.1. The source code containing the base64-encoded string


Decoding the base64 string leads to a phishing URL abusing the SharePoint site hxxps://regionalmanagers-my[.]sharepoint[.]com/:b:/p/ivan/EVhCMbG-roNHisHIx3fXqXkBATy7wZKPXYQsdKYIS5rgWA?e=1XABKN/ which contains the name of the possible owner of the SharePoint account.
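The two indicators discussed above, the pub-{32 hex}.r2.dev hostname pattern and a base64 string handed to atob() in the page source, can be checked with a short script. This is an added example, not SpiderLabs' code; the email body, HTML fragment and every URL in it are constructed samples, not indicators from this post.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not from the original post): an email body and a
# fragment of phishing-page HTML that hides its exfiltration URL in atob().
SAMPLE_EMAIL = """Your statement has been paid. Review it here:
https://pub-0123456789abcdef0123456789abcdef.r2.dev/indexR.html
Support: https://www.example.com/help
"""
SAMPLE_HTML = """<script>
var target = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcG9zdC5waHA=");
window.location = target;
</script>"""

# Public R2 bucket hostnames: "pub-" + 32 hex chars + ".r2.dev", as described
# in the post. Matched on the hostname only, so lookalike paths are not flagged.
R2_PUBLIC_HOST = re.compile(r"^pub-[0-9a-f]{32}\.r2\.dev$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

def is_r2_public_bucket_url(url: str) -> bool:
    """True when the URL's host is a Cloudflare R2 public bucket."""
    host = urlsplit(url).hostname or ""
    return R2_PUBLIC_HOST.match(host) is not None

def find_r2_urls(text: str) -> list[str]:
    """Return every R2 public-bucket URL found in an email body."""
    return [u for u in URL_RE.findall(text) if is_r2_public_bucket_url(u)]

def decode_atob_urls(html: str) -> list[str]:
    """Decode base64 literals passed to atob() and keep those that are URLs."""
    found = []
    for b64 in ATOB_RE.findall(html):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip rather than crash
        if decoded.startswith(("http://", "https://")):
            found.append(decoded)
    return found

if __name__ == "__main__":
    print("R2 bucket URLs:", find_r2_urls(SAMPLE_EMAIL))
    print("atob() exfiltration URLs:", decode_atob_urls(SAMPLE_HTML))
```

Run over a mail gateway's quarantined messages, the first function gives a cheap triage signal and the second surfaces the credential drop-off URL that the visible page hides.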


Cloudflare R2 Phishing URLs in VirusTotal

Over the same 60 days, we also observed more than 25,000 such phishing URLs in our VirusTotal telemetry, many of which have multiple vendor detections, as shown by the count in the positives column.



Figure 5. Screenshot of the Cloudflare R2 URLs seen in VirusTotal for the last 60 days


Figure 5.1. Different Cloudflare R2 phishing URLs seen in VirusTotal



Cloud storage services are now widely used, especially for file backups or for hosting large databases. However, these services are also being abused, so links seen in emails deserve scrutiny, specifically those pointing to public buckets, where the URL host starts with https://pub- and ends with as they are being used in phishing attacks. Staying alert and keeping up with security news are the best ways to avoid becoming a victim of phishing attacks and getting caught up in a bucket of phish.

Trustwave MailMarshal has protections for these phishing email campaigns, and via click-time scanning of the URLs.
