Cloudflare Security Brief: 2023 Insights

The Cloudflare Security Brief highlights a significant increase in cyber threats from Q2 2023 to Q1 2024, including record-breaking DDoS attacks, rapid vulnerability exploitation, and persistent phishing attempts. Organizations are urged to adapt their security strategies, particularly focusing on API exposure and the implications of generative AI, while implementing Zero Trust frameworks to enhance protection. The brief provides insights and recommendations for security leaders to prioritize effective controls and ensure resilience against evolving threats.


Cloudflare Security Brief
Threats against people, apps, and infrastructure

Table of contents

3 Executive summary
4 Key findings
5 DDoS attacks
8 Vulnerability exploitation
9 Phishing threats
10 API exposure
11 LLM risks
12 Zero Trust adoption
13 Recommendations
21 Appendix

Cloudflare Security Brief 2


Executive summary

From Q2 2023 – Q1 2024, Cloudflare observed threat activity moving bigger and faster. This included record-breaking DDoS attacks, vulnerability weaponization just 22 minutes after a proof-of-concept was published, and hundreds of millions of phishing attacks.

Threat actors weren't the only ones to evolve; organizations changed too. Increased investments in cloud, applications, and, especially, artificial intelligence (AI) fundamentally changed how organizations need to think about defining and defending their attack surface. Maintaining security in turbulent times will require both knowledge and action.

The Cloudflare Security Brief, drawn from observations, experience, and data from Cloudflare's global cloud network, provides security leaders with insights into threats including DDoS attacks, vulnerability exploitation, and phishing. It also spotlights emerging risks that security leaders need to prepare for: APIs and AI. Lastly, this brief examines how organizations are implementing Zero Trust to keep their people, applications, and infrastructure safe.

Security leaders can use the insights and recommendations provided to prioritize their efforts on effective controls that ensure resiliency in the coming years.

Methodology

Operating one of the largest global cloud networks across 310 cities, Cloudflare protects approximately 20% of the web. This unique vantage point across the Internet provides extensive visibility into threat activity, enabling Cloudflare to stop an average of 182 billion cyber threats each day.

The findings in this brief are primarily based on aggregated traffic patterns observed across Cloudflare's global network between April 1, 2023 and March 31, 2024.
Key findings

DDoS attacks grew in size and complexity
In 2023 Cloudflare detected multiple record-breaking DDoS campaigns, with hyper-volumetric attacks peaking at 201 million requests per second.

Organizations must prepare for rapid weaponization
Cloudflare observed attempted exploitation of a new vulnerability just 22 minutes after a proof-of-concept was published.[1]

Phishing attacks show no signs of slowing down
After nearly 30 years of attacks, phishing remains a top threat. 48% of phishing attacks try to get users to click on a deceptive link.[2]

Organizations have larger API attack surfaces than they think
APIs are a prime target for attackers targeting data. Cloudflare found 33% more API endpoints through machine learning than what customers self-reported, on median.[3]

Generative AI investments create new attack targets
Custom large language models (LLMs) are a veritable goldmine for attackers. Organizations that invest in LLMs must understand the three types of LLMs and the risks they create.

VPN replacement is frequent in Zero Trust adoption
75% of cyber security & IT professionals implementing Zero Trust report that they have replaced or plan to move away from VPNs for all employees.[4]


DDoS attacks

DDoS grew in size and complexity

Distributed denial of service (DDoS) attacks are evolving. No longer a low-level annoyance, Cloudflare observes DDoS used as a tool for external threat actors to interfere with government functions and business continuity. For example, in November 2023, OpenAI's ChatGPT faced outages due to DDoS attacks, impacting millions of users.[5]

DDoS remains a top attack method for threat actors, and in 2023 those attacks reached new heights. In Q3 2023, Cloudflare discovered a persistent and deliberately engineered campaign of thousands of hyper-volumetric DDoS attacks. Our systems detected and mitigated the largest attack we've ever seen — 201 million requests per second (rps) — which was almost eight times larger than our previous record in 2022 of 26 million rps.

The attacks exploited a vulnerability in the HTTP/2 protocol called Rapid Reset, which leverages HTTP/2's stream cancellation feature by sending a request and immediately canceling it over and over. It is likely that the threat actors deliberately tested the exploit against Cloudflare's network because of its size – very few organizations can absorb DDoS attacks at this scale.

One crucial thing to note is that this technique dispels the myth that a large number of bots are necessary to participate in an attack. It used a modestly-sized botnet, consisting of roughly 20,000 hosts. Cloudflare regularly detects botnets that are orders of magnitude larger than this.

HTTP/2 vulnerabilities continue to be discovered, such as the April 2024 discovery of CONTINUATION Flood, which has the potential to crash a web server with a single TCP connection. Cloudflare expects that threat actors will continue to exploit vulnerabilities in Internet protocols to scale DDoS attacks and wreak havoc.

Largest HTTP DDoS attacks (peak rate by year, in million requests per second)

Year   Peak rate
2019   3M rps
2020   8M rps
2021   17M rps
2022   26M rps
2023   201M rps
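The Rapid Reset pattern described above (open a stream, cancel it immediately, repeat) can be picked out of server-side HTTP/2 frame telemetry. The following detector is an added example, not Cloudflare's mitigation logic; it assumes a constructed one-event-per-line log format and arbitrary thresholds (100 quick cancels per second per connection), which a real deployment would tune to its own traffic.

```python
"""Detect the Rapid Reset pattern in a per-connection HTTP/2 frame log.

Rapid Reset abuses HTTP/2 stream cancellation: the client opens a stream
(HEADERS), cancels it almost immediately (RST_STREAM), and repeats this
hundreds of times per second on a single connection.  Servers do work for
every opened stream, so a small botnet can generate a very large request
rate.  This detector flags a connection when the number of streams
"opened and cancelled within cancel_after_s" seen in a sliding window
exceeds a threshold.  The log format below is a constructed simplification
for this example (one frame event per line), not a Cloudflare log format.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ConnState:
    """Per-connection bookkeeping."""
    open_streams: dict = field(default_factory=dict)      # stream_id -> HEADERS timestamp
    rapid_cancels: deque = field(default_factory=deque)   # timestamps of quick cancels


def parse_event(line):
    """Parse '<seconds> <conn_id> <event> <stream_id>'. Events are HEADERS,
    RST_STREAM, or END_STREAM (a constructed stand-in for a stream that
    completed normally)."""
    ts, conn, event, sid = line.split()
    return float(ts), conn, event, int(sid)


def detect_rapid_reset(lines, window_s=1.0, cancel_after_s=0.05, threshold=100):
    """Return {conn_id: peak_rapid_cancels_in_window} for flagged connections.

    A stream counts as a rapid cancel when RST_STREAM arrives no later than
    cancel_after_s after its HEADERS frame.  Legitimate cancels (a user
    navigating away after a response has started) usually come later and far
    less often, so they stay below the threshold.
    """
    states = defaultdict(ConnState)
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, conn, event, sid = parse_event(line)
        st = states[conn]
        if event == "HEADERS":
            st.open_streams[sid] = ts
        elif event == "END_STREAM":
            st.open_streams.pop(sid, None)
        elif event == "RST_STREAM":
            opened_at = st.open_streams.pop(sid, None)
            if opened_at is None or ts - opened_at > cancel_after_s:
                continue  # cancel of an unknown or long-running stream: not rapid
            st.rapid_cancels.append(ts)
            # Slide the window: drop cancels older than window_s.
            while ts - st.rapid_cancels[0] > window_s:
                st.rapid_cancels.popleft()
            if len(st.rapid_cancels) > threshold:
                flagged[conn] = max(flagged.get(conn, 0), len(st.rapid_cancels))
    return flagged


def make_sample_log():
    """Constructed sample: one benign browser connection and one connection
    that opens and immediately cancels 300 streams within 0.6 seconds."""
    lines = []
    for i in range(20):  # benign: streams complete; an occasional late cancel
        sid, t = 2 * i + 1, i * 0.05
        lines.append(f"{t:.3f} c_benign HEADERS {sid}")
        if i % 5 == 0:
            lines.append(f"{t + 0.2:.3f} c_benign RST_STREAM {sid}")
        else:
            lines.append(f"{t + 0.03:.3f} c_benign END_STREAM {sid}")
    for i in range(300):  # rapid reset: HEADERS, then RST_STREAM 1 ms later
        sid, t = 2 * i + 1, i * 0.002
        lines.append(f"{t:.3f} c_attack HEADERS {sid}")
        lines.append(f"{t + 0.001:.3f} c_attack RST_STREAM {sid}")
    return lines


if __name__ == "__main__":
    for conn, peak in detect_rapid_reset(make_sample_log()).items():
        print(f"{conn}: {peak} rapid stream cancels within 1 s")
```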


Most attacked industries

Segmenting application-layer DDoS attacks by industry, we see the five most targeted industries were gaming/gambling, IT/Internet, cryptocurrency, computer software, and marketing/advertising. Gaming/gambling frequently tops our list for most attacked industry due to people seeking to gain a competitive advantage in gaming.

However, DDoS attacks are widespread – these are not the only industries that should prioritize mitigations. Normalizing DDoS attacks by an industry's total volume of traffic allows us to identify which industries have outsized targeting relative to their smaller size. Biotechnology, transportation, cryptocurrency, events services, and chemicals are the most attacked industries relative to their total traffic volume.

Application-layer DDoS attacks by top industries, divided by volume of worldwide DDoS traffic:
1. Gaming and Gambling
2. IT and Internet
3. Cryptocurrency
4. Computer software
5. Marketing and Advertising
6. Telecommunications
7. Retail
8. Adult entertainment
9. Banking, Financial services, and Insurance
10. Manufacturing

Application-layer DDoS attacks by top industries, divided by traffic of each industry:
1. Biotechnology
2. Transportation
3. Cryptocurrency
4. Events services
5. Chemicals
6. Accounting
7. Wholesale
8. Farming
9. Gaming and Gambling
10. Environmental Services


Most attacked industries by region

[Map figure: most attacked industry per region. Regions labelled: Asia, Europe, NAMER, Middle East, Africa, LATAM, Oceania. Industries shown on the map: Gaming and Gambling, Marketing and Advertising, IT and Internet, Farming, Telecom.]


Vulnerability exploitation

Threat actors exploit vulnerabilities faster than organizations can patch them

Thanks to advancements in cloud and AI, organizations build code faster than ever. Unfortunately, Cloudflare also sees threat actors weaponizing vulnerabilities at breakneck speed.

Take CVE-2024-27198, a vulnerability that allows for a complete compromise of a vulnerable TeamCity server, including unauthenticated remote code execution. Cloudflare observed attempted exploitation just 22 minutes after proof-of-concept code was published.

Meanwhile, vulnerabilities are discovered at an overwhelming pace. There were more than 5000 critical vulnerabilities disclosed in 2023,[6] yet the mean time to remediate a critical severity web application vulnerability is 35 days.[7] Organizations can't keep pace with patching. Combine that with the fact that there were nearly 100 zero-day vulnerabilities in 2023, up 50% from 2022,[8] and it's no surprise that vulnerability management is such a struggle for many organizations.

What does this add up to? An overwhelming number of emergency response moments for organizations when new zero-days and critical vulnerabilities are disclosed.

CVE-2024-27198 Vulnerability Timeline | March 4th

14:00 UTC  JetBrains releases the TeamCity 2023.11.4 update
14:59 UTC  JetBrains publicly discloses CVE-2024-27198
19:23 UTC  Rapid7 shares a blog, including proof-of-concept exploitation
19:45 UTC  Cloudflare observes attempted exploitation

Stopping zero-days before day zero

It's not all bad news. Advances in machine learning are providing critical capabilities to zero-day prevention. Using machine learning, it is possible to stop previously unknown zero-day attacks from the very moment they're first attempted, as Cloudflare demonstrated when blocking the Ivanti Connect Secure VPN vulnerability.


Phishing threats

Phishing attacks show no signs of slowing down

Phishing is an attempt to get a user to take an action such as downloading malware, clicking links to harvest credentials, or transferring money. Phishing has plagued organizations for decades and shows no signs of slowing down. In fact, 9 out of 10 successful cyber attacks start with phishing.

Over a 12-month period, Cloudflare processed more than 15 billion emails, providing visibility into popular phishing tactics and trends.

Deceptive links were the #1 phishing tactic, included in 48% of all malicious emails. Links remain popular because of the various ways in which links can be masked to retain authenticity, including link shorteners for deferred attacks or QR codes that pivot users to a less secure mobile experience.

Business email compromise (BEC) represents a much smaller percentage of phishing volume at 1%, but its financial impact cannot be ignored. In 2023, the Federal Bureau of Investigation (FBI) reported BEC losses of more than $50 billion in a 1 year period.

Top threat categories in malicious emails

[Bar chart; x-axis: percentage of all malicious emails, 0% to 50%. Categories in chart order: Deceptive Link, Domain Age, Extortion, Identity Deception, Credential Harvester, Brand Impersonation, ASN Reputation, Attachment, Account Compromise, Scam, BEC, Voice Phishing.]

Detailed descriptions of the above-noted categories can be found in the Appendix.

AI-driven phishing attacks

Recently, AI has been much hyped as an offensive boon to increase personalization and speed in phishing emails. While Cloudflare's email security analysts observed an increase in LLM-written phishing emails, AI's impact on successful phishing attempts against enterprises is relatively minimal.

Advancements in machine learning and artificial intelligence help defenders too. Employing a range of analytic techniques across technical email structure, text sentiment, and historic communication patterns can reliably stop LLM-generated phishing attacks.


API exposure

The growing risks and rewards of APIs

APIs help organizations integrate and operate their environments to fuel competitive advantages — with greater business intelligence, swifter cloud deployments, and more. And they're heavily used: today, APIs outpace other Internet traffic, comprising more than half (58%) of the dynamic Internet traffic processed by Cloudflare last year.[9]

However, as the API economy grows, so do the problems of loss of control and complexity with API development, management, and security.

APIs are increasingly complex to manage and protect against abuse. Unprotected APIs can lead to data exposure, unpatched vulnerabilities, data compliance violations, lateral movement, and other threats.

APIs are also a cornerstone of AI implementations, as the primary mechanism for interacting with generative AI models. Protecting AI models will require a strong handle on the existence, permissions, and usage of APIs across an organization.

Unfortunately, many organizations lack accurate API inventories. Cloudflare found 33% more API endpoints through machine learning-based discovery, compared to what organizations self-reported.

APIs that have not been managed or secured by the organization using them — also known as 'shadow' APIs — are often introduced by developers or individual users to run specific business functions.

While they are not inherently malicious, shadow APIs are unprotected attack surfaces that introduce new risks. Organizations cannot properly defend what they cannot see. And those that implement API security without an accurate picture of their API landscape can also unintentionally block legitimate traffic.


LLM risks

The security implications of LLM adoption

Organizations are investing heavily in generative AI, with high expectations that it will drive revenue and increase efficiency. IDC forecasts spending on GenAI solutions will reach $143 billion in 2027.[10]

But investments in LLMs are creating highly attractive targets for threat actors. Internal LLMs are likely to have wide-ranging access to sensitive information and intellectual property, and, since the models run on high-powered machines, financially motivated actors may target them for their computing power.

This isn't hypothetical – we've already seen attacks on LLMs. Oligo discovered active exploitation of a widely used open-source AI framework that granted threat actors access to production AI workloads (meaning they could steal or even tamper with models and data sets).[11] The actors stole production database credentials, data, passwords, and cloud access privileges, and even installed crypto mining malware.

The level of risk exposure AI creates for an organization will vary depending on how it is used, but now is the time for every security organization to be assessing LLM risk.

Understanding AI Risk: the 3 types of LLMs

Internal LLMs
Custom models trained on internal data to assist employees and boost productivity.
Example: an AI co-pilot trained on sales data and customer interactions used to generate tailored proposals.
Key risk: access to sensitive data and intellectual property

Product LLMs
Part of a product or service offered to customers.
Example: a customer support chatbot built to interact with company resources.
Key risk: reputational risk

Public LLMs
LLM accessed outside the boundaries of a corporation, often for free.
Examples: GPT from OpenAI or Claude from Anthropic.
Key risk: sensitive data leakage


Zero Trust adoption

Increased network attacks demonstrate need for Zero Trust

In 2023 there was a significant uptick in attacks and zero-days against network and security products such as VPNs, firewalls, and load balancers. The trend continues in 2024, with critical zero-days for Ivanti's Connect Secure VPN as well as Palo Alto Networks' firewall-based GlobalProtect VPN product.

Supply chain attacks against enterprise public-facing infrastructure are moving from likely to inevitable. A Zero Trust approach to security is increasingly essential to reduce the exploitable attack surface and add defense-in-depth.

ESG asked 200 cyber security and IT professionals currently adopting Zero Trust about their adoption path.[4] The two highest ranked use cases for initial implementation were enforcing Zero Trust application access (ZTAA) policies for SaaS applications and deploying Zero Trust Network Access (ZTNA) for private applications.

Enterprise resource planning (ERP) and communication and collaboration tools were the two highest ranked applications that organizations have secured or intend to secure in the initial deployment of their Zero Trust journey.

Moving from VPNs to ZTNA

With VPN in particular being all-too-frequently compromised, organizations are increasingly evaluating alternate remote access options. 98% said that remote access solutions that directly connect users to applications (rather than the broader network) were important. And 75% of cyber security & IT professionals currently using ZTNA report that they have replaced or plan to move away from VPNs for all employees.

One barrier to adopting ZTNA tools is installation of an endpoint agent. Installation can be time-consuming and costly, hindering an organization's ability to quickly and successfully deploy ZTNA.

85% of cyber security & IT professionals agreed that agentless ZTNA tools simplified the deployment process, reducing the administrative burden and potential points of failure associated with agent-based solutions.


Recommendations


1. Implement modern DDoS mitigation best practices

Best practice: Deploy threat intelligence and in-line, automated DDoS mitigation solutions
Action: Manual scrubbing centers do not scale with modern, high-volume attacks. Use multiple detection techniques to optimize security posture:
1. Dynamic stateless fingerprinting
2. Machine learning-based classification
3. Anomalous traffic detection
4. Traffic profiling and stateful mitigation
5. Threat intelligence on current DDoS activity and trends

Best practice: Build a disaster recovery scenario for a continuous, long-lasting DDoS attack
Action: Start by identifying critical infrastructure vulnerable to DDoS attacks and the impact of their downtime. Be sure to include commonly forgotten, but still vital, aspects of network stacks, such as DNS servers and VPN endpoints.

Best practice: Update network, DNS and application infrastructure to be more resilient for your traffic profile
Action: Ensure your DDoS mitigation capacity is large enough to handle twice the largest attacks on record and twice the max rates of your legitimate traffic. Ensure your security vendor can mitigate the latest network and application layer protocol vulnerabilities. Offload DNS traffic to compliant and secured cloud platforms with traffic routed through edge networks closest to the user.

Best practice: Improve network and application performance to avoid bottlenecks
Action: Leverage a digital waiting room to ensure real users and visitors are gracefully informed of the waiting period without overwhelming application servers. Optimize caching, and manage loads better with a content delivery network (CDN) and cloud-based load balancing solutions.

Best practice: Use a positive security model: ensure that desired traffic gets in reliably
Action: Keep business critical protocols, IPs, ASNs, ports and user-agents open to clean traffic. Use schema validation and an API gateway for API traffic.


2. Adopt a multi-pronged approach to vulnerability response

Patching is often the best method to mitigate vulnerability risk, but it can’t be the
only method. Organizations must develop strategies to address both the window
of exposure before a patch becomes available, as well as the time it takes to fully
vet and deploy a patch into production systems.
The best place to start is attack surface reduction. Ensuring assets are
properly protected, with network segmentation using Zero Trust principles, can
dramatically reduce what threat actors can discover and compromise.
A web application firewall (WAF) that stops threats based on up-to-date threat
intelligence is essential for protecting Internet-facing assets that can’t live behind
the network firewall. And in the case of major vulnerabilities with no patch or
patching resources, creating (or using vendor-provided) rules to stop targeted
exploitation is an effective mitigation until a patch can be applied.
Finally, given limited resources, and thousands of vulnerabilities disclosed each
month, organizations must prioritize patching based on active exploitation. There
are over 20,000 vulnerabilities disclosed each year, but most are never exploited.
Focusing on known exploitation is the best way to quickly reduce the risk of
compromise. A good starting point is CISA's Known Exploited Vulnerabilities Catalog.
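Prioritizing by known exploitation rather than by severity alone, as the paragraph above recommends, can be scripted against a scanner's findings and the KEV catalog. This is an added example, not Cloudflare code: it uses a constructed excerpt shaped like CISA's KEV JSON feed (a "vulnerabilities" array whose entries carry "cveID", "dueDate" and "knownRansomwareCampaignUse"), with CVE-0000-* identifiers, dates, asset names and the ransomware flag all being placeholders.

```python
"""Rank vulnerability findings by active exploitation before raw severity.

Most disclosed vulnerabilities are never exploited, so membership in the KEV
catalog (and its federal remediation due date) drives the patch order here;
CVSS only breaks ties.  The feed excerpt and findings are constructed for
this example; the field names follow the public KEV JSON feed.
"""
import json
from datetime import date

SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed excerpt shaped like the CISA KEV feed",
    "vulnerabilities": [
        {"cveID": "CVE-2024-27198", "dueDate": "2024-03-28",
         "knownRansomwareCampaignUse": "Known"},      # placeholder values
        {"cveID": "CVE-0000-00002", "dueDate": "2024-04-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner findings: by CVSS alone, CVE-0000-00003 would go first.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-00003", "cvss": 10.0, "internet_facing": False, "asset": "lab-01"},
    {"cve": "CVE-0000-00001", "cvss": 9.8, "internet_facing": True, "asset": "build-02"},
    {"cve": "CVE-2024-27198", "cvss": 9.8, "internet_facing": True, "asset": "teamcity-01"},
    {"cve": "CVE-0000-00002", "cvss": 7.5, "internet_facing": False, "asset": "intranet-01"},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(finding, kev, today):
    """Return (sort key, reason); lower keys are patched first.

    Order: (0) in KEV with known ransomware use, (1) in KEV, soonest due
    date first, (2) not in KEV: internet-facing assets first, then by CVSS.
    """
    entry = kev.get(finding["cve"])
    if entry is None:
        key = (2, not finding["internet_facing"], -finding["cvss"])
        return key, "not known-exploited: normal patch cycle"
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    key = (0 if ransomware else 1, days_left,
           not finding["internet_facing"], -finding["cvss"])
    reason = f"in KEV, remediation due in {days_left} days"
    if ransomware:
        reason += ", ransomware use known"
    return key, reason


def prioritize(findings, kev, today):
    """Findings in patch order as (cve, asset, reason) tuples."""
    ranked = sorted(findings, key=lambda f: triage(f, kev, today)[0])
    return [(f["cve"], f["asset"], triage(f, kev, today)[1]) for f in ranked]


def prioritized_cves(findings=SAMPLE_FINDINGS, feed_json=SAMPLE_KEV_FEED,
                     today=date(2024, 3, 5)):
    """Convenience wrapper returning only the ordered CVE ids."""
    return [cve for cve, _, _ in prioritize(findings, load_kev(feed_json), today)]


if __name__ == "__main__":
    for cve, asset, reason in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_FEED),
                                         date(2024, 3, 5)):
        print(f"{cve:16} {asset:12} {reason}")
```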



3. Assess and apply phishing controls that span all exposed user channels

Organizations cannot rely solely upon security functions implemented within a cloud security provider. As the recent investigation by the DHS discovered, nation states are actively looking to disrupt security operations at major cloud providers such as Microsoft. Instead, organizations should identify a phishing solution complementary to their email provider that protects against attacks beyond the inbox, and implement a set of controls that are capable of addressing every point of exposure for users.

1. Start by assessing your current level of phishing risk within email to identify gaps in your existing defenses.
2. Implement email security capabilities that employ AI/ML-driven message analysis while providing pre- and post-delivery protection for continuous coverage. These capabilities should be paired with a low-touch approach for handling malicious links, even those hidden in QR codes or activated post-delivery.
3. Extend your phishing protection and provide another layer of defense by deploying ZTNA-enabled hard keys to prevent unauthorized access in the event that credentials are compromised.
4. Layer on capabilities that can help identify unauthorized applications that can act as a front door for attackers.
5. Complete your phishing solution by adopting technology that can isolate and control user actions on web-based apps to prevent malware and credential theft.

[Diagram: for each channel, the user targeted, the capability deployed, and the breach prevented.]
- Email phishing: malicious message; user opens link or attachments; message analysis with link isolation; email channel apps protected
- SMS phishing: malicious text; user enters one-time passcodes; MFA hard key required; self-hosted apps channel protected
- Cloud app phishing: malicious SaaS apps; user permits OAuth tokens; API-based collaboration security findings and remediation guide steps; SaaS apps channel protected
- Web/social phishing: fraudulent site linkage; user enters credentials; control of web-based user actions; Internet apps channel protected


4. Measure and improve API maturity level over time

The most comprehensive approach for protecting APIs is to implement a holistic web application and API protection (WAAP) platform. However, an organization that is just beginning to acknowledge their API exposure may not find this feasible overnight. Progress needs to start somewhere. Cloudflare recommends implementing API protection in three phases.

Phase 1: API visibility
Companies must first track and formally manage all their API endpoints, including any shadow APIs. However, when they do find APIs, it is difficult to accurately build a unique schema for each of potentially hundreds of API endpoints. With an API visibility service, organizations can both automatically discover API endpoints and identify who owns that API and how that API should be used.

Phase 2: General web attack protection
Web applications and APIs often work together (for example, an ecommerce website using an API to process payments). However, the global nature of the Internet exposes websites and other applications to attacks from many locations, at various levels of scale and complexity. The following are 'table stakes' services to directly protect web applications and the APIs behind them from DoS and DDoS attacks, credential stuffing, zero-day vulnerabilities, and other threat types:

• DDoS mitigation services sit between a server and the public Internet to prevent surges of malicious traffic from overwhelming the server

• A Web Application Firewall (WAF) filters out traffic known (or suspected) to be taking advantage of web application vulnerabilities

• Encryption certificate management helps manage key elements of the SSL/TLS encryption process

• Rate limiting protects endpoints from DoS attacks, brute-force login attempts, and other API traffic surges — without penalizing legitimate users.

Phase 3: API-specific attack protection
Tools like WAFs and DDoS mitigation are critical for web security and the (human) app user's experience, but these services were designed to protect applications — not APIs specifically. As an organization exposes more services via APIs, they should augment web app security with specific API security measures.

Advanced API security, using unsupervised machine learning, is capable of developing separate baselines for each API, and predicting the intent of API requests (whether legitimate or malicious) as they are made.
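The visibility phase above, and the earlier finding that discovery turned up 33% more endpoints than organizations self-reported, both come down to diffing what is actually served against what is declared. The following is an added example, not Cloudflare's machine-learning discovery: it folds observed request paths into endpoint templates by replacing identifier-like segments with {id}, then compares them with a declared inventory. The inventory, paths and log format are constructed for the example.

```python
"""Find shadow APIs by diffing observed traffic against the declared inventory.

Each observed path is reduced to a template ('/api/v1/users/1042' becomes
'/api/v1/users/{id}') so that many requests collapse into one endpoint, and
the set of observed (method, template) pairs is compared with the declared
inventory.  Endpoints seen but undeclared are shadow APIs; endpoints
declared but never seen are candidates for removal.  Everything below is
constructed sample data for this example.
"""
import re
from collections import Counter

# Declared inventory in the shape of OpenAPI path templates (constructed).
DECLARED_ENDPOINTS = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
    ("DELETE", "/api/v1/orders/{id}"),
}

# Constructed access log: "<method> <path> <status>".
SAMPLE_ACCESS_LOG = """\
GET /api/v1/users/1042 200
GET /api/v1/users/7 200
POST /api/v1/orders 201
GET /api/v1/orders/55c3a2e0-1c4b-4f2a-9b8d-0e7a6c5d4b3a 200
GET /api/v1/orders/55c3a2e0-1c4b-4f2a-9b8d-0e7a6c5d4b3a/export 200
GET /api/v1/users/1042/export 200
POST /api/internal/debug/reindex 200
POST /api/internal/debug/reindex 200
GET /static/app.js 200
GET /api/v1/users/1042?verbose=1 200
"""

# Path segments matching any of these are treated as identifiers.
_ID_PATTERNS = [
    re.compile(r"^\d+$"),                                                 # numeric ids
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUIDs
    re.compile(r"^[0-9a-f]{16,}$", re.I),                                 # long hex tokens
]


def to_template(path):
    """'/api/v1/users/1042?verbose=1' -> '/api/v1/users/{id}'."""
    path = path.split("?", 1)[0]
    return "/".join(
        "{id}" if any(p.match(seg) for p in _ID_PATTERNS) else seg
        for seg in path.split("/")
    )


def observed_endpoints(log_text, api_prefix="/api/"):
    """Count requests per (method, template), considering API paths only."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        if path.startswith(api_prefix):
            counts[(method, to_template(path))] += 1
    return counts


def inventory_gap(observed, declared):
    """Return (shadow, unobserved): seen-but-undeclared and declared-but-unseen."""
    seen = set(observed)
    return seen - declared, declared - seen


def discovery_ratio(observed, declared):
    """Extra endpoints found, as a percentage of the declared inventory."""
    shadow, _ = inventory_gap(observed, declared)
    return 100.0 * len(shadow) / len(declared)


if __name__ == "__main__":
    obs = observed_endpoints(SAMPLE_ACCESS_LOG)
    shadow, unobserved = inventory_gap(obs, DECLARED_ENDPOINTS)
    for method, tmpl in sorted(shadow):
        print(f"shadow      {method:6} {tmpl}  ({obs[(method, tmpl)]} requests)")
    for method, tmpl in sorted(unobserved):
        print(f"unobserved  {method:6} {tmpl}")
    print(f"{discovery_ratio(obs, DECLARED_ENDPOINTS):.0f}% more endpoints than declared")
```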


5. Get involved in LLM projects early

It is critical that the security team understand the various risks associated with LLM usage and development, and then work to be actively involved in any LLM deployments.

An internal LLM breach could be disastrous for an organization, and unmitigated access to public LLMs opens potential for sensitive data leakage, which is why organizations like Samsung have banned employee access after they discovered sensitive code had been leaked.

A good place to start is the OWASP Top 10 for LLMs. Organizations should determine which vulnerabilities contribute the most risk to their organization's planned AI projects and then begin to prioritize protection measures. Protections can range in type and scope from data loss protection to implementing a dedicated firewall for AI.

Overreliance is a key vulnerability to watch for, especially as it relates to developers using LLMs. AI-generated code still needs to be validated by humans first, and should be run through the same quality and security testing processes as human-generated code.

Top 10 vulnerabilities for Large Language Models
- Model denial of service: excessive resource-heavy requests lead to service degradation and costs
- Prompt injection: manipulation of the model through crafty inputs to influence decisions
- Sensitive information disclosure: sensitive data being exfiltrated from the model
- Supply chain vulnerabilities: vulnerable component embedded in the model
- Insecure plugin design: plugins can have insecure inputs and insufficient access control
- Insecure output handling: output accepted without validation; XSS, CSRF, SSRF are introduced
- Model theft: exfiltration of a proprietary LLM model
- Excess agency: models can perform actions due to excessive permissions
- Training data poisoning: LLM training data is tampered with, introducing bias and vulnerabilities
- Overreliance: excessive trust in the output of the LLM, leading to misinformation
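Of the ten items above, insecure output handling is the one most directly fixed in application code: model text must be treated as untrusted input before it is rendered or acted on. The following is an added example, not from the brief or OWASP: it shows a weak and a hardened form of two common sinks, rendering an answer into HTML (XSS) and fetching a URL the model proposes (SSRF). The allow-listed host and the sample outputs are constructed for the example.

```python
"""Treat LLM output as untrusted input (OWASP LLM 'Insecure Output Handling').

Two sinks are shown, each with a weak and a hardened form:
  1. rendering the model's answer into a web page; markup copied by the model
     from a retrieved document would otherwise execute in the user's browser;
  2. fetching a URL the model proposes; without a host allow-list the
     application becomes an SSRF proxy into internal address space.
The allow-listed host and the two sample outputs are constructed.
"""
import html
import ipaddress
import re
from urllib.parse import urlparse

ALLOWED_FETCH_HOSTS = {"docs.example.com"}  # assumption: hosts the app may fetch from
_URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed model outputs; the first echoes markup from a retrieved page.
OUTPUT_WITH_MARKUP = "Summary: see <script>alert(1)</script> for details"
OUTPUT_WITH_URLS = ("Sources: https://docs.example.com/guide and "
                    "http://10.0.0.5/admin and https://evil.example.net/x")


def render_unsafe(model_output):
    """Weak form: model text is interpolated into HTML verbatim."""
    return f'<div class="answer">{model_output}</div>'


def render_safe(model_output):
    """Hardened form: escape first, so any markup is displayed, not executed."""
    return f'<div class="answer">{html.escape(model_output, quote=True)}</div>'


def is_allowed_fetch_target(url):
    """Allow only https to an allow-listed hostname.

    IP literals are rejected outright (they bypass hostname allow-listing and
    are how private or loopback addresses get reached); the caller should
    additionally resolve the hostname and re-check the resulting address
    before connecting, which is omitted here to keep the example offline.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    try:
        ipaddress.ip_address(parsed.hostname)
        return False
    except ValueError:
        pass  # not an IP literal: fall through to the allow-list check
    return parsed.hostname.lower() in ALLOWED_FETCH_HOSTS


def split_fetch_targets(model_output):
    """Return (allowed, blocked) for every URL found in the model's output."""
    urls = _URL_RE.findall(model_output)
    allowed = [u for u in urls if is_allowed_fetch_target(u)]
    blocked = [u for u in urls if not is_allowed_fetch_target(u)]
    return allowed, blocked


if __name__ == "__main__":
    print(render_unsafe(OUTPUT_WITH_MARKUP))
    print(render_safe(OUTPUT_WITH_MARKUP))
    ok, bad = split_fetch_targets(OUTPUT_WITH_URLS)
    print("fetch:", ok, "blocked:", bad)
```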


6. Define a roadmap to adopt Zero Trust

Time and time again, it has been proven that perimeter-based security models do not work for the modern threat landscape. Increasingly, organizations are turning towards Zero Trust security best practices. The premise of never trust, always verify, is simple, and the benefits are clear — improved security outcomes, reduced breach costs, higher operational efficiency, and improved user experience — but successfully deploying Zero Trust is much easier said than done.

Typically, Zero Trust adoption is broken out into several phases. Implementations consistently start with a smaller use case or targeted set of users, prove out the value, and then expand from there. The plan will invariably evolve along the implementation path, but having a plan is essential to success.

There is no perfect answer for how to choose a starting point, but frequently-cited internal decision factors include:

Employee experience feedback — consider end-user complaints to determine which internal workflows could benefit the most from efforts to improve business productivity

Existing contract timing/logistics — upcoming contract renewals for current point solutions could steer your focus toward a relevant use case to address, and help create goal timelines for legacy solution augmentation or replacement

Speed of implementation — contractors, in particular, have limited remote access needs that can often be fulfilled without installing end-user software, which can simplify a project rollout and provide a "quick win" for strengthening security

Flexibility and openness to change — for example, the security team might be the best first customer if a pilot project can be tightly scoped and done in tandem with existing infrastructure

Users/roles/apps that are at greater risk for attacks — developers who have access to valuable intellectual property, security/risk professionals, and executives may be prime targets, as may sensitive internal apps housing customer or financial data


Unify security everywhere with Cloudflare

Cloudflare offers composable, scalable Everywhere Security to help reduce complexity and accelerate business innovation. Our cloud platform unifies many security capabilities and harnesses real-time threat intelligence to enforce low-touch, high-efficacy protections across users, applications, and corporate networks.

Explore how to enforce security without compromising innovation. Contact us today for a consultation.

Protect People (SSE): secure access on any device for employees, contractors, and developers
- Zero Trust Access
- Secure Web Gateway
- CASB & DLP
- Cloud Email Security
- Browser Isolation

Protect Apps (WAAP): defend APIs, availability, and data in self-hosted, SaaS, and cloud environments
- WAF & Bot Mgmt
- API Security
- L7 DDoS Protection
- Client-Side Security
- Attack Surface Mgmt

Protect Networks (SASE): deliver safer, faster connectivity across offices, data centers, and clouds
- NaaS & Multicloud
- FWaaS & IDS/IPS
- L3 DDoS Protection
- Network Interconnect
- Smart Routing

All services with one control plane on one programmable global cloud network


APPENDICES Table of contents

Phishing definitions
Account compromise — When an attacker takes control of a user's email account. This is also referred to as Email Account Compromise (EAC), which is a close relative of Business Email Compromise (BEC). Attackers use a wide array of techniques such as dictionary brute forcing, credential harvesting attacks, and credential theft. The essential detail is that a user's email account credentials become compromised through malicious actions. Subsequently, the attacker uses that account to send malicious content to new targets.

ASN reputation — The overall score assigned to an Autonomous System Number (ASN) based on behavior. For example, ASNs from which high volumes of spam or malicious emails originate will tend to have poorer reputations and thus lower scores. ASNs with low reputation scores are often used in attacks.

Attachment — Any file attached to an email that, when opened or executed in the context of an attack, includes a call-to-action (e.g., lures the target to click a link) or performs a series of actions set by an attacker. If the intended victim opens an attachment or clicks a malicious attachment link, they may ultimately install malware that could lead to ransomware or follow-on operations through backdoors and RATs.

Brand impersonation — A form of identity deception where an attacker sends a phishing message that impersonates a recognizable company or brand. Brand impersonation is conducted using a wide range of techniques. A common one is display name spoofing, where the sender display name in the visible email headers includes a legitimate brand. In addition, attackers might use domain impersonation. In this case, the attacker registers a domain that looks similar to the impersonated brand's domain, and uses it to send phishing messages.

Attackers often use various forms of obfuscation, such as homograph spoofing, in brand impersonation attacks. They might also register the exact same domain name as that used by the impersonated brand but with a different top level domain (TLD). These techniques can be leveraged throughout all sections of an email, including the sender display name, email address (including the sender domain name), subject line, body content (HTML and plaintext), hypertext for links, and the hyperlinks themselves (i.e., the actual URLs).

Business email compromise (BEC) — An increasingly common, effective, and costly targeted email attack designed to trick recipients into transferring funds, typically through forged invoices, to scammer accounts. BEC falls into various categories based on its sophistication, ranging from using a spoofed email to compromising a vendor in a supply chain attack.

Credential harvesters — Sites set up by an attacker to deceive users into providing their login credentials. This particular attack presents the user with a page that imitates an email or other account login page. Unwitting users may enter their credentials, ultimately providing attackers with access to their accounts. Because people often reuse passwords for multiple accounts, a member of your organization providing credentials to a harvester may give an attacker access to many accounts.

Deceptive link — When clicked, a deceptive link will open the user's default web browser and render the data referenced in the link, or open an application directly (e.g., a PDF). Since the display text for a link (i.e., the hypertext) in HTML can be set arbitrarily, attackers can make a URL appear as if it links to a benign site when, in fact, it is malicious. Malicious links can lead to arbitrary code execution or Remote Code Execution (RCE), credential harvesting, click fraud, unwanted installs, and other compromises.

Domain age (related to domain reputation) — The overall score assigned to a domain. For example, domains that send out a large number of emails immediately after domain registration will tend to have a poorer reputation, and thus a lower score, whereas older, known domains tend to have a positive reputation, and thus a higher score. Domains with low reputation scores are often used in attacks.

Extortion — This tactic is commonly used to force a person or organization to perform a set of actions they would not otherwise normally perform. This is typically done under duress; for example, asking the intended victim to pay a ransom during a DDoS attack. The level of extortion can lead to a wide range of compromise depending on the attacker's intentions and resources.

Identity deception — This occurs when an attacker or someone with malicious intent sends an email claiming to be someone else. The mechanisms and tactics of this vary widely. Some tactics include registering domains that look similar (aka domain impersonation), spoofing the sender domain, or using display name tricks to appear to be sourced from a trusted domain. Other variations include sending email using domain fronting and high-reputation web services platforms.

Scam — A broad category of phishing fraud. The foundation is to entice a victim to provide money under a promise of a product, service, good, or even a significant sum of money in return. The common theme is the transfer of money in a method that is atypical for the sender. Changes in common payment practices or sudden demands to pay sums via wire transfer can also be indicators.

Voice phishing — Also called "vishing," this usually refers to the practice of leaving fake voice messages in hopes that victims will call back to provide personal information (such as bank and credit card details), which will be used in other attacks. In our email security detections, we have observed attackers combining email and voice vectors by sending emails with attachments of a voicemail recording, a media file, or a link to a file. We have also observed attackers sending emails that had no malicious payloads, just a phone number.
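The "Deceptive link" and "Brand impersonation" definitions above describe two signals an email security filter can check mechanically: the host named in a link's visible text versus the host in its href, and sender or link domains that are homographs, digit/letter look-alikes, or TLD swaps of a protected brand. The following is an added example that is not Cloudflare's code and is not taken from this brief; it shows one way to implement both checks in Python over a constructed HTML message. The protected-domain list, the confusables table, the sample message, and the registrable-name heuristic (last label before the final dot) are all assumptions made for this example.

```python
"""Flag deceptive links and look-alike domains in an HTML phishing email.

Added example, not Cloudflare code and not part of the Security Brief. It
applies two glossary entries: "Deceptive link" (visible text names a
different host than the href) and "Brand impersonation" (homograph spoofing,
digit/letter look-alikes, same name under a different TLD). The protected
brand list, the confusable table and the sample message are constructed
assumptions for this example.
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brand domains this organisation wants to protect.
PROTECTED_DOMAINS = ("paypal.com", "example-bank.com")

# Constructed subset of look-alikes: ASCII digit/letter tricks plus Cyrillic
# letters that render identically to their Latin counterparts (homographs).
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def canonical(host: str) -> str:
    """Fold a hostname to the Latin string a human would read it as."""
    host = host.lower().strip(".")
    host = unicodedata.normalize("NFKD", host)            # fullwidth etc. -> ASCII
    host = "".join(c for c in host if not unicodedata.combining(c))  # drop accents
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def impersonated_brand(host: str):
    """Return the protected domain `host` imitates, or None if it is genuine
    or unrelated. Assumption: the registrable name is the label before the
    last dot; a public suffix list is needed for co.uk-style TLDs."""
    host = host.lower().strip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
        return None                                       # the real thing
    canon = canonical(host)
    labels = canon.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in PROTECTED_DOMAINS:
        if canon == brand or canon.endswith("." + brand):
            return brand                                  # look-alike spelling
        if sld == brand.split(".")[0]:
            return brand                                  # same name, other TLD
        if canon.startswith(brand + ".") or ("." + brand + ".") in canon:
            return brand                                  # brand.com.evil.net
    return None


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname written in the visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def deceptive_links(html: str) -> list:
    """Anchors whose visible text names a host other than the href's host."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue                                      # text is not URL-like
        shown = match.group(1).lower()
        if shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual,
                             "imitates": impersonated_brand(actual)})
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_HTML = """<html><body>
<p>Your account is locked. Verify at
<a href="https://login.paypa1.com/verify">https://www.paypal.com/verify</a></p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
<p>Statement: <a href="https://example-bank.co/stmt">example-bank.com</a></p>
<p><a href="https://example-bank.com/unsubscribe">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in deceptive_links(SAMPLE_HTML):
        print(f"shown={f['shown']} actual={f['actual']} imitates={f['imitates']}")
    print(impersonated_brand("payp\u0430l.com"))         # Cyrillic a in "paypal"
```

Two caveats a practitioner would add before using this in a mail pipeline: internationalised domains arrive as punycode (`xn--` labels) and must be decoded before homograph folding, and the registrable-name heuristic should be replaced by a public suffix list. The output is best treated as one signal alongside the domain age and ASN reputation scores defined above, not as a verdict on its own.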




Endnotes
1. JetBrains disclosed CVE-2024-27198 on March 4th, 2024 at 14:59. Rapid7 published a proof-of-concept analysis of CVE-2024-27198 several hours later at 19:23 UTC. At 19:45 UTC, Cloudflare observed attempted exploitation of the vulnerability.

2. Based on a sample of threat indicators ("categories") detected by the Cloudflare email security service between April 1, 2023 - March 31, 2024. These indicators lead to email dispositions of malicious, BEC, spoof, or spam. Individual messages may contain multiple threat categories such as "Identity Deception", "Brand Impersonation", "Link", and others that are described in the appendix.

3. For REST API endpoints, Cloudflare's API Discovery found on median 33% more endpoints through machine learning than we discovered via customer-provided session identifiers across all customers' domains/zones, per account, over the time period April 1, 2023 - March 31, 2024.

4. Source: Enterprise Strategy Group, a division of TechTarget, Inc. Research Survey, Cloudflare Zero Trust for the Workforce Survey, May 2024.

5. Source: OpenAI Status Page

6. Source: CVE Details

7. Source: Edgescan, 2024 Vulnerability Statistics Report

8. Source: Google, We're All in this Together: A Year in Review of Zero-Days Exploited In-the-Wild in 2023

9. Between April 1, 2023 - March 31, 2024, API traffic with successful responses (200 status code) represented a median 58% of Cloudflare's dynamic HTTP traffic. Dynamic content is content that changes based on factors specific to the user, such as time of visit, location, and device.

10. Source: IDC Forecasts Spending on GenAI Solutions Will Reach $143 Billion in 2027 with a Five-Year Compound Annual Growth Rate of 73.3%

11. Source: Oligo, ShellTorch: Multiple Critical Vulnerabilities in PyTorch TorchServe Threatens Countless AI Users



© 2024 Cloudflare Inc. All rights reserved.


The Cloudflare logo is a trademark of Cloudflare. All other
company and product names may be trademarks of the
respective companies with which they are associated.

Call: 1 888 99 FLARE
Email: enterprise@[Link]
Visit: [Link]
REV:BDES-5586.2024MAY01