
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Apr 2026 02:20:14 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Make Your Website Conversational for People and Agents with NLWeb and AutoRAG]]></title>
            <link>https://blog.cloudflare.com/conversational-search-with-nlweb-and-autorag/</link>
            <pubDate>Thu, 28 Aug 2025 14:00:00 GMT</pubDate>
            <description><![CDATA[ With NLWeb, an open project by Microsoft, and Cloudflare AutoRAG, conversational search is now a one-click setup for your website. ]]></description>
            <content:encoded><![CDATA[ <p>Publishers and content creators have historically relied on traditional keyword-based search to help users navigate their website’s content. However, traditional search is built on outdated assumptions: users type in keywords to indicate intent, and the site returns a list of links for the most relevant results. It’s up to the visitor to click around, skim pages, and piece together the answer they’re looking for. </p><p><a href="https://www.cloudflare.com/learning/ai/what-is-artificial-intelligence/"><u>AI</u></a> has reset expectations and that paradigm is breaking: how we search for information has fundamentally changed.</p>
    <h2>Your New Type of Visitors</h2>
    <p>Users no longer want to search websites the old way. They’re used to interacting with AI systems like Copilot, Claude, and ChatGPT, where they can simply ask a question and get an answer. We’ve moved from search engines to answer engines. </p><p>At the same time, websites now have a new class of visitors, AI agents. Agents face the same pain with keyword search: they have to issue keyword queries, click through links, and scrape pages to piece together answers. But they also need more: a structured way to ask questions and get reliable answers across websites. This means that websites need a way to give the agents they trust controlled access, so that information is retrieved accurately.</p><p>Website owners need a way to participate in this shift.</p>
    <h2>A New Search Model for the Agentic Web</h2>
    <p>If AI has reset expectations, what comes next? To meet both people and agents where they are, websites need more than incremental upgrades to keyword search. They need a model that makes conversational access to content a first-class part of the web itself.</p><p>That’s what we want to deliver: combining an open standard (NLWeb) with the infrastructure (AutoRAG) to make it simple for any website to become AI-ready.</p><p><a href="https://news.microsoft.com/source/features/company-news/introducing-nlweb-bringing-conversational-interfaces-directly-to-the-web/"><u>NLWeb</u></a> is an open project developed by Microsoft that defines a standard protocol for natural-language queries on websites. Each NLWeb instance also operates as a Model Context Protocol (MCP) server. Cloudflare is building to this spec and actively working with Microsoft to extend the standard with the goal to let every site function like an AI app, so users and agents alike can query its contents naturally.</p><p><a href="https://developers.cloudflare.com/autorag/"><u>AutoRAG</u></a>, Cloudflare’s managed retrieval engine, can automatically crawl your website, store the content in R2, and embed it into a managed vector database. AutoRAG keeps the index fresh with continuous re-crawling and re-indexing. Model inference and embedding can be served through Workers AI. Each AutoRAG is paired with an AI Gateway that can provide <a href="https://www.cloudflare.com/learning/performance/what-is-observability/">observability and insights</a> into your AI model usage. This gives you a <a href="https://www.cloudflare.com/learning/ai/how-to-build-rag-pipelines/">complete, managed pipeline</a> for conversational search without the burden of managing custom infrastructure.</p><blockquote><p><i>“Together, NLWeb and AutoRAG let publishers go beyond search boxes, making conversational interfaces for websites simple to create and deploy. 
This integration will enable every website to easily become AI-ready for both people and trusted agents.”</i> – R.V. Guha, creator of NLWeb, CVP and Technical Fellow at Microsoft. </p></blockquote><p>We are optimistic this will open up new monetization models for publishers:</p><blockquote><p><i>"The challenges publishers have faced are well known, as are the risks of AI accelerating the collapse of already challenged business models. However, with NLWeb and AutoRAG, there is an opportunity to reset the nature of relationships with audiences for the better. More direct engagement on Publisher Owned and Operated (O&amp;O) environments, where audiences value the brand and voice of the Publisher, means new potential for monetization. This would be the reset the entire industry needs."</i>  – Joe Marchese, General &amp; Build Partner at Human Ventures.</p></blockquote>
    <h2>One-Click to Make Your Site Conversational</h2>
    <p>By combining NLWeb's standard with Cloudflare’s AutoRAG infrastructure, we’re making it possible to easily bring conversational search to any website.</p><p>Simply select your domain in AutoRAG, and it will crawl and index your site for semantic querying. It then deploys a Cloudflare Worker, which acts as the access layer. This Worker implements the NLWeb standard and UI defined by the <a href="https://github.com/nlweb-ai/NLWeb"><u>NLWeb project</u></a> and exposes your indexed content to both people and AI agents.</p><p>The Worker includes:</p><ul><li><p><b>`/ask` endpoint:</b> The standard endpoint defined by NLWeb for serving conversational web searches. It powers the conversational UI at the root `/` as well as the embeddable preview at `/snippet.html`. It supports chat history so queries can build on one another within the same session, and includes automatic query decontextualization to improve retrieval quality.</p></li><li><p><b>`/mcp` endpoint:</b> Implements an MCP server that trusted AI agents can connect to for structured access.</p></li></ul><p>With this setup, your site content is immediately available in two ways for you to experiment with: through a conversational UI that you can serve to your visitors, and through a structured MCP interface that lets trusted agents query your site reliably on your terms.</p><p>Additionally, if you prefer to deploy and host your own version of the NLWeb project, there’s also the option to use AutoRAG as the retrieval engine powering the <a href="https://github.com/nlweb-ai/NLWeb/blob/main/docs/setup-cloudflare-autorag.md"><u>NLWeb instance</u></a>.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1SM7rSQDhoR4fH5KgAJPD7/2266dc2e3c80f3fcc7f17014eb1d0cf1/image5.png" />
          </figure>
    <h2>How Your Site Becomes Conversational</h2>
    
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/xkeREv3GwXwBZw52Dg6XQ/caeb587819d08eff53a33aa893032b78/image2.png" />
          </figure><p>From your perspective, making your site conversational is just a single click. Behind the scenes, AutoRAG spins up a full retrieval pipeline to make that possible:</p><ol><li><p><b>Crawling and ingestion: </b>AutoRAG explores your site like a search engine, following `sitemap.xml` and `robots.txt` files to understand what pages are available and allowed for crawling. From there, it follows your sitemap to discover pages within your domain (up to 100k pages). <a href="https://developers.cloudflare.com/browser-rendering/"><u>Browser Rendering</u></a> is used to load each page so that it can capture dynamic, JavaScript content. Crawled pages are downloaded into an <a href="https://developers.cloudflare.com/r2/"><u>R2 bucket</u></a> in your account before being ingested. </p></li><li><p><b>Continuous Indexing:</b> Once ingested, the content is parsed and embedded into <a href="https://developers.cloudflare.com/vectorize/"><u>Vectorize</u></a>, making it queryable beyond keyword matching through semantic search. AutoRAG automatically re-crawls and re-indexes to keep your knowledge base aligned with your latest content.</p></li><li><p><b>Access &amp; Observability: </b>A Cloudflare Worker is deployed in your account to serve as the access layer that implements the NLWeb protocol (you can also find the deployable Worker in the Workers <a href="https://github.com/cloudflare/templates"><u>templates repository</u></a>). Workers AI is used to seamlessly power the summarization and decontextualized query capabilities to improve responses. <i>Soon, with the</i><a href="http://blog.cloudflare.com/ai-gateway-aug-2025-refresh/"><i><u> AI Gateway and Secret Store BYO keys</u></i></a><i>, you’ll be able to connect models from any provider and select them directly in the AutoRAG dashboard.</i></p></li></ol>
    <h2>Road to Making Websites a First-Class Data Source</h2>
    <p>Until now, <a href="https://developers.cloudflare.com/autorag/concepts/how-autorag-works/"><u>AutoRAG</u></a> only supported R2 as a data source. That worked well for structured files, but we needed to make a website itself a first-class data source to be indexed and searchable. Making that possible meant building website crawling into AutoRAG and strengthening the system to handle large, dynamic sources like websites.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5ouTCcbipVX3s1fPgg6hEs/541a03efb4365370fee5df67cd68841f/image4.png" />
          </figure><p>Before implementing our web crawler, we needed to improve the reliability of data syncs. Previously, AutoRAG users had no visibility into when indexing syncs ran or whether they succeeded. To fix this, we introduced a Job module to track all syncs, store history, and provide logs. This required two new Durable Objects to be added into AutoRAG’s architecture:</p><ul><li><p><b>JobManager</b> runs a complete sync, and its duties include queuing files, embedding content, and keeping the Vectorize database up to date. To ensure data consistency, only one JobManager can run per RAG at a time. This is enforced by the RagManager (a Durable Object in our existing architecture), which cancels any running job before starting a new one; a sync can be triggered either manually or on a schedule.</p></li><li><p><b>FileManager</b> solved scalability issues we hit when Workers ran out of memory during parallel processing. Originally, a single Durable Object was responsible for handling multiple files, but with a 128MB memory limit it quickly became a bottleneck. The solution was to break the work apart: JobManager now distributes files across many FileManagers, each responsible for a single file. By processing 20 files in parallel through 20 different FileManagers, we expanded effective memory capacity from 128MB to roughly 2.5GB per batch.</p></li></ul><p>With these improvements, we were ready to build the website parser. By reusing our existing R2-based queuing logic, we added crawling with minimal disruption:</p><ol><li><p>A JobManager designated for a website crawl begins by reading the sitemaps associated with the RAG configuration.</p></li><li><p>Instead of listing objects from an R2 bucket, it queues each website link into our existing R2-based queue, using the full URL as the R2 object key.</p></li><li><p>From here, the process is nearly identical to our file-based sync. 
A FileManager picks up the job and checks if the RAG is configured for website parsing.</p></li><li><p>If it is, the FileManager crawls the link and places the page's HTML contents into the user's R2 bucket, again using the URL as the object key.</p></li></ol><p>After these steps, we index the data and serve it at query time. This approach maximized code reuse, and any improvements to our <a href="https://blog.cloudflare.com/markdown-for-agents/">HTML-to-Markdown conversion</a> now benefit both file and website-based RAGs automatically.</p>
    <h2>Get Started Today</h2>
    <p>Getting your website ready for conversational search through NLWeb and AutoRAG is simple. Here’s how:</p><ol><li><p>In the <b>Cloudflare Dashboard</b>, navigate to <b>Compute &amp; AI &gt; AutoRAG</b>.</p></li><li><p>Select <b>Create</b> in AutoRAG, then choose the <b>NLWeb Website</b> quick deploy option.</p></li><li><p>Select the <b>domain</b> from your Cloudflare account that you want indexed.</p></li><li><p>Click <b>Start indexing</b>.</p></li></ol><p>That’s it! You can now try out your NLWeb search experience via the provided link, and test out how it will look on your site by using the embeddable snippet.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/dI9xwOKdn3jGkYKWK8NEN/e25ae13199eb09577868e421cc1fef7d/image1.png" />
          </figure><p>We’d love to hear your feedback as you experiment with this new capability. Share your thoughts with us at <a href="mailto:nlweb@cloudflare.com">nlweb@cloudflare.com</a>.</p> ]]></content:encoded>
            <category><![CDATA[AI Week]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Search Engine]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[Auto Rag]]></category>
            <guid isPermaLink="false">1FRpZMePLmgD9cPqJnMFKS</guid>
            <dc:creator>Catarina Pires Mota</dc:creator>
            <dc:creator>Gabriel Massadas</dc:creator>
            <dc:creator>Nelson Duarte</dc:creator>
            <dc:creator>Daniel Leal</dc:creator>
            <dc:creator>Anni Wang</dc:creator>
        </item>
        <item>
            <title><![CDATA[Disrupting FlyingYeti's campaign targeting Ukraine]]></title>
            <link>https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine/</link>
            <pubDate>Thu, 30 May 2024 13:00:38 GMT</pubDate>
            <description><![CDATA[ In April and May 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine ]]></description>
            <content:encoded><![CDATA[ <p>Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. At the onset of Russia’s invasion of Ukraine on February 24, 2022, Ukraine introduced a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, resulting in significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures. If opened, the files would result in infection with the PowerShell malware known as <a href="https://cert.gov.ua/article/6277849?ref=news.risky.biz">COOKBOX</a>, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.</p><p>Since April 26, 2024, Cloudforce One has taken measures to prevent FlyingYeti from launching their phishing campaign – a campaign involving the use of Cloudflare Workers and GitHub, as well as exploitation of the WinRAR vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38831">CVE-2023-38831</a>. Our countermeasures included internal actions, such as detections and code takedowns, as well as external collaboration with third parties to remove the actor’s cloud-hosted malware. Our effectiveness against this actor prolonged their operational timeline from days to weeks. For example, in a single instance, FlyingYeti spent almost eight hours debugging their code as a result of our mitigations. By employing proactive defense measures, we successfully stopped this determined threat actor from achieving their objectives.</p>
    <h3>Executive Summary</h3>
    <ul><li><p>On April 18, 2024, Cloudforce One detected the Russia-aligned threat actor FlyingYeti preparing to launch a phishing espionage campaign targeting individuals in Ukraine.</p></li><li><p>We discovered the actor used similar tactics, techniques, and procedures (TTPs) as those detailed in <a href="https://cert.gov.ua/article/6278620">Ukrainian CERT's article on UAC-0149</a>, a threat group that has primarily <a href="https://cert.gov.ua/article/6277849?ref=news.risky.biz">targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023</a>.</p></li><li><p>From mid-April to mid-May, we observed FlyingYeti conduct reconnaissance activity, create lure content for use in their phishing campaign, and develop various iterations of their malware. We assessed that the threat actor intended to launch their campaign in early May, likely following Orthodox Easter.</p></li><li><p>After several weeks of monitoring actor reconnaissance and weaponization activity (<a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html">Cyber Kill Chain Stages 1 and 2</a>), we successfully disrupted FlyingYeti’s operation moments after the final COOKBOX payload was built.</p></li><li><p>The payload included an exploit for the WinRAR vulnerability CVE-2023-38831, which FlyingYeti will likely continue to use in their phishing campaigns to infect targets with malware.</p></li><li><p>We offer steps users can take to defend themselves against FlyingYeti phishing operations, and also provide recommendations, detections, and indicators of compromise.</p></li></ul>
    <h2>Who is FlyingYeti?</h2>
    <p>FlyingYeti is the <a href="https://www.merriam-webster.com/dictionary/cryptonym">cryptonym</a> given by <a href="/introducing-cloudforce-one-threat-operations-and-threat-research">Cloudforce One</a> to the threat group behind this phishing campaign, which overlaps with UAC-0149 activity tracked by <a href="https://cert.gov.ua/">CERT-UA</a> in <a href="https://cert.gov.ua/article/6277849?ref=news.risky.biz">February</a> and <a href="https://cert.gov.ua/article/6278620">April</a> 2024. The threat actor uses dynamic DNS (<a href="https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/">DDNS</a>) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2). Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities. Additionally, we observed Russian-language comments in FlyingYeti’s code, and the actor’s operational hours falling within the UTC+3 time zone.</p>
    <h2>Campaign background</h2>
    <p>In the days leading up to the start of the campaign, Cloudforce One observed FlyingYeti conducting reconnaissance on payment processes for Ukrainian communal housing and utility services:</p><ul><li><p>April 22, 2024 – research into changes made in 2016 that introduced the use of QR codes in payment notices</p></li><li><p>April 22, 2024 – research on current developments concerning housing and utility debt in Ukraine</p></li><li><p>April 25, 2024 – research on the legal basis for restructuring housing debt in Ukraine as well as debt involving utilities, such as gas and electricity</p></li></ul><p>Cloudforce One judges that the observed reconnaissance is likely due to the Ukrainian government’s payment moratorium introduced at the start of the full-fledged invasion in February 2022. Under this moratorium, outstanding debt would not lead to evictions or termination of provision of utility services. However, on January 9, 2024, the <a href="https://en.interfax.com.ua/news/economic/959388.html">government lifted this ban</a>, resulting in increased pressure on Ukrainian citizens with outstanding debt. FlyingYeti sought to capitalize on that pressure, leveraging debt restructuring and payment-related lures in an attempt to increase their chances of successfully targeting Ukrainian individuals.</p>
    <h2>Analysis of the Komunalka-themed phishing site</h2>
    <p>The disrupted phishing campaign would have directed FlyingYeti targets to an actor-controlled GitHub page at hxxps[:]//komunalka[.]github[.]io, which is a spoofed version of the Kyiv Komunalka communal housing site <a href="https://www.komunalka.ua">https://www.komunalka.ua</a>. Komunalka functions as a payment processor for residents in the Kyiv region and allows for payment of utilities, such as gas, electricity, telephone, and Internet. Additionally, users can pay other fees and fines, and even donate to Ukraine’s defense forces.</p><p>Based on past FlyingYeti operations, targets may be directed to the actor’s GitHub page via a link in a phishing email or an encrypted Signal message. If a target accesses the spoofed Komunalka platform at hxxps[:]//komunalka[.]github[.]io, the page displays a large green button with a prompt to download the document “Рахунок.docx” (“Invoice.docx”), as shown in Figure 1. This button masquerades as a link to an overdue payment invoice but actually results in the download of the malicious archive “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/22Rnm7YOnwnJocG98RMFDa/def10039081f7e9c6df15980a8b855ac/image4-5.png" />
            
            </figure><p>Figure 1: Prompt to download malicious archive “Заборгованість по ЖКП.rar”</p><p>A series of steps must take place for the download to successfully occur:</p><ul><li><p>The target clicks the green button on the actor’s GitHub page hxxps[:]//komunalka.github[.]io</p></li><li><p>The target’s device sends an HTTP POST request to the Cloudflare Worker worker-polished-union-f396[.]vqu89698[.]workers[.]dev with the HTTP request body set to “user=Iahhdr”</p></li><li><p>The Cloudflare Worker processes the request and evaluates the HTTP request body</p></li><li><p>If the request conditions are met, the Worker fetches the RAR file from hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar, which is then downloaded on the target’s device</p></li></ul><p>Cloudforce One identified the infrastructure responsible for facilitating the download of the malicious RAR file and remediated the actor-associated Worker, preventing FlyingYeti from delivering its malicious tooling. In an effort to circumvent Cloudforce One's mitigation measures, FlyingYeti later changed their malware delivery method. Instead of the Workers domain fetching the malicious RAR file, it was loaded directly from GitHub.</p>
    <h2>Analysis of the malicious RAR file</h2>
    <p>During remediation, Cloudforce One recovered the RAR file “Заборгованість по ЖКП.rar” and analyzed the malicious payload. The downloaded RAR archive contains multiple files, including a file with a name that contains the Unicode character “U+201F”. This character renders as whitespace on Windows devices and can be used to “hide” file extensions by adding excessive whitespace between the filename and the file extension. As highlighted in blue in Figure 2, this cleverly named file within the RAR archive appears to be a PDF document but is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/55Vjmg9VLEnAFv3RZQoZ2l/866016a2489f2a6c780c9f3971dd28ca/image2-11.png" />
            
            </figure><p>Figure 2: Files contained in the malicious RAR archive “Заборгованість по ЖКП.rar” (“Housing Debt.rar”)</p><p>FlyingYeti included a benign PDF in the archive with the same name as the CMD file but without the unicode character, “Рахунок на оплату.pdf” (“Invoice for payment.pdf”). Additionally, the directory name for the archive once decompressed also contained the name “Рахунок на оплату.pdf”. This overlap in names of the benign PDF and the directory allows the actor to exploit the WinRAR vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38831">CVE-2023-38831</a>. More specifically, when an archive includes a benign file with the same name as the directory, the entire contents of the directory are opened by the WinRAR application, resulting in the execution of the malicious CMD. In other words, when the target believes they are opening the benign PDF “Рахунок на оплату.pdf”, the malicious CMD file is executed.</p><p>The CMD file contains the FlyingYeti PowerShell malware known as <a href="https://cert.gov.ua/article/6277849?ref=news.risky.biz">COOKBOX</a>. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell <a href="https://learn.microsoft.com/en-us/powershell/scripting/powershell-commands?view=powershell-7.4">cmdlets</a> that the malware will subsequently run.</p><p>Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the <a href="https://canarytokens.com/generate">Canary Tokens</a> service. The first document, shown in Figure 3 below, poses as an agreement under which debt for housing and utility services will be restructured.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/20vFV9kNTMmwxFXvpQoJTc/12542fb7a7d2108d49607f2a23fc7575/image5-10.png" />
            
            </figure><p>Figure 3: Decoy document Реструктуризація боргу за житлово комунальні послуги.docx</p><p>The second document (Figure 4) is a user agreement outlining the terms and conditions for the usage of the payment platform komunalka[.]ua.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1VHSTwqfrXWXvoryg8lOcE/68eb096bc82f18c7edcb4c88c1ed6d2c/image3-6.png" />
            
            </figure><p>Figure 4: Decoy document Угода користувача.docx <i>(User Agreement.docx)</i></p><p>The use of relevant decoy documents as part of the phishing and delivery activity is likely an effort by FlyingYeti operators to increase the appearance of legitimacy of their activities.</p><p>The phishing theme we identified in this campaign is likely one of many themes leveraged by this actor in a larger operation to target Ukrainian entities, in particular their defense forces. In fact, the threat activity we detailed in this blog uses many of the same techniques outlined in a <a href="https://cert.gov.ua/article/6278620">recent FlyingYeti campaign</a> disclosed by CERT-UA in mid-April 2024, where the actor leveraged United Nations-themed lures involving Peace Support Operations to target Ukraine’s military. Due to Cloudforce One’s defensive actions covered in the next section, this latest FlyingYeti campaign was prevented as of the time of publication.</p>
    <h2>Mitigating FlyingYeti activity</h2>
    <p>Cloudforce One mitigated FlyingYeti’s campaign through a series of actions. Each action was taken to increase the actor’s cost of continuing their operations. When assessing which action to take and why, we carefully weighed the pros and cons in order to provide an effective active defense strategy against this actor. Our general goal was to increase the amount of time the threat actor spent trying to develop and weaponize their campaign.</p><p>We were able to successfully extend the timeline of the threat actor’s operations from hours to weeks. At each interdiction point, we assessed the impact of our mitigation to ensure the actor would spend more time attempting to launch their campaign. Our mitigation measures disrupted the actor’s activity, in one instance resulting in eight additional hours spent on debugging code.</p><p>Due to our proactive defense efforts, FlyingYeti operators adapted their tactics multiple times in their attempts to launch the campaign. The actor originally intended to have the Cloudflare Worker fetch the malicious RAR file from GitHub. After Cloudforce One’s interdiction of the Worker, the actor attempted to create additional Workers via a new account. In response, we disabled all Workers, leading the actor to load the RAR file directly from GitHub. Cloudforce One notified GitHub, resulting in the takedown of the RAR file, the GitHub project, and suspension of the account used to host the RAR file. In response, FlyingYeti began testing the option to host the RAR file on the file sharing sites <a href="https://pixeldrain.com/">pixeldrain</a> and <a href="https://www.filemail.com/">Filemail</a>, where we observed the actor alternating the link on the Komunalka phishing site between the following:</p><ul><li><p>hxxps://pixeldrain[.]com/api/file/ZAJxwFFX?download=one</p></li><li><p>hxxps://1014.filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&amp;pk_vid=a3d82455433c8ad11715865826cf18f6</p></li></ul><p>We notified GitHub of the actor’s evolving tactics, and in response GitHub removed the Komunalka phishing site. After analyzing the files hosted on pixeldrain and Filemail, we determined the actor uploaded dummy payloads, likely to monitor access to their phishing infrastructure (Filemail logs IP addresses, and both file hosting sites provide view and download counts). At the time of publication, we did not observe FlyingYeti upload the malicious RAR file to either file hosting site, nor did we identify the use of alternative phishing or malware delivery methods.</p><p>A timeline of FlyingYeti’s activity and our corresponding mitigations can be found below.</p>
    <h3>Event timeline</h3>
    
<div><table><colgroup>
<col></col>
<col></col>
</colgroup>
<thead>
  <tr>
    <th><span>Date</span></th>
    <th><span>Event Description</span></th>
  </tr></thead>
<tbody>
  <tr>
    <td><span>2024-04-18 12:18</span></td>
    <td><span>Threat Actor (TA) creates a Worker to handle requests from a phishing site</span></td>
  </tr>
  <tr>
    <td><span>2024-04-18 14:16</span></td>
    <td><span>TA creates phishing site komunalka[.]github[.]io on GitHub</span></td>
  </tr>
  <tr>
    <td><span>2024-04-25 12:25</span></td>
    <td><span>TA creates a GitHub repo to host a RAR file</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 07:46</span></td>
    <td><span>TA updates the first Worker to handle requests from users visiting komunalka[.]github[.]io</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 08:24</span></td>
    <td><span>TA uploads a benign test RAR to the GitHub repo</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 13:38</span></td>
    <td><span>Cloudforce One identifies a Worker receiving requests from users visiting komunalka[.]github[.]io, observes its use as a phishing page</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 13:46</span></td>
    <td><span>Cloudforce One identifies that the Worker fetches a RAR file from GitHub (the malicious RAR payload is not yet hosted on the site)</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 19:22</span></td>
    <td><span>Cloudforce One creates a detection to identify the Worker that fetches the RAR</span></td>
  </tr>
  <tr>
    <td><span>2024-04-26 21:13</span></td>
    <td><span>Cloudforce One deploys real-time monitoring of the RAR file on GitHub</span></td>
  </tr>
  <tr>
    <td><span>2024-05-02 06:35</span></td>
    <td><span>TA deploys a weaponized RAR (CVE-2023-38831) to GitHub with their COOKBOX malware packaged in the archive</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 10:03</span></td>
    <td><span>TA attempts to update the Worker with link to weaponized RAR, the Worker is immediately blocked</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 10:38</span></td>
    <td><span>TA creates a new Worker, the Worker is immediately blocked</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 11:04</span></td>
    <td><span>TA creates a new account (#2) on Cloudflare</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 11:06</span></td>
    <td><span>TA creates a new Worker on account #2 (blocked)</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 11:50</span></td>
    <td><span>TA creates a new Worker on account #2 (blocked)</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 12:22</span></td>
    <td><span>TA creates a new modified Worker on account #2</span></td>
  </tr>
  <tr>
    <td><span>2024-05-06 16:05</span></td>
    <td><span>Cloudforce One disables the running Worker on account #2</span></td>
  </tr>
  <tr>
    <td><span>2024-05-07 22:16</span></td>
    <td><span>TA notices the Worker is blocked, ceases all operations</span></td>
  </tr>
  <tr>
    <td><span>2024-05-07 22:18</span></td>
    <td><span>TA deletes original Worker first created to fetch the RAR file from the GitHub phishing page</span></td>
  </tr>
  <tr>
    <td><span>2024-05-09 19:28</span></td>
    <td><span>Cloudforce One adds phishing page komunalka[.]github[.]io to real-time monitoring</span></td>
  </tr>
  <tr>
    <td><span>2024-05-13 07:36</span></td>
    <td><span>TA updates the github.io phishing site to point directly to the GitHub RAR link</span></td>
  </tr>
  <tr>
    <td><span>2024-05-13 17:47</span></td>
    <td><span>Cloudforce One adds COOKBOX C2 postdock[.]serveftp[.]com to real-time monitoring for DNS resolution</span></td>
  </tr>
  <tr>
    <td><span>2024-05-14 00:04</span></td>
    <td><span>Cloudforce One notifies GitHub to take down the RAR file</span></td>
  </tr>
  <tr>
    <td><span>2024-05-15 09:00</span></td>
    <td><span>GitHub user, project, and link for RAR are no longer accessible</span></td>
  </tr>
  <tr>
    <td><span>2024-05-21 08:23</span></td>
    <td><span>TA updates Komunalka phishing site on github.io to link to pixeldrain URL for dummy payload (pixeldrain only tracks view and download counts)</span></td>
  </tr>
  <tr>
    <td><span>2024-05-21 08:25</span></td>
    <td><span>TA updates Komunalka phishing site to link to FileMail URL for dummy payload (FileMail tracks not only view and download counts, but also IP addresses)</span></td>
  </tr>
  <tr>
    <td><span>2024-05-21 12:21</span></td>
    <td><span>Cloudforce One downloads PixelDrain document to evaluate payload</span></td>
  </tr>
  <tr>
    <td><span>2024-05-21 12:47</span></td>
    <td><span>Cloudforce One downloads FileMail document to evaluate payload</span></td>
  </tr>
  <tr>
    <td><span>2024-05-29 23:59</span></td>
    <td><span>GitHub takes down Komunalka phishing site</span></td>
  </tr>
  <tr>
    <td><span>2024-05-30 13:00</span></td>
    <td><span>Cloudforce One publishes the results of this investigation</span></td>
  </tr>
</tbody></table></div>
    <div>
      <h2>Coordinating our FlyingYeti response</h2>
    </div>
    <p>Cloudforce One leveraged industry relationships to provide advanced warning and to mitigate the actor’s activity. To further protect the intended targets from this phishing threat, Cloudforce One notified and collaborated closely with GitHub’s Threat Intelligence and Trust and Safety Teams. We also notified CERT-UA and Cloudflare industry partners such as CrowdStrike, Mandiant/Google Threat Intelligence, and Microsoft Threat Intelligence.</p>
    <div>
      <h3>Hunting FlyingYeti operations</h3>
    </div>
    <p>There are several ways to hunt for FlyingYeti activity in your environment. These include using PowerShell to hunt for WinRAR files, deploying Microsoft Sentinel analytics rules, and running Splunk searches, as detailed below. Note that these detections may identify activity related to this threat, but may also trigger on unrelated activity.</p>
    <div>
      <h3>PowerShell hunting</h3>
    </div>
    <p>Consider running a PowerShell script such as <a href="https://github.com/IR-HuntGuardians/CVE-2023-38831-HUNT/blob/main/hunt-script.ps1">this one</a> in your environment to identify exploitation of CVE-2023-38831. This script will interrogate WinRAR files for evidence of the exploit.</p>
            <pre><code># CVE-2023-38831
# Description: WinRAR exploit detection
# Open the suspicious archive (.tar / .zip / .rar) in WinRAR, then run this script to check it

function winrar-exploit-detect() {
    # Script extensions the exploit pairs with a decoy document
    $targetExtensions = @(".cmd", ".ps1", ".bat")
    # WinRAR extracts double-clicked archive entries into %TEMP%\Rar* directories
    $tempDir = [System.Environment]::GetEnvironmentVariable("TEMP")
    $dirsToCheck = Get-ChildItem -Path $tempDir -Directory -Filter "Rar*"
    foreach ($dir in $dirsToCheck) {
        $files = Get-ChildItem -LiteralPath $dir.FullName -File
        foreach ($file in $files) {
            $fileName = $file.Name
            $fileExtension = [System.IO.Path]::GetExtension($fileName)
            if ($targetExtensions -contains $fileExtension) {
                # Drop the script extension, then the trailing space (or dot) the exploit
                # appends, to recover the name of the decoy document it was paired with
                $fileWithoutExtension = ([System.IO.Path]::GetFileNameWithoutExtension($fileName)).TrimEnd() -replace '\.$'
                $secondFile = Join-Path -Path $dir.FullName -ChildPath $fileWithoutExtension

                # A decoy file with exactly that name next to the script is the exploit pattern
                if (Test-Path -LiteralPath $secondFile -PathType Leaf) {
                    Write-Host "[!] Suspicious pair detected"
                    Write-Host "[*] Original File: $secondFile" -ForegroundColor Green
                    Write-Host "[*] Suspicious File: $($file.FullName)" -ForegroundColor Red

                    # Read and display the content of the command file
                    $cmdFileContent = Get-Content -LiteralPath $file.FullName
                    Write-Host "[+] Command File Content: $cmdFileContent"
                }
            }
        }
    }
}
winrar-exploit-detect</code></pre>
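<p>The pair check that script performs, as an added Python example that is not code from this post or from the linked repository: it re-implements the same test over an in-memory directory listing so it can be exercised on any platform, and adds a walker over the Rar* temp directories the script inspects. The function names, the walker and the sample file names are assumptions, not part of the original.</p>

```python
"""Flag CVE-2023-38831-style decoy/script file pairs in a directory listing.

Added example, not part of the original post or of the linked hunt script.
It re-implements the hunt script's pair check in Python over an in-memory
listing (so it runs on any platform and can be unit-tested), plus a small
walker over the %TEMP%\\Rar* directories the script inspects.
Sample file names below are constructed.
"""
from __future__ import annotations

import fnmatch
import os
from typing import Iterable

# Script extensions the hunt script pairs against a decoy document.
SCRIPT_EXTENSIONS = {".cmd", ".ps1", ".bat"}


def decoy_name_for(script_name: str) -> str:
    """Recover the decoy document name a script entry was paired with.

    Mirrors the hunt script: drop the script extension, trim trailing
    whitespace, then drop a single trailing dot (its `-replace '\\.$'`
    step), e.g. "Invoice.pdf .cmd" -> "Invoice.pdf".
    """
    stem, _ext = os.path.splitext(script_name)
    stem = stem.rstrip()
    if stem.endswith("."):
        stem = stem[:-1]
    return stem


def find_suspicious_pairs(names: Iterable[str]) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs among the file names of one directory.

    A script is suspicious when its name, minus extension and trailing
    padding, matches another file in the same listing. Windows file names
    are case-insensitive, so the match ignores case.
    """
    names = list(names)
    by_folded = {n.casefold(): n for n in names}
    pairs: list[tuple[str, str]] = []
    for name in names:
        if os.path.splitext(name)[1].casefold() not in SCRIPT_EXTENSIONS:
            continue
        decoy = by_folded.get(decoy_name_for(name).casefold())
        if decoy and decoy != name:
            pairs.append((decoy, name))
    return pairs


def scan_rar_temp_dirs(temp_dir: str) -> dict[str, list[tuple[str, str]]]:
    """Check every Rar* directory directly below temp_dir, as the hunt script does.

    Returns {directory: pairs} for directories holding at least one pair;
    an unreadable temp_dir yields an empty result instead of an exception.
    """
    findings: dict[str, list[tuple[str, str]]] = {}
    try:
        entries = list(os.scandir(temp_dir))
    except OSError:
        return findings
    for entry in entries:
        if not (entry.is_dir() and fnmatch.fnmatch(entry.name, "Rar*")):
            continue
        try:
            files = [f.name for f in os.scandir(entry.path) if f.is_file()]
        except OSError:
            continue
        pairs = find_suspicious_pairs(files)
        if pairs:
            findings[entry.path] = pairs
    return findings


if __name__ == "__main__":
    # Constructed listing of an extraction directory: a decoy PDF next to a
    # script whose name is the decoy name plus a trailing space.
    listing = ["Invoice.pdf", "Invoice.pdf .cmd", "readme.txt", "setup.bat"]
    for decoy, script in find_suspicious_pairs(listing):
        print(f"[!] Suspicious pair: {decoy!r} <- {script!r}")
    # Live check of the current machine's WinRAR temp directories (empty if none)
    for directory, pairs in scan_rar_temp_dirs(os.environ.get("TEMP", "")).items():
        print(directory, pairs)
```

<p>The in-memory form is what makes the check testable: the edge cases the PowerShell handles with TrimEnd and the trailing-dot replace (a decoy name padded with a space, a stray trailing dot) can be asserted on without creating oddly named files, and the same function can be pointed at an archive listing before extraction as well as at the extracted temp directory.</p>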
            
    <div>
      <h3>Microsoft Sentinel</h3>
    </div>
    <p>In Microsoft Sentinel, consider deploying the rule provided below, which identifies processes started by a cmd.exe that was itself spawned by WinRAR. Results generated by this rule may be indicative of attack activity on the endpoint and should be analyzed.</p>
            <pre><code>DeviceProcessEvents
| where InitiatingProcessParentFileName has @"winrar.exe"
| where InitiatingProcessFileName has @"cmd.exe"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| sort by Timestamp desc</code></pre>
            
    <div>
      <h3>Splunk</h3>
    </div>
    <p>Consider using <a href="https://research.splunk.com/endpoint/d2f36034-37fa-4bd4-8801-26807c15540f/">this search</a> in your Splunk environment to look for WinRAR CVE-2023-38831 execution on your Microsoft endpoints. Results generated by this search may be indicative of attack activity on the endpoint and should be analyzed.</p>
            <pre><code>| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `winrar_spawning_shell_application_filter`</code></pre>
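<p>The logic of the Sentinel rule and the Splunk search above, as an added Python example (not code from this post, from Microsoft or from Splunk) run over constructed JSON-lines process events: one function flags processes created by a cmd.exe that WinRAR spawned (the Sentinel rule), another flags shells and the listed utilities spawned directly by winrar.exe, with an allowlist standing in for the filter macro (the Splunk search), and a summary gives per-host counts with first and last seen times as the tstats search does. Field names, the shell list and the sample events are assumptions.</p>

```python
"""Detect shells and utilities spawned under WinRAR in process telemetry.

Added example, not part of the original post or of the Sentinel/Splunk
content it links to. It re-implements the two queries above in Python
over constructed JSON-lines process events so they can be run offline.
Field names, the shell list and the sample events are assumptions.
"""
from __future__ import annotations

import json

# Approximation of the Splunk `windows_shells` macro (assumed list).
WINDOWS_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Utilities named explicitly in the Splunk search.
SUSPICIOUS_CHILDREN = {"certutil.exe", "mshta.exe", "bitsadmin.exe"}
PARENT_OF_INTEREST = "winrar.exe"

# Constructed sample telemetry, one JSON object per line. "parent" is the
# image that created the process (Sentinel's InitiatingProcessFileName);
# pid/ppid let us walk one more hop up the tree. Hosts and paths are made up.
SAMPLE_EVENTS = r'''
{"ts": "2024-05-06T10:05:12Z", "host": "WS-01", "user": "alice", "pid": 5200, "ppid": 4100, "parent": "winrar.exe", "process": "cmd.exe", "cmdline": "cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa0.123\\Invoice.pdf .cmd\""}
{"ts": "2024-05-06T10:05:13Z", "host": "WS-01", "user": "alice", "pid": 5244, "ppid": 5200, "parent": "cmd.exe", "process": "powershell.exe", "cmdline": "powershell.exe -NoProfile -File stage.ps1"}
{"ts": "2024-05-06T10:07:40Z", "host": "WS-01", "user": "alice", "pid": 5300, "ppid": 4100, "parent": "winrar.exe", "process": "certutil.exe", "cmdline": "certutil.exe -hashfile Invoice.pdf SHA256"}
{"ts": "2024-05-06T11:00:00Z", "host": "WS-02", "user": "bob", "pid": 7001, "ppid": 6000, "parent": "explorer.exe", "process": "cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2024-05-06T11:30:00Z", "host": "WS-02", "user": "bob", "pid": 7050, "ppid": 6100, "parent": "winrar.exe", "process": "notepad.exe", "cmdline": "notepad.exe readme.txt"}
{"ts": "2024-05-06T12:00:00Z", "host": "WS-03", "user": "carol", "pid": 8001, "ppid": 7900, "parent": "winrar.exe", "process": "cmd.exe", "cmdline": "cmd.exe /c \"C:\\Program Files\\Corp\\archive-hook.cmd\""}
'''


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def winrar_spawning_shell(events: list[dict], allowlist: tuple[str, ...] = ()) -> list[dict]:
    """Splunk search equivalent: winrar.exe directly spawning a shell or listed utility.

    `allowlist` stands in for the `winrar_spawning_shell_application_filter`
    macro: a hit whose command line contains one of its substrings is dropped.
    """
    hits = []
    for event in events:
        if event["parent"].lower() != PARENT_OF_INTEREST:
            continue
        child = event["process"].lower()
        if child not in WINDOWS_SHELLS and child not in SUSPICIOUS_CHILDREN:
            continue
        if any(marker in event["cmdline"] for marker in allowlist):
            continue
        hits.append(event)
    return hits


def commands_run_from_winrar_shell(events: list[dict]) -> list[dict]:
    """Sentinel rule equivalent: processes created by a cmd.exe that WinRAR spawned.

    The KQL filters on InitiatingProcessFileName (cmd.exe) and
    InitiatingProcessParentFileName (winrar.exe); here the grandparent is
    found by looking up the initiating process's own event via ppid.
    """
    by_pid = {event["pid"]: event for event in events}
    hits = []
    for event in events:
        initiating = by_pid.get(event["ppid"])
        if initiating is None:
            continue
        if (initiating["process"].lower() == "cmd.exe"
                and initiating["parent"].lower() == PARENT_OF_INTEREST):
            hits.append(event)
    # "sort by Timestamp desc", as in the KQL
    return sorted(hits, key=lambda e: e["ts"], reverse=True)


def summarise_by_host(hits: list[dict]) -> dict[str, dict]:
    """Per-host count, firstTime and lastTime, like the tstats aggregation."""
    summary: dict[str, dict] = {}
    for event in hits:
        entry = summary.setdefault(
            event["host"], {"count": 0, "firstTime": event["ts"], "lastTime": event["ts"]})
        entry["count"] += 1
        # ISO-8601 UTC timestamps in one format compare correctly as strings
        entry["firstTime"] = min(entry["firstTime"], event["ts"])
        entry["lastTime"] = max(entry["lastTime"], event["ts"])
    return summary


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    direct = winrar_spawning_shell(EVENTS, allowlist=("archive-hook.cmd",))
    for event in direct:
        print(f"[splunk-style] {event['host']} {event['ts']} {event['parent']} -> {event['process']}: {event['cmdline']}")
    for event in commands_run_from_winrar_shell(EVENTS):
        print(f"[sentinel-style] {event['host']} {event['ts']} cmd.exe under WinRAR ran {event['process']}")
    print(summarise_by_host(direct))
```

<p>The two rules overlap but are not the same: the Splunk-style check fires on the cmd.exe and certutil.exe launched directly by winrar.exe (the benign-looking certutil hash command included, since the rule keys on lineage rather than arguments), while the Sentinel-style check fires one hop later, on the powershell.exe that the WinRAR-spawned cmd.exe started. The allowlist is where a legitimate archive post-processing hook would be excluded, which is the role of the filter macro at the end of the Splunk search.</p>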
            
    <div>
      <h2>Cloudflare product detections</h2>
    </div>
    
    <div>
      <h3>Cloudflare Email Security</h3>
    </div>
    <p>Cloudflare Email Security (CES) customers can identify FlyingYeti threat activity with the following detections.</p><ul><li><p>CVE-2023-38831</p></li><li><p>FLYINGYETI.COOKBOX</p></li><li><p>FLYINGYETI.COOKBOX.Launcher</p></li><li><p>FLYINGYETI.Rar</p></li></ul>
    <div>
      <h2>Recommendations</h2>
    </div>
    <p>Cloudflare recommends taking the following steps to mitigate this type of activity:</p><ul><li><p>Implement Zero Trust architecture foundations:</p><ul><li><p>Deploy Cloud Email Security to ensure that email services are protected against phishing, BEC and other threats</p></li><li><p>Leverage browser isolation to separate messaging applications like LinkedIn, email, and Signal from your main network</p></li><li><p>Scan, monitor and/or enforce controls on specific or sensitive data moving through your network environment with data loss prevention policies</p></li></ul></li><li><p>Ensure your systems have the latest WinRAR and Microsoft security updates installed</p></li><li><p>Consider preventing WinRAR files from entering your environment, both at your Cloud Email Security solution and your Internet Traffic Gateway</p></li><li><p>Run an Endpoint Detection and Response (EDR) tool such as CrowdStrike or Microsoft Defender for Endpoint to get visibility into binary execution on hosts</p></li><li><p>Search your environment for the FlyingYeti indicators of compromise (IOCs) shown below to identify potential actor activity within your network.</p></li></ul><p>If you’re looking to uncover additional Threat Intelligence insights for your organization or need bespoke Threat Intelligence information for an incident, consider engaging with Cloudforce One by contacting your Customer Success manager or filling out <a href="https://www.cloudflare.com/zero-trust/lp/cloudforce-one-threat-intel-subscription/">this form</a>.</p>
    <div>
      <h2>Indicators of Compromise</h2>
    </div>
    
<div><table><colgroup>
<col></col>
<col></col>
</colgroup>
<thead>
  <tr>
    <th><span>Domain / URL</span></th>
    <th><span>Description</span></th>
  </tr></thead>
<tbody>
  <tr>
    <td><span>komunalka[.]github[.]io</span></td>
    <td><span>Phishing page</span></td>
  </tr>
  <tr>
    <td><span>hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io</span></td>
    <td><span>Phishing page</span></td>
  </tr>
  <tr>
    <td><span>hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev</span></td>
    <td><span>Worker that fetches malicious RAR file</span></td>
  </tr>
  <tr>
    <td><span>hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar</span></td>
    <td><span>Delivery of malicious RAR file</span></td>
  </tr>
  <tr>
    <td><span>hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&amp;pk_vid=a3d82455433c8ad11715865826cf18f6</span></td>
    <td><span>Dummy payload</span></td>
  </tr>
  <tr>
    <td><span>hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download=</span></td>
    <td><span>Dummy payload</span></td>
  </tr>
  <tr>
    <td><span>hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js</span></td>
    <td><span>Tracking link</span></td>
  </tr>
  <tr>
    <td><span>hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html</span></td>
    <td><span>Tracking link</span></td>
  </tr>
  <tr>
    <td><span>postdock[.]serveftp[.]com</span></td>
    <td><span>COOKBOX C2</span></td>
  </tr>
</tbody></table></div> ]]></content:encoded>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Cloudflare Workers]]></category>
            <category><![CDATA[Cloudforce One]]></category>
            <category><![CDATA[CVE]]></category>
            <category><![CDATA[Exploit]]></category>
            <category><![CDATA[GitHub]]></category>
            <category><![CDATA[Intrusion Detection]]></category>
            <category><![CDATA[Malware]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Remote Browser Isolation]]></category>
            <category><![CDATA[Russia]]></category>
            <category><![CDATA[Serverless]]></category>
            <category><![CDATA[Threat Data]]></category>
            <category><![CDATA[Threat Intelligence]]></category>
            <category><![CDATA[Threat Operations]]></category>
            <category><![CDATA[Ukraine]]></category>
            <category><![CDATA[Vulnerabilities]]></category>
            <guid isPermaLink="false">5JO10nXN3tLVG2C1EttkiH</guid>
            <dc:creator>Cloudforce One</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare One DLP integrates with Microsoft Information Protection labels]]></title>
            <link>https://blog.cloudflare.com/cloudflare-dlp-mip/</link>
            <pubDate>Tue, 14 Mar 2023 13:00:00 GMT</pubDate>
            <description><![CDATA[ Today, we are excited to announce that Cloudflare One now offers Data Loss Prevention (DLP) detections for Microsoft Purview Information Protection labels. Simply integrate with your Microsoft account, retrieve your labels, and build rules to guide the movement of your labeled data ]]></description>
            <content:encoded><![CDATA[ <p></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2jkiK9oFdQLF3mw1d4Hzqh/3944042c79449119e9960e7cfc33e90d/Cloudflare-One-customers-can-sync-Microsoft-Labels-with-a-DLP-Profile-and-create-policies-to-block-based-on-those-labels--ie.png" />
            
            </figure><p>The crown jewels for an organization are often data, and the first step in protection should be locating where the most critical information lives. Yet, maintaining a thorough inventory of sensitive data is harder than it seems and generally a massive lift for security teams. To help overcome data security troubles, Microsoft offers their customers data classification and protection tools. One popular option is the <a href="https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide">sensitivity labels</a> available with Microsoft Purview Information Protection. However, customers need the ability to track sensitive data movement even as it migrates beyond the visibility of Microsoft.</p><p>Today, we are excited to announce that <a href="https://www.cloudflare.com/cloudflare-one/">Cloudflare One</a> now offers Data Loss Prevention (DLP) detections for Microsoft Purview Information Protection labels. Simply integrate with your Microsoft account, retrieve your labels, and build rules to guide the movement of your labeled data. This extends the power of Microsoft’s labels to any of your corporate traffic in just a few clicks.</p>
    <div>
      <h3>Data Classification with Microsoft Labels</h3>
    </div>
    <p>Every organization has a wealth of data to manage, from publicly accessible data, like documentation, to internal data, like the launch date of a new product. Then, of course, there is the data requiring the highest levels of protection, such as customer PII. Organizations are responsible for confining data to the proper destinations while still supporting accessibility and productivity, which is no small feat.</p><p><a href="https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide">Microsoft Purview Information Protection offers sensitivity labels</a> to let you classify your organization's data. With these labels, Microsoft provides the ability to protect sensitive data, while still enabling productivity and collaboration. Sensitivity labels can be used in a number of Microsoft applications, which includes the ability to apply the labels to Microsoft Office documents. The labels correspond to the sensitivity of the data within the file, such as Public, Confidential, or Highly Confidential.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/41QutoLBdbHHwNdPWnypc4/57ddb8d52610e327131b4e243a0498a2/sensitivity-label-in-excel-1.png" />
            
            </figure><p>The labels are embedded in a document’s metadata and are preserved even when it leaves the Microsoft environment, such as a download from OneDrive.</p>
    <div>
      <h3>Sync Cloudflare One and Microsoft Information Protection</h3>
    </div>
    <p>Cloudflare One, our <a href="https://www.cloudflare.com/learning/access-management/what-is-sase/">SASE</a> platform that delivers <a href="https://www.cloudflare.com/learning/network-layer/network-as-a-service-naas/">network-as-a-service (NaaS)</a> with <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust</a> security natively built-in, connects users to enterprise resources, and offers a wide variety of opportunities to secure corporate traffic, including the inspection of data moving across the Microsoft productivity suite. We’ve designed Cloudflare One to act as a single pane of glass for your organization. This means that after you’ve deployed any of our Zero Trust services, whether that be Zero Trust Network Access or <a href="https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/">Secure Web Gateway</a>, you are clicks, not months, away from deploying <a href="https://www.cloudflare.com/products/zero-trust/dlp/">Data Loss Prevention</a>, Cloud Access Security Broker, <a href="https://www.cloudflare.com/zero-trust/products/email-security/">Email Security</a>, and Browser Isolation to enhance your Microsoft security and overall data protection.</p><p>Specifically, Cloudflare’s API-driven <a href="https://www.cloudflare.com/learning/access-management/what-is-a-casb/">Cloud Access Security Broker (CASB)</a> can scan SaaS applications like Microsoft 365 for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in.</p><p>With this new integration, CASB can now also retrieve Information Protection labels from your Microsoft account. If you have labels configured, upon integration, CASB will automatically populate the labels into a Data Loss Prevention profile.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6cNvA8cmM3mGFY4QAetFjx/d268d12ad308093a3eabea2f22e06831/Screenshot-2023-02-24-at-3.37.22-PM.png" />
            
            </figure><p>DLP profiles are the building blocks for applying DLP scanning. They are where you identify the sensitive data you want to protect, such as Microsoft labeled data, credit card numbers, or custom keywords. Your labels are stored as entries within the Microsoft Purview Information Protection Sensitivity Labels profile using the name of your CASB integration. You can also add the labels to custom DLP profiles, offering more detection flexibility.</p>
    <div>
      <h3>Build DLP Rules</h3>
    </div>
    <p>You can now extend the power of Microsoft’s labels to protect your data as it moves to other platforms. By building DLP rules, you determine how labeled data can move around and out of your corporate network. Perhaps you don’t want to allow Highly Confidential labels to be downloaded from your OneDrive account, or you don’t want any data more sensitive than Confidential to be uploaded to file sharing sites that you don’t use. All of this can be implemented using DLP and Cloudflare Gateway.</p><p>Simply navigate to your Gateway Firewall Policies and start building rules using your DLP profiles:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/K7hvEwZxTkZDNxoJjwWQg/ff7ea0b8d2b65537404849933b9e0774/Screenshot-2023-03-03-at-5.53.30-PM-1.png" />
            
            </figure>
    <div>
      <h3>How to Get Started</h3>
    </div>
    <p>To get access to DLP, reach out for a <a href="https://www.cloudflare.com/cloudflare-one/">consultation</a>, or contact your account manager.</p> ]]></content:encoded>
            <category><![CDATA[Security Week]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[Cloudflare One]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Cloudflare Gateway]]></category>
            <guid isPermaLink="false">3AfVED6nCYyx3ay8dGAzqq</guid>
            <dc:creator>Noelle Kagan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Expanding our Microsoft collaboration: proactive and automated Zero Trust security for customers]]></title>
            <link>https://blog.cloudflare.com/expanding-our-collaboration-with-microsoft-proactive-and-automated-zero-trust-security/</link>
            <pubDate>Thu, 12 Jan 2023 14:00:00 GMT</pubDate>
            <description><![CDATA[ As CIOs navigate the complexities of stitching together multiple solutions, we are extending our collaboration with Microsoft to create one of the best Zero Trust solutions available. ]]></description>
            <content:encoded><![CDATA[ <p><i></i></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6Ru2fdT46ERm7sRSdZAsEQ/924a95d917b4b62a13a55a992bf29caf/image2-66.png" />
            
            </figure><p>As CIOs <a href="https://www.cloudflare.com/cio/">navigate the complexities</a> of stitching together multiple solutions, we are extending our partnership with Microsoft to create one of <a href="https://www.cloudflare.com/zero-trust/solutions/">the best Zero Trust solutions</a> available. Today, we are announcing four new integrations between Azure AD and Cloudflare Zero Trust that reduce risk proactively. These integrated offerings increase automation allowing security teams to focus on threats versus <a href="https://www.cloudflare.com/learning/access-management/how-to-implement-zero-trust/">implementation</a> and maintenance.</p>
    <div>
      <h3>What is Zero Trust and why is it important?</h3>
    </div>
    <p>Zero Trust is an overused term in the industry and creates a lot of confusion. So, let's break it down. Zero Trust architecture emphasizes the “never trust, always verify” approach. One way to think about it is that in the <a href="https://www.cloudflare.com/learning/access-management/what-is-the-network-perimeter/">traditional security perimeter</a> or “castle and moat” model, you have access to all the rooms inside the building (e.g., apps) simply by having access to the main door (e.g., typically a VPN).  In the <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust model</a> you would need to obtain access to each locked room (or app) individually rather than only relying on access through the main door. Some key components of the Zero Trust model are identity e.g., Azure AD (who), apps e.g., a SAP instance or a custom app on Azure (applications), policies e.g. Cloudflare Access rules (who can access what application), devices e.g. a laptop managed by Microsoft Intune (the security of the endpoint requesting the access) and other contextual signals.</p><p>Zero Trust is even more important today since companies of all sizes are faced with an accelerating digital transformation and an increasingly distributed workforce. Moving away from the castle and moat model, to the Internet becoming your corporate network, requires security checks for every user accessing every resource. As a result, all companies, especially those whose use of Microsoft’s broad cloud portfolio is increasing, are adopting a Zero Trust architecture as an essential part of their cloud journey.</p><p>Cloudflare’s Zero Trust platform provides a modern approach to authentication for internal and SaaS applications. Most companies likely have a mix of corporate applications - some that are SaaS and some that are hosted on-premise or on Azure. 
Cloudflare’s Zero Trust Network Access (ZTNA) product as part of our Zero Trust platform makes these applications feel like SaaS applications, allowing employees to access them with a simple and consistent flow. Cloudflare Access acts as a unified reverse proxy to enforce <a href="https://www.cloudflare.com/learning/access-management/what-is-access-control/">access control</a> by making sure every request is authenticated, authorized, and encrypted.</p>
    <div>
      <h3>Cloudflare Zero Trust and Microsoft Azure Active Directory</h3>
    </div>
    <p>We have thousands of customers using Azure AD and Cloudflare Access as part of their Zero Trust architecture. Our <a href="/cloudflare-partners-with-microsoft-to-protect-joint-customers-with-global-zero-trust-network/">partnership with Microsoft</a>, announced last year, strengthened security without compromising performance for our joint customers. Cloudflare’s Zero Trust platform integrates with Azure AD, providing a seamless application access experience for your organization's hybrid workforce.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2v5Iehf1svBNs9FvFTEcOG/25863db421decc020149ec9b2e87e858/1.png" />
            
            </figure><p>As a recap, the integrations we launched solved <a href="/cloudflare-partners-with-microsoft-to-protect-joint-customers-with-global-zero-trust-network/">two key problems</a>:</p><ol><li><p><i>For on-premise legacy applications</i>, Cloudflare’s participation as Azure AD <a href="https://azure.microsoft.com/en-us/services/active-directory/sso/secure-hybrid-access/#overview">secure hybrid access</a> partner enabled customers to centrally manage access to their legacy on-premise applications using SSO authentication without incremental development. Joint <a href="https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/cloudflare-azure-ad-integration">customers now easily use</a> Cloudflare Access as an additional layer of security with built-in performance in front of their legacy applications.</p></li><li><p><i>For apps that run on Microsoft Azure</i>, joint customers can integrate Azure AD <a href="https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/azuread/">with Cloudflare Zero Trust</a> and build rules based on user identity, group membership and Azure AD Conditional Access policies. Users will authenticate with their Azure AD credentials and connect to <a href="https://www.cloudflare.com/zero-trust/products/access/">Cloudflare Access</a> with just a few simple steps using Cloudflare’s app connector, <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloudflare.cloudflare_tunnel_vm?tab=Overview">Cloudflare Tunnel</a>, that can expose applications running on <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/">Azure</a>. 
See the guide to <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/">install and configure Cloudflare Tunnel</a>.</p></li></ol><p>Recognizing Cloudflare's innovative approach to Zero Trust and Security solutions, Microsoft awarded us the <a href="https://www.microsoft.com/security/blog/2022/06/06/announcing-2022-microsoft-security-excellence-awards-winners/#:~:text=Security%20Software%20Innovator">Security Software Innovator</a> award at the 2022 Microsoft Security Excellence Awards, a prestigious classification in the Microsoft partner community.</p><p><i>But we aren’t done innovating</i>. We listened to our customers’ feedback and, to address their pain points, are announcing several new integrations.</p>
    <div>
      <h3>Microsoft integrations we are announcing today</h3>
    </div>
    <p>The four new integrations we are announcing today are:</p><p><b>1. Per-application conditional access:</b> Azure AD customers <a href="https://developers.cloudflare.com/cloudflare-one/tutorials/azuread-conditional-access/">can use their existing Conditional Access policies</a> in Cloudflare Zero Trust.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3DrhzGns2IQDHUVSY105rq/c6e4b012206be1f3ecf95ecc40889980/2.png" />
            
            </figure><p>Azure AD allows administrators to create and enforce policies on both applications and users using Conditional Access. It provides a wide range of parameters that can be used to control user access to applications (e.g. user risk level, sign-in risk level, device platform, location, client apps, etc.). Cloudflare Access now supports Azure AD Conditional Access policies per application. This allows security teams to define their security conditions in Azure AD and enforce them in Cloudflare Access.</p><p>For example, customers might have tighter levels of control for an internal payroll application and hence will have specific conditional access policies on Azure AD. However, for a general info type application such as an internal wiki, customers might enforce less stringent rules in their Azure AD conditional access policies. In this case both app groups and relevant Azure AD conditional access policies can be directly plugged into Cloudflare Zero Trust seamlessly without any code changes.</p><p><b>2. <a href="https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups">SCIM</a>:</b> Autonomously synchronize Azure AD groups between Cloudflare Zero Trust and Azure AD, saving hundreds of hours in the CIO org.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1bU3bURsLCASnT6AqrV6nU/494a9809a32a4f908b13e74011f8a687/3.png" />
            
            </figure><p>Cloudflare Access policies can use Azure AD to verify a user's identity and provide information about that user (e.g. first/last name, email, group membership). These user attributes are not constant and change over time. When a user retains access to sensitive resources after they should have lost it, the consequences can be serious.</p><p>Often, when user attributes change, an administrator needs to review and update every access policy that may include the user in question. This is a tedious process with an error-prone outcome.</p><p>The SCIM (System for Cross-domain Identity Management) specification lets an identity provider push user and group changes to the services that consume them, so identities stay consistent everywhere. We are excited to announce that joint customers of Azure AD and Cloudflare Access can now enable SCIM user and group provisioning and deprovisioning. It accomplishes the following:</p><ul><li><p>The IdP policy group selectors are pre-populated with Azure AD groups and remain in sync. Any change to group membership in Azure AD is reflected in Access without any overhead for administrators.</p></li><li><p>When a user is deprovisioned in Azure AD, all of that user's access is revoked across Cloudflare Access and Gateway. The change takes effect in near real time, reducing the window of exposure.</p></li></ul><p><b>3. </b><a href="https://developers.cloudflare.com/cloudflare-one/tutorials/azuread-risky-users/"><b>Risky user isolation</b></a>: Helps joint customers add an extra layer of security by isolating high-risk users (based on Azure AD signals), such as contractors, into browser-isolated sessions via Cloudflare’s Browser Isolation (RBI) product.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6jsV2YQ0MD6yy7lLEuZJY2/d783d7c556d72a6b2fa436a3790462a1/4.png" />
            
            </figure><p>Azure AD classifies users as low, medium or high risk based on the many data points it analyzes, and a user may move between risk levels as their activity changes. A user can be deemed risky for many reasons, e.g. the nature of their employment (contractors), risky sign-in behavior, or leaked credentials. While such users are high-risk, there is a low-risk way to keep providing access to resources and apps while the user is assessed further.</p><p>We now support integrating <a href="https://developers.cloudflare.com/cloudflare-one/tutorials/azuread-risky-users/">Azure AD groups with Cloudflare Browser Isolation</a>. When Azure AD classifies a user as high-risk, the integration uses that signal to automatically isolate their traffic, so the user still reaches the resources they need, but through a secure, isolated browser. Once the user moves back from high-risk to low-risk, the isolation policy no longer applies to them.</p><p><b>4. Secure joint Government Cloud customers</b>: Helps Government Cloud customers achieve better security with centralized identity &amp; access management via Azure AD, and an additional layer of security by connecting their applications to the Cloudflare global network instead of exposing them to the whole Internet.</p><p>Via the <a href="https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/secure-hybrid-access-integrations">Secure Hybrid Access</a> (SHA) program, Government Cloud (‘GCC’) customers will soon be able to integrate Azure AD <a href="https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/azuread/">with Cloudflare Zero Trust</a> and build rules based on user identity, group membership and Azure AD Conditional Access policies. 
Users will authenticate with their Azure AD credentials and connect to Cloudflare Access in a few simple steps using <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloudflare.cloudflare_tunnel_vm?tab=Overview">Cloudflare Tunnel</a>, which can expose applications running on <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/">Microsoft Azure</a>.</p><blockquote><p><i>“Digital transformation has created a new security paradigm resulting in organizations accelerating their adoption of Zero Trust. The </i><b><i>Cloudflare Zero Trust</i></b><i> and </i><b><i>Azure Active Directory</i></b><i> joint solution has been a growth enabler for Swiss Re by easing Zero Trust deployments across our workforce allowing us to focus on our core business. Together, the joint solution enables us to go beyond SSO to empower our adaptive workforce with frictionless, secure access to applications from anywhere. The joint solution also delivers us a holistic Zero Trust solution that encompasses people, devices, and networks.”</i><b>– Botond Szakács, Director, Swiss Re</b></p></blockquote><blockquote><p><i>“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy. Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with zero trust best practices.”</i><b>– Joy Chik, President, Identity &amp; Network Access, Microsoft</b></p></blockquote>
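<p>The SCIM synchronization (integration 2) and risky-user handling (integration 3) described above, as an added example in Python. This is not Cloudflare's or Microsoft's code: it is a minimal in-memory SCIM service provider that applies PATCH operations to users and groups, and a policy evaluator that decides per request whether a user is allowed, isolated or denied. The directory contents, user and group IDs, application policy and the <code>risk</code> attribute are constructed for the example; the PATCH message shapes follow RFC 7644 and the forms Azure AD sends (capitalised op names, <code>active</code> serialised as the string <code>"False"</code>, and <code>members[value eq "&lt;id&gt;"]</code> filters for removals).</p>

```python
"""SCIM provisioning feeding an access-policy evaluator (added example).

Not Cloudflare's or Microsoft's code. It models the two effects the post
describes: group membership kept in sync by SCIM PATCH operations, and a
deprovisioned or high-risk user being denied or isolated on the next policy
evaluation. The directory, user/group IDs and application policy are
constructed; the PATCH bodies follow RFC 7644 and the shapes Azure AD sends
("Replace" active -> "False", and members[value eq "<id>"] filters).
"""
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def _as_bool(value):
    """Azure AD serialises booleans as the strings "True"/"False" in PATCH."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


class Directory:
    """In-memory SCIM service provider: /Users and /Groups resources."""

    def __init__(self):
        self.users = {}   # id -> {"userName", "active", "risk"}
        self.groups = {}  # id -> {"displayName", "members": set of user ids}

    def create_user(self, uid, user_name, risk="low"):
        self.users[uid] = {"userName": user_name, "active": True, "risk": risk}

    def create_group(self, gid, display_name):
        self.groups[gid] = {"displayName": display_name, "members": set()}

    def patch(self, resource_type, rid, body):
        """PATCH /Users/{id} or /Groups/{id} with a PatchOp message."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        for operation in body["Operations"]:
            op = operation["op"].lower()          # Azure AD capitalises op names
            path, value = operation.get("path"), operation.get("value")
            if resource_type == "Users":
                self._patch_user(rid, op, path, value)
            elif resource_type == "Groups":
                self._patch_group(rid, op, path, value)
            else:
                raise ValueError(f"unknown resource type {resource_type}")

    def _patch_user(self, uid, op, path, value):
        if op != "replace":
            raise ValueError(f"unsupported user op {op}")
        # Either {"path": "active", "value": "False"} or {"value": {"active": false}}
        attrs = {path: value} if path else dict(value)
        if "active" in attrs:
            self.users[uid]["active"] = _as_bool(attrs["active"])

    def _patch_group(self, gid, op, path, value):
        members = self.groups[gid]["members"]
        if op == "add" and path == "members":
            members.update(entry["value"] for entry in value)
        elif op == "remove" and MEMBER_FILTER.match(path or ""):
            members.discard(MEMBER_FILTER.match(path).group(1))
        elif op == "remove" and path == "members" and value:
            members.difference_update(entry["value"] for entry in value)
        else:
            raise ValueError(f"unsupported group op {op} on {path!r}")


def evaluate_access(directory, uid, app_policy):
    """Per-request decision: 'deny', 'isolate' or 'allow'.

    A deleted or deactivated user is denied whatever groups still list them;
    a high-risk user who is otherwise allowed is sent to an isolated browser.
    """
    user = directory.users.get(uid)
    if user is None or not user["active"]:
        return "deny"
    allowed = app_policy["allowed_groups"]
    if not any(uid in directory.groups[g]["members"] for g in allowed if g in directory.groups):
        return "deny"
    return "isolate" if user["risk"] == "high" else "allow"


def demo():
    """Walk through add-to-group, deprovision, remove-from-group."""
    d = Directory()
    d.create_user("u-alice", "alice@example.com")
    d.create_user("u-bob", "bob@example.com", risk="high")
    d.create_group("g-payroll", "Payroll-Admins")
    payroll = {"allowed_groups": {"g-payroll"}}
    d.patch("Groups", "g-payroll", {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": "u-alice"}, {"value": "u-bob"}]}]})
    results = [evaluate_access(d, "u-alice", payroll), evaluate_access(d, "u-bob", payroll)]
    # Deprovision alice the way Azure AD does it: Replace active -> "False".
    d.patch("Users", "u-alice", {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Replace", "path": "active", "value": "False"}]})
    results.append(evaluate_access(d, "u-alice", payroll))
    # Remove bob from the group using the filter form of Remove.
    d.patch("Groups", "g-payroll", {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Remove", "path": 'members[value eq "u-bob"]'}]})
    results.append(evaluate_access(d, "u-bob", payroll))
    return results


if __name__ == "__main__":
    print(demo())  # ['allow', 'isolate', 'deny', 'deny']
```

<p>The point of the walk-through is the ordering: the deactivation arrives as a single PATCH and the very next <code>evaluate_access</code> call denies the user even though the group still lists them, which is the "near real time" revocation the post describes. The string-valued <code>"False"</code> is deliberately handled, because treating a non-empty string as truthy would leave a deprovisioned user active.</p>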
    <div>
      <h3>Try it now</h3>
      <a href="#try-it-now">
        
      </a>
    </div>
    <p>Interested in learning more about how our Zero Trust products integrate with Azure Active Directory? Take a look at this <a href="https://assets.ctfassets.net/slt3lc6tev37/5h3XO6w3UdOxmBNZswJjDV/84aa56dd5ade5c05f01436d19f8dc4f8/Cloudflare_Microsoft_Azure_AD_Reference_Archtecture_v2__BDES-4130.pdf">extensive reference architecture</a> that can help you get started on your Zero Trust journey and then add the specific use cases above as required. Also, check out this joint <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3939569/achieving-zero-trust-application-access-with-cloudflare-and-azure-ad">webinar</a> with Microsoft that highlights our joint Zero Trust solution and how you can get started.</p>
    <div>
      <h3>What next</h3>
      <a href="#what-next">
        
      </a>
    </div>
    <p><i>We are just getting started</i>. We want to keep innovating so that the Cloudflare Zero Trust and Microsoft Security joint solution solves your problems. Please give us <a href="https://www.cloudflare.com/partners/technology-partners/microsoft/">feedback</a> on what else you would like us to build as you continue using this joint solution.</p> ]]></content:encoded>
            <category><![CDATA[CIO Week]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Partners]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">4pqoxyMztGcYC13k3EKdI3</guid>
            <dc:creator>Abhi Das</dc:creator>
            <dc:creator>Mythili Prabhu</dc:creator>
            <dc:creator>Kenny Johnson</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare integrates with Microsoft Intune to give CISOs secure control across devices, applications, and corporate networks]]></title>
            <link>https://blog.cloudflare.com/cloudflare-microsoft-intune-partner-to-give-cisos-secure-control-across-devices-applications/</link>
            <pubDate>Thu, 23 Jun 2022 13:35:10 GMT</pubDate>
            <description><![CDATA[ Cloudflare integrates with Microsoft Intune and combines the power of Cloudflare’s expansive network and Zero Trust suite with Endpoint Manager ]]></description>
            <content:encoded><![CDATA[ <p>Today, we are very excited to announce our new integration with Microsoft Endpoint Manager (Intune). This integration combines the power of Cloudflare’s expansive network and Zero Trust suite with Endpoint Manager. Via our existing Intune integration, joint customers can check whether a device management profile such as Intune is present on the device and grant access accordingly.</p><p>With this expanded integration, joint customers can identify, investigate, and remediate threats faster. The integration also pulls the latest information from the Microsoft Graph API, which provides many additional, real-time device posture assessments and enables organizations to verify a user's device posture before granting access to internal or external applications.</p><blockquote><p><i>"In today’s work-from-anywhere business culture, the risk of compromise has substantially increased as employees and their devices are continuously surrounded by a hostile threat environment outside the traditional castle-and-moat model. By expanding our integration with Cloudflare, we are making it easier for joint customers to strengthen their Zero Trust security posture across all endpoints and their entire corporate network."</i><b>– Dave Randall, Sr Program Manager, Microsoft Endpoint Manager</b></p></blockquote><p>Before we get deep into how the integration works, let’s first recap Cloudflare’s Zero Trust services.</p>
    <div>
      <h3>Cloudflare Access and Gateway</h3>
      <a href="#cloudflare-access-and-gateway">
        
      </a>
    </div>
    <p><a href="https://www.cloudflare.com/products/zero-trust/access/">Cloudflare Access</a> determines whether a user should be allowed access to an application. It uses our global network to check every request or connection for identity, device posture, location, multifactor method and many more attributes. Access also logs every request and connection, giving administrators high visibility. The upshot of all of this: it enables customers to retire their legacy VPNs.</p><p><a href="https://www.cloudflare.com/products/zero-trust/gateway/">Cloudflare Gateway</a> protects users as they connect to the rest of the Internet. Instead of backhauling traffic to a centralized location, users connect to a nearby Cloudflare data center where we apply one or more layers of security, filtering, and logging before accelerating their traffic to its final destination.</p>
    <div>
      <h3>Zero Trust integration with Microsoft Endpoint Manager</h3>
      <a href="#zero-trust-integration-with-microsoft-endpoint-manager">
        
      </a>
    </div>
    <p>Cloudflare’s customers can now build Access and Gateway policies based on whether the device is managed by Endpoint Manager (Intune) and has a <a href="https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started">compliance policy</a> defined. In conjunction with our Zero Trust client, we can use the richer telemetry that Endpoint Manager (Intune) holds about a user’s device.</p><p>Microsoft’s Graph API delivers continuous, real-time security posture assessments such as <a href="https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-compliancestate?view=graph-rest-1.0">Compliance State</a> across all endpoints in an organization regardless of location, network or user. This additional device posture data enables conditional policies based on device health and compliance checks. The policies are evaluated each time a connection request is made, so access adapts as the condition of the device changes.</p><p>With this integration, organizations can build on top of their existing Cloudflare Access and Gateway policies, requiring that a device’s ‘Compliance State’ check has passed before a user is granted access. Because these policies work across our entire <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust</a> platform, organizations can use them to build rules invoking Browser Isolation, <a href="https://developers.cloudflare.com/cloudflare-one/policies/filtering/http-policies/tenant-control/">tenant control</a>, antivirus scanning or any other part of their Cloudflare deployment.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/26Rgfz8AF2otBTft1pqEzD/f5697687185a16e3e044fc4d7ea05549/image4-23.png" />
            
            </figure>
    <div>
      <h3>How the integration works</h3>
      <a href="#how-the-integration-works">
        
      </a>
    </div>
    <p>Customers using our Zero Trust suite can add Microsoft Intune as a device posture provider in the Cloudflare Zero Trust dashboard under Settings → Devices → Device Posture Providers. The details required from the Microsoft Endpoint Manager admin center to set up the provider in the Cloudflare dashboard are the Client ID, Client Secret, and Customer ID (the Azure AD Directory/tenant ID).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6fdgVepyKoPhzB5IKWg60/e1d3d1a671f7db84e480413d20b48158/image5-12.png" />
            
            </figure><p>After creating the Microsoft Endpoint Manager Posture Provider, customers can create specific device posture checks requiring users’ devices to meet certain criteria such as device ‘Compliance State’.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2GThgDqgAaJCp7PTLTx3WA/3d6267b670e94c76354e9fe61ad439d7/image2-37.png" />
            
            </figure><p>These rules can now be used to create conditional <a href="https://developers.cloudflare.com/cloudflare-one/policies/zero-trust/">Access</a> and <a href="https://developers.cloudflare.com/cloudflare-one/policies/filtering/">Gateway</a> policies to allow or deny access to applications, networks, or sites. Administrators can choose to block or isolate users or user groups with malicious or insecure devices.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7CNQuqGd65N2buO2MSgJkW/4f1327d74bc683dac41edb53b729874e/image3-25.png" />
            
            </figure>
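<p>The posture check the screenshots above configure, as an added example in Python. This is not Cloudflare's or Microsoft's code: it evaluates records shaped like Microsoft Graph <code>managedDevice</code> objects (<code>complianceState</code>, <code>lastSyncDateTime</code>) and maps the result to an allow, block or isolate action. The device records, timestamps, the 24-hour staleness window and the rule dictionary are constructed for the example; the <code>complianceState</code> enum values (<code>unknown</code>, <code>compliant</code>, <code>noncompliant</code>, <code>conflict</code>, <code>error</code>, <code>inGracePeriod</code>, <code>configManager</code>) are Graph's.</p>

```python
"""Device posture check against Intune complianceState (added example).

Not Cloudflare's or Microsoft's code. The records below imitate the shape of
Microsoft Graph `managedDevice` objects (fields `id`, `deviceName`,
`complianceState`, `lastSyncDateTime`); the values and the policy thresholds
are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like GET /deviceManagement/managedDevices results.
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "LAPTOP-A", "complianceState": "compliant",
     "lastSyncDateTime": "2022-06-23T08:00:00Z"},
    {"id": "d2", "deviceName": "LAPTOP-B", "complianceState": "noncompliant",
     "lastSyncDateTime": "2022-06-23T07:30:00Z"},
    {"id": "d3", "deviceName": "LAPTOP-C", "complianceState": "inGracePeriod",
     "lastSyncDateTime": "2022-06-22T12:00:00Z"},
    {"id": "d4", "deviceName": "LAPTOP-D", "complianceState": "compliant",
     "lastSyncDateTime": "2022-05-01T09:00:00Z"},   # stale: last synced weeks ago
    {"id": "d5", "deviceName": "LAPTOP-E", "complianceState": "error",
     "lastSyncDateTime": "2022-06-23T08:10:00Z"},
]

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2022, 6, 23, 9, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns ISO-8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def posture_check(device, now=NOW, max_sync_age=timedelta(hours=24),
                  accept_grace_period=False):
    """Return (passed, reason) for one managedDevice record.

    Fails closed: only an explicit 'compliant' (optionally 'inGracePeriod')
    from a device that has checked in within max_sync_age passes. 'unknown',
    'error' and 'conflict' are treated as failures, not as "no information".
    """
    state = device.get("complianceState", "unknown")
    last_sync = device.get("lastSyncDateTime")
    if last_sync is None or now - parse_graph_time(last_sync) > max_sync_age:
        return False, "stale posture: device has not synced within the allowed window"
    if state == "compliant":
        return True, "compliant"
    if state == "inGracePeriod" and accept_grace_period:
        return True, "in grace period (accepted by policy)"
    return False, f"complianceState={state}"


def decide(device, rule):
    """Map a posture result to an Access/Gateway action.

    rule = {"on_fail": "block" | "isolate", plus any posture_check kwargs}
    """
    kwargs = {k: v for k, v in rule.items() if k != "on_fail"}
    passed, reason = posture_check(device, **kwargs)
    return ("allow" if passed else rule["on_fail"], reason)


def evaluate_all(devices=SAMPLE_DEVICES, rule=None):
    """Action per device id under one rule (default: block on any failure)."""
    rule = rule or {"on_fail": "block"}
    return {d["id"]: decide(d, rule)[0] for d in devices}


if __name__ == "__main__":
    for dev_id, action in evaluate_all().items():
        print(dev_id, action)
```

<p>Two choices matter in practice. A device that reports <code>compliant</code> but has not synced with Intune for weeks (<code>d4</code>) still fails, because a stale compliance state says nothing about the device today. And the isolate variant (<code>{"on_fail": "isolate", "accept_grace_period": True}</code>) is the lower-friction rule the post mentions: the user keeps working, but from an isolated browser until the device is back in compliance.</p>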
    <div>
      <h3>What comes next?</h3>
      <a href="#what-comes-next">
        
      </a>
    </div>
    <p>In the coming months, we will be further strengthening our integrations with the Microsoft Graph API by allowing customers to correlate many other fields in the <a href="https://docs.microsoft.com/en-us/graph/api/resources/intune-device-mgt-conceptual?view=graph-rest-1.0">Graph API</a> to enhance our joint customers’ security policies.</p><p>If you’re using Cloudflare Zero Trust products today and are interested in using this integration with Microsoft Intune, please visit our <a href="https://developers.cloudflare.com/cloudflare-one/identity/devices/microsoft/">documentation</a> to learn about how you can enable it. If you want to learn more or have additional questions, please fill out the <a href="https://www.cloudflare.com/partners/technology-partners/microsoft/">form</a> or get in touch with your Cloudflare CSM or AE, and we'll be happy to help you.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare One Week]]></category>
            <category><![CDATA[Partners]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">5nUqasjyedTRF4i5R5PRZS</guid>
            <dc:creator>Abhi Das</dc:creator>
            <dc:creator>Kyle Krum</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare One helps optimize user connectivity to Microsoft 365]]></title>
            <link>https://blog.cloudflare.com/cloudflare-one-helps-optimize-user-connectivity-to-microsoft-365/</link>
            <pubDate>Fri, 10 Dec 2021 13:59:17 GMT</pubDate>
            <description><![CDATA[ Cloudflare One partners with Microsoft to optimize user connectivity to Microsoft 365 ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/39WExaQOQLJYVrK0VBqMDK/496cf5d5bb22c8f97e3d17286105c2ec/image1-48.png" />
            
            </figure><p>We are excited to announce that Cloudflare has joined the Microsoft 365 Networking Partner Program (NPP). Cloudflare One, which provides an optimized path for traffic from Cloudflare customers to Microsoft 365, recently qualified for the NPP by demonstrating that on-ramps through Cloudflare’s network help optimize user connectivity to Microsoft.</p>
    <div>
      <h3>Connecting users to the Internet on a faster network</h3>
      <a href="#connecting-users-to-the-internet-on-a-faster-network">
        
      </a>
    </div>
    <p>Customers who deploy Cloudflare One give their team members access to the world’s fastest network, <a href="/benchmarking-edge-network-performance/">on average</a>, as their on-ramp to the rest of the Internet. Users connect from their devices or offices and reach Cloudflare’s network in over 250 cities around the world. Cloudflare’s network accelerates traffic to its final destination through a combination of intelligent routing and software improvements.</p><p>We’re also excited that, in many cases, the final destination that a user visits already sits on Cloudflare’s network. Cloudflare serves over 28M HTTP requests per second, on average, for the millions of customers who secure their applications on our network. When those applications do not run on our network, we can rely on our own global private backbone and our connectivity with over 10,000 networks globally to connect the user.</p><p>For Microsoft 365 traffic, we focus on breaking out traffic as locally and directly as possible to bring users to the productivity tools they need without slowing them down. Legacy security solutions can introduce additional hops or backhauling that slows down connectivity to tools like Microsoft 365. With Cloudflare One, we provide the flexibility to identify that traffic and give it the most direct path to Microsoft’s own network of service endpoints around the world.</p>
    <div>
      <h3>Securing data and users with Cloudflare Zero Trust</h3>
      <a href="#securing-data-and-users-with-cloudflare-zero-trust">
        
      </a>
    </div>
    <p>With the Microsoft 365 optimization setting enabled, trusted traffic to Microsoft uses the most direct path without additional processing. The rest of the Internet, however, should not be trusted. Cloudflare’s network also secures the connections, queries, and requests your teams make, protecting organizations from attacks and data loss. We can do that without slowing users down because we deliver that security in the data centers at our edge.</p><p>SaaS applications delivered over the Internet can turn any device with a browser into a workstation. However, that also means those same devices can connect to the rest of the Internet. Attackers try to lure users into lookalike sites to steal credentials, or they attempt to have users download malware to compromise the device. Either type of attack can put the data stored in SaaS applications at risk.</p><p>Cloudflare helps organizations stop those types of attacks through a defense-in-depth strategy. First, Cloudflare delivers a next-generation network firewall in our data centers, filtering traffic for connections to potentially dangerous destinations. Next, Cloudflare runs the world’s fastest DNS resolver and combines it with the data we see about the rest of the Internet to filter queries to phishing domains or sites that host malware.</p><p>Finally, Cloudflare’s <a href="https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/">Secure Web Gateway</a> can inspect HTTP traffic for data loss or viruses, or isolate the browser for specific sites or entire categories. While Cloudflare’s network secures users from attacks on the rest of the Internet, Cloudflare One ensures that users have a direct, unfettered connection to the Microsoft 365 tools they need.</p><p>With traffic secured, Cloudflare can also give administrators visibility into the other applications used in their organization. 
Without any additional software or features, Cloudflare uses its <a href="https://www.cloudflare.com/zero-trust/solutions/">Zero Trust security suite</a> to analyze and categorize the requests to all applications in a comprehensive Shadow IT report. Administrators can mark applications as approved, unapproved, or unknown and pending investigation. For example, administrators could mark Microsoft 365 traffic as approved, which is also the default in deployments that use the one-click enablement being released today.</p><p>In some cases, that visibility leads to surprises. Security and IT teams discover that users are doing work in SaaS platforms that have not been reviewed and approved by the organization. In those cases, teams can use Cloudflare’s Secure Web Gateway to block requests to those destinations, or only to prevent certain activities, such as file uploads to tools other than OneDrive. With Shadow IT, we can help teams that use Microsoft 365 ensure that data stays only in Microsoft 365.</p>
    <div>
      <h3>Our participation in Microsoft 365 Networking Partner Program</h3>
      <a href="#our-participation-in-microsoft-365-networking-partner-program">
        
      </a>
    </div>
    <p>Cloudflare has joined the Microsoft 365 Networking Partner Program (NPP). The program is designed to offer customers a set of partners whose deployment practices and guidance are aligned with Microsoft’s networking principles for Microsoft 365, to provide users with the best experience. Microsoft established the NPP to work with networking companies on optimal connectivity to its service. We are excited to work with a partner whose global network and security principles align with ours.</p><p>Starting today, through Cloudflare One, organizations can ensure as direct a connection as possible for Microsoft 365 traffic. Customers running our WARP client get a seamless Microsoft 365 experience while the rest of their traffic, whether to SaaS apps, on-prem apps or the open Internet, is secured by Cloudflare’s global network and security suite.</p><p>All customers need to do is enable the Microsoft 365 traffic optimization setting in their Cloudflare One dashboard. With the setting enabled, any Microsoft 365 connections that are still routed through Cloudflare Gateway are handled with the least possible additional overhead; for example, a "Do not inspect" policy is applied to them automatically.</p><p>It's very easy to enable with just a few clicks:</p><ol><li><p>Log into the <a href="https://dash.teams.cloudflare.com/">Cloudflare for Teams dashboard</a>.</p></li><li><p>Go to <b>Settings &gt; Network.</b></p></li><li><p>For <b>Exclude Office 365 traffic</b> and <b>Bypass Office 365 traffic</b>, click <b>Create entries</b>.</p></li></ol><p>The first option creates Split Tunnel exclusions in the WARP client, so Microsoft 365 destinations never enter the tunnel; the second creates the Gateway "Do not inspect" HTTP policy for Microsoft 365 traffic that does reach Cloudflare.</p>
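<p>What the one-click entries contain, as an added example in Python. This is not Cloudflare's or Microsoft's code: it reads records in the shape returned by Microsoft's Office 365 IP Address and URL web service (<code>https://endpoints.office.com/endpoints/worldwide?clientrequestid=&lt;guid&gt;</code>, whose records carry <code>serviceArea</code>, <code>urls</code>, <code>ips</code>, <code>tcpPorts</code>, <code>category</code> and <code>required</code>), keeps only the required <code>Optimize</code> records, and emits the IP networks to exclude from the tunnel and the host patterns to leave uninspected. The JSON excerpt is constructed for the example, including the <code>required: false</code> record used to show filtering; the field names are the service's.</p>

```python
"""Derive Microsoft 365 bypass entries from the endpoint list (added example).

Not Cloudflare's or Microsoft's code. ENDPOINTS_JSON is a constructed excerpt
in the shape returned by Microsoft's Office 365 IP Address and URL web service;
only the records are invented, the field names are the service's.
"""
import ipaddress
import json

ENDPOINTS_JSON = """[
 {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"],
  "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
  "tcpPorts": "80,443", "category": "Optimize", "required": true},
 {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
  "ips": ["13.107.136.0/22", "40.108.128.0/17"],
  "tcpPorts": "80,443", "category": "Optimize", "required": true},
 {"id": 46, "serviceArea": "Common", "urls": ["*.office.com", "www.microsoft365.com"],
  "tcpPorts": "80,443", "category": "Default", "required": true},
 {"id": 56, "serviceArea": "Common", "urls": ["*.office.net"],
  "tcpPorts": "443", "category": "Allow", "required": true},
 {"id": 99, "serviceArea": "Skype", "urls": ["*.optional.example"],
  "tcpPorts": "443", "category": "Optimize", "required": false}
]"""


def select_bypass_entries(endpoints_json, categories=("Optimize",)):
    """Return (ip_networks, host_patterns) to exclude from inspection.

    Only `required` records in the chosen categories are used. Microsoft's
    guidance is that Optimize endpoints bypass proxying and inspection, while
    Default traffic keeps going through the secure web gateway, so Default is
    never selected here even if asked for implicitly by a broad category list.
    """
    networks, hosts = set(), set()
    for rec in json.loads(endpoints_json):
        if not rec.get("required") or rec.get("category") not in categories:
            continue
        for cidr in rec.get("ips", []):
            networks.add(ipaddress.ip_network(cidr, strict=True))  # reject malformed prefixes
        for url in rec.get("urls", []):
            hosts.add(url.lower())
    # Drop networks already covered by a broader one in the same list.
    networks = {n for n in networks
                if not any(o != n and o.version == n.version and n.subnet_of(o) for o in networks)}
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, sorted(hosts)


def host_matches(host, patterns):
    """Does a request host match a bypass pattern? '*.x' means any subdomain of x."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]                      # "*.sharepoint.com" -> ".sharepoint.com"
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == pat:
            return True
    return False


if __name__ == "__main__":
    nets, hosts = select_bypass_entries(ENDPOINTS_JSON)
    print("split-tunnel excludes:", [str(n) for n in nets])
    print("do-not-inspect hosts:", hosts)
```

<p>The <code>required</code> and <code>category</code> filters are the part worth checking in any bypass list: every host left uninspected is a hole in the gateway, so the set should be the Optimize endpoints Microsoft requires and nothing broader. Passing <code>categories=("Optimize", "Allow")</code> widens the bypass in the way the web service's own category scheme intends, while <code>Default</code> traffic stays subject to inspection.</p>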
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4oLW9UIG39nubVxYaVmVTr/4b8c14deb429abedcff5a8af972bf412/image2-31.png" />
            
            </figure><blockquote><p><i>“We’re thrilled to welcome Cloudflare into the Networking Partner Program for Microsoft 365,” said Scott Schnoll, Senior Product Marketing Manager, Microsoft. “Cloudflare is a valued partner that is focused on helping Microsoft 365 customers implement the Microsoft 365 Network Connectivity Principles. Microsoft only recommends Networking Partner Program member solutions for connectivity to Microsoft 365.”</i></p></blockquote>
    <div>
      <h3>Conclusion</h3>
      <a href="#conclusion">
        
      </a>
    </div>
    <p>Your organization can start deploying Cloudflare One today alongside your existing Microsoft 365 usage. We’re excited to work with Microsoft to give your team members fast, reliable, and secure connectivity to the tools they need to do their jobs.</p> ]]></content:encoded>
            <category><![CDATA[CIO Week]]></category>
            <category><![CDATA[Cloudflare One]]></category>
            <category><![CDATA[Speed & Reliability]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">622yC8oPKvVFM7NHcToB0t</guid>
            <dc:creator>Kyle Krum</dc:creator>
            <dc:creator>Abhi Das</dc:creator>
        </item>
        <item>
            <title><![CDATA[Enable secure access to applications with Cloudflare WAF and Azure Active Directory]]></title>
            <link>https://blog.cloudflare.com/cloudflare-waf-integration-azure-active-directory/</link>
            <pubDate>Tue, 15 Jun 2021 14:42:13 GMT</pubDate>
            <description><![CDATA[ Cloudflare and Microsoft Azure Active Directory have partnered to provide an integration specifically for web applications using Azure Active Directory B2C ]]></description>
            <content:encoded><![CDATA[ <p>Cloudflare and Microsoft Azure Active Directory have partnered to provide an integration specifically for web applications using Azure Active Directory B2C. From today, customers using both services can follow the simple <a href="https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-cloudflare">integration steps</a> to protect B2C applications with Cloudflare’s Web Application Firewall (WAF) on any custom domain. Microsoft has <a href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-identity-partnerships-and-integrations-to-accelerate-your/ba-p/1751674">detailed this integration</a> as well.</p>
    <div>
      <h3>Cloudflare Web Application Firewall</h3>
      <a href="#cloudflare-web-application-firewall">
        
      </a>
    </div>
    <p>The Web Application Firewall (WAF) is a core component of the Cloudflare platform and is designed to keep any web application safe. It blocks more than 70 billion cyber threats per day. That is 810,000 threats blocked every second.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7Gksg1NDcwTHpbs0j9cmRt/b2d3ee5235f60b4b9fd69ff34055cccf/image3-7.png" />
            
            </figure><p>The WAF is available through an intuitive dashboard or a Terraform integration, and it enables users to build powerful rules. Every request to the WAF is inspected against the rule engine and the threat intelligence built from protecting approximately 25 million internet properties. Suspicious requests can be blocked, challenged or logged as per the needs of the user, while legitimate requests are routed to the destination regardless of where the application lives (i.e., on-premise or in the cloud). Analytics and Cloudflare Logs enable users to view actionable metrics.</p><p>The Cloudflare WAF is an intelligent, integrated, and scalable solution to protect business-critical web applications from malicious attacks, with no changes to customers' existing infrastructure.</p>
    <div>
      <h3>Azure AD B2C</h3>
      <a href="#azure-ad-b2c">
        
      </a>
    </div>
    <p><a href="https://azure.microsoft.com/en-us/services/active-directory/external-identities/b2c/#overview">Azure AD B2C</a> is a customer identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using iOS, Android, .NET, single-page (SPA), and other applications and web experiences. It uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML. You can customize the entire user experience with your brand so that it blends seamlessly with your web and mobile applications. It integrates with most modern applications and commercial off-the-shelf software, providing business-to-customer identity as a service. Customers of businesses of all sizes use their preferred social, enterprise, or local account identities to get single sign-on access to their applications and APIs. It takes care of the scaling and safety of the authentication platform, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks.</p>
    <div>
      <h3>Integrated solution</h3>
      <a href="#integrated-solution">
        
      </a>
    </div>
    <p>When setting up Azure AD B2C, many customers prefer to customize their authentication endpoint by hosting the solution under their own domain — for example, under store.example.com — rather than using a Microsoft owned domain. With the new partnership and integration, customers can now place the custom domain behind Cloudflare’s Web Application Firewall while also using Azure AD B2C, further protecting the identity service from sophisticated attacks.</p><p>This defense-in-depth approach allows customers to leverage both Cloudflare WAF capabilities along with Azure AD B2C native <a href="https://docs.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-identity-protection-overview">Identity Protection</a> features to defend against cyberattacks.</p><p>Instructions on <a href="https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-cloudflare">how to set up the integration</a> are provided on the Azure website and all it requires is a Cloudflare account.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5ye0De8hHlzF4aBnpleyzv/0cefddbce706025437b48c1d72e3dc9f/image2-10.png" />
            
            </figure>
    <div>
      <h3>Customer benefit</h3>
      <a href="#customer-benefit">
        
      </a>
    </div>
    <p>Azure customers need support for a strong set of security and performance tools once they implement Azure AD B2C in their environment. Integrating Cloudflare Web Application Firewall with Azure AD B2C can provide customers the ability to write custom security rules (including rate limiting rules), DDoS mitigation, and deploy advanced bot management features. The <a href="https://www.cloudflare.com/waf/">Cloudflare WAF</a> works by proxying and inspecting traffic towards your application and analyzing the payloads to ensure only non-malicious content reaches your origin servers. By incorporating the <a href="https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-cloudflare">Cloudflare integration</a> into Azure AD B2C, customers can ensure that their application is protected against sophisticated attack vectors including zero-day vulnerabilities, malicious automated botnets, and other generic attacks such as those listed in the <a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a>.</p>
    <div>
      <h3>Conclusion</h3>
      <a href="#conclusion">
        
      </a>
    </div>
    <p>This integration is a great match for any B2C business looking to let its customers authenticate in the easiest and most secure way possible.</p><p>Please give it a try and let us know how we can improve it. Reach out to us about other use cases for your applications on Azure. Register <a href="https://docs.google.com/forms/d/e/1FAIpQLSeb9sQstpCOxanEc1lceFWjKa5cblR4JR5H1AN2HKYF96Zfpw/viewform">here</a> to express your interest, give feedback on the Azure integration, or hear about upcoming webinars on this topic.</p> ]]></content:encoded>
            <category><![CDATA[Partners]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[WAF]]></category>
            <guid isPermaLink="false">5yYXSEicnIzAtpCECH577b</guid>
            <dc:creator>Abhi Das</dc:creator>
            <dc:creator>Michael Tremante</dc:creator>
        </item>
        <item>
            <title><![CDATA[Phishpoint back in full swing: an infamous Microsoft SharePoint spoof resumes with new tactics]]></title>
            <link>https://blog.cloudflare.com/microsoft-sharepoint-covid19-phishing/</link>
            <pubDate>Fri, 11 Dec 2020 12:03:00 GMT</pubDate>
            <description><![CDATA[ Our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging new COVID-19 restrictions to steal victims’ login information. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in December 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>In August, Area 1 Security researchers identified a Microsoft SharePoint phishing campaign that abused cloud computing services, such as Azure Web Sites, Google Storage, and Amazon Web Services, to host credential harvesters. <b>Most recently, our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging</b> <a href="https://www.nytimes.com/live/2020/11/27/world/covid-19-coronavirus"><b>new COVID-19 restrictions</b></a> <b>to steal victims’ login information.</b></p><p>While this new COVID-19 phishing campaign is incredibly widespread, Area 1 Security noted that a majority of the targets included upper-level management and executives. The attacker may be focusing the bulk of the attacks on these individuals in order to have a better chance of gaining access to sensitive information and potentially infiltrating the target network.</p>
    <div>
      <h3>Just Another Work Email?</h3>
      <a href="#just-another-work-email">
        
      </a>
    </div>
    <p>This new campaign deviates from the previous “Summer Bonus” Microsoft Office 365 phishing campaign by attempting to trick targets into thinking they missed an important update to COVID-19 procedures. As seen in Figure 1, the attacker states that a purported SharePoint-hosted document was sent a week prior, creating a sense of urgency in order to lure targets into clicking on the provided link.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/10ew2nlngWsc3BH6Gt1PED/1e1c5e0e13f2f7f88e12c53bec1cadd2/image3-2.png" />
            
            </figure><p>Figure 1. SharePoint Phishing Email</p><p>The new COVID-19 campaign shares many hallmarks with the previous bonus-themed phish, such as tailoring each message to include the target’s email and company name throughout the body of the message and in the spoofed sender address. This time around, however, the attacker improved the formatting to appear more convincing.</p><p>As with the previous PhishPoint campaign, the attacker continues to send the phishing messages from Virtual Private Servers (VPS). Area 1 Security researchers identified roughly 100 unique sender addresses associated with this “COVID Requirements” campaign. The attacker used three main VPS services: CrownCloud, HostWinds, and MGNHost.</p><p>The versatility of a VPS helps the attacker obscure their identity and also makes it easy to pivot to new infrastructure as soon as a phishing domain or IP address is identified as malicious.</p><p>To a lesser extent, the attackers also sent the phishing messages through a leading transactional and marketing email provider, SendGrid. This company is known for its presence, experience, and expertise in email delivery. As a result, SendGrid’s sending domains are commonly allowlisted. For this reason, threat actors will often launch their phishing campaigns by abusing reputable providers like this.</p><p>Not only that, but a message sent through SendGrid will easily pass email authentication. SPF, DKIM, and DMARC only establish that a message was sent by infrastructure authorized for the domain in its headers; they say nothing about whether that domain is the one the recipient thinks they are dealing with, so mail from an attacker-controlled domain relayed by a reputable provider authenticates cleanly. This demonstrates just how <a href="https://www.area1security.com/resources/data-sheet-why-dmarc-spf-dkim-limited-against-phishing/">DMARC fails at stopping phishing attacks</a> on its own.</p><p>The use of SendGrid is also a clever way to circumvent Secure Email Gateways (SEGs). SEGs that depend predominantly on email authentication and sender reputation (SPF, DKIM, DMARC) will miss these types of phishing attacks entirely.</p>
    <div>
      <h3>Analysis of Spoofed Microsoft Login Page</h3>
      <a href="#analysis-of-spoofed-microsoft-login-page">
        
      </a>
    </div>
    <p>Disguised as a simple “Open” button, the link in the message body leads to a spoofed Microsoft login page hosted on various cloud computing platforms, including Amazon Web Services S3, Google App Engine (appspot.com), and Firebase Hosting (web.app). These top-tier, widely used cloud services give attackers the perfect platform for hosting their malicious content while flying under the radar of legacy email security solutions, which treat the parent domains as reputable.</p><p>An example link, hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#redacted@redacted.com, shown in the address bar in Figure 2, further demonstrates the targeted nature of the attacks. The redacted portion after the “#” is the target’s company email address, carried in the URL fragment; the browser never sends the fragment to the server, so the hosting platform sees only a generic request for the landing page. To add legitimacy, this spoofed site is nearly identical to the real Microsoft login page. The only discernible difference is the inclusion of the word “Outlook.”</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2UkOsrJOZ4IcqPO6dTjodI/30aad0c95ad609443b21b3ab1b499a7e/image1-3.png" />
            
            </figure><p>Figure 2. Spoofed Microsoft Login Portal</p><p>Figure 3 shows a portion of the source code of the spoofed login page. This section of code consists of JavaScript that attempts to mimic the functionality of the legitimate Microsoft login page.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6WujgZRceknQImQfcIflzs/f6c566112c2dd009d21a214167595a5b/image2-2.png" />
            
            </figure><p>Figure 3. JavaScript of Spoofed Login Page</p><p>The code calls a custom function responsible for extracting the victim’s email from the URL and prepopulating it in the account username field. In this function the actor left a portion of commented code (presumably used by the developer of the code for testing purposes) as highlighted in Figure 4.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1bQlfWsHPafn9QTDswuYbv/016fc321f76f4a6f78d0c62623937d1c/image6-2.png" />
            
            </figure><p>Figure 4. Custom Function Containing Commented Code</p><p>The commented code specifies a link that contains the string “office1withemail” in the URL path. Pivoting on this code, Area 1 Security researchers identified a massive number of phishing attacks, dating back to at least April 2019. These attacks leveraged a large variety of phishing themes, used numerous cloud hosting and VPS providers to send the messages, and targeted a slew of industry verticals.</p><p>It's possible these attacks are the work of a single group. However, given the nature and pervasiveness of the activity - and the fact that all of the attacks used JavaScript that contained the same commented code - a phishing kit may be at play.</p><p>If the target enters their password, it is posted to a website hosted on Microsoft Azure Web Sites, for example hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php, as revealed in Figure 5.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/ZnDKBssQT8MxCzPBie6nL/4a070855d6c2b86a8ffa67a0ff99dc39/image5-3.png" />
            
            </figure><p>Figure 5. HTTP Post of Victim Credentials</p><p>After the credentials are entered, the .ldsddddd function above displays a spinning circle next to the “Sign In” button, making it appear as if the credentials are being validated. After several seconds have passed, the error message shown in Figure 6 is displayed.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/263zPzyWhhvnNrPQvy9GQI/d51ef834c60d20d35ce80b4d6229012a/image4-3.png" />
            
            </figure><p>Figure 6. Error Message Displayed After Credentials Are Entered</p><p>No matter what value is entered, the victim is led to believe they provided an incorrect password. To reduce suspicion, if the victim clicks on the “Forgot my password” link, the browser redirects to the real Microsoft password reset page.</p><p>This pervasive “COVID Restrictions” campaign is an ongoing threat to many individuals and businesses alike. The use of VPS and leading email service providers, as well as the abuse of multiple cloud services throughout several stages of the attack, make it a particularly difficult campaign to detect.</p><p>To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this. In fact, Microsoft’s native Office 365 email security failed to stop this phishing attack despite these red flags.</p><p>Fortunately, Area 1 Security detected this stealthy campaign and stopped these phish from reaching our customers’ inboxes.</p><p>Area 1 Security’s advanced machine learning and artificial intelligence technology allows our algorithms to uncover, in real time, the new tactics malicious actors use to bypass legacy vendors and cloud email providers, rather than waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction, in that the user is never exposed to the attack.</p>
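<p>The URL conventions described above (a generic landing page on a shared cloud host, the target’s address smuggled in after “#” or in a query parameter, and a handler.php endpoint on Azure Web Sites) are regular enough to check for automatically. The following Python script is an added example written for this edit, not Area 1 Security’s code; the domains, paths, and email addresses in its sample inputs are constructed in the same shape as the indicators below and are not observed indicators, and the brand-word list is a heuristic of the example’s own rather than anything the kit is known to use.</p>

```python
# Added example (not Area 1 Security's code): flag URLs shaped like the PhishPoint
# credential harvesters described above. All sample URLs are constructed stand-ins.
import re
from urllib.parse import parse_qs, urlparse

# Shared cloud hosts the campaign used for landing pages and credential handlers.
ABUSED_CLOUD_HOSTS = (
    "appspot.com",
    "azurewebsites.net",
    "amazonaws.com",
    "storage.cloud.google.com",
    "web.app",
)
# Heuristic: brand words the kit put in hostnames to look like a Microsoft sign-in page.
BRAND_LURE_WORDS = ("off365", "o365", "outlook", "tlook", "sharepoint", "sharedpoint", "owa", "signin")
# The kit passes the victim as "#user@domain", "#@domain", "?eid=@domain" or "?e=@domain".
VICTIM_ID_RE = re.compile(r"^@?[\w.+-]*@[\w-]+(?:\.[\w-]+)+$")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def on_abused_cloud(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ABUSED_CLOUD_HOSTS)


def victim_identifier(url: str):
    """Return the email or '@domain' embedded in the fragment or query, or None.
    The fragment is never sent to the server, which is why the kit reads it in JavaScript."""
    parsed = urlparse(url)
    candidates = [parsed.fragment]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    for value in candidates:
        if value and VICTIM_ID_RE.match(value):
            return value
    return None


def classify(raw_url: str) -> list:
    """Reasons a URL matches the PhishPoint pattern; an empty list means no match."""
    url = refang(raw_url)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if on_abused_cloud(host):
        if victim_identifier(url):
            reasons.append("victim-id-in-url")
        if any(word in host for word in BRAND_LURE_WORDS):
            reasons.append("brand-lure-hostname")
        if host.endswith("azurewebsites.net") and parsed.path.endswith("handler.php"):
            reasons.append("azure-handler-php")
    return reasons


# Constructed sample links in the shape of the campaign's indicators (not real indicators).
SAMPLE_LINKS = [
    "hxxps://example-kit[.]df[.]r[.]appspot[.]com/#victim@contoso.example",
    "hxxps://kit-example[.]azurewebsites[.]net/handler[.]php",
    "hxxps://docs-bucket-example[.]s3[.]us-east-2[.]amazonaws[.]com/index[.]html?eid=@contoso.example",
    "hxxps://tlook-off365-signin-example[.]web[.]app/#@contoso.example",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000#state",
    "https://storage.cloud.google.com/my-project-example/report.pdf#page=2",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link) or ['clean']}  {link}")
```

<p>The victim identifier and brand words are only checked for hosts under the abused cloud services, so the legitimate Microsoft and Google Cloud Storage URLs in the sample stay clean. A harvester on an attacker-registered domain, like the d-nb[.]xyz entry in the indicators, needs a different signal (domain age, reputation) and is deliberately out of scope here.</p>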
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p><b>Malicious Links:</b></p><p>hxxps://pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net/handler[.]php</p><p>hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php</p><p>hxxps://03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://tlook-off365-signin[.]web[.]app/#@&lt;targeted_company_domain&gt;</p><p>hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#@&lt;targeted_company_domain&gt;</p><p>hxxps://y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com/index[.]html?eid=@&lt;targeted_company_domain&gt;</p><p>hxxp://d-nb[.]xyz/?e=@&lt;targeted_company_domain&gt;</p><p><b>Malicious 
Sites:</b></p><p>pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net</p><p>fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net</p><p>03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com</p><p>owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com</p><p>y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com</p><p>s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn</p><p>storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com</p><p>x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com</p><p>tlook-off365-signin[.]web[.]app</p><p>d-nb[.]xyz</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">4oP7jGahPui7xQ0ZuxOSCG</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Phishing campaign threatens job security, drops Bazar and Buer Malware]]></title>
            <link>https://blog.cloudflare.com/trickbot-spear-phishing-drops-malware/</link>
            <pubDate>Mon, 09 Nov 2020 15:09:00 GMT</pubDate>
            <description><![CDATA[ A phishing campaign is threatening targets with false claims of employment termination. The goal of the attacker is to intimidate employees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of Trickbot. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in November 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>“You’re fired……NOT!” An ongoing and rapidly evolving spear phishing campaign, hitting companies across industry verticals, is threatening targets with false claims of employment termination due to economic impacts from the global pandemic, among numerous other coercive tactics. The goal of the attacker is to intimidate employees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of Trickbot.</p><p>Researchers at Zscaler ThreatLabZ noted this is the first time they have seen the two malware strains together. Additionally, they have associated this attack with the Trickbot gang, known to use a combination of different malware groups and bots to conduct attacks.</p><p>While Trickbot started out as a banking trojan, known for hijacking victims’ browser sessions once logged into their banking website, it has since been repeatedly repurposed for other objectives, including the ability to spread ransomware. This particularly maniacal and disruptive aspect of Trickbot functionality makes it a top contender for possible threats to the upcoming 2020 presidential election.</p><p>With ransomware as an option, Trickbot poses a significant threat to U.S. election infrastructure. The malware’s operators have the ability to compromise a massive number of voting machines during critical times in vote counting, undermining trust in the result. That, or they may even be able to disrupt the voting process altogether by affecting entire voting locations, preventing large portions of the voter population from casting their ballots.</p><p>This could explain the recent wave of Trickbot takedown efforts. 
A report from <a href="https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/">KrebsonSecurity</a> provided details of an operation that likely began on September 22nd and is conjectured to be a government counterstrike against the actors behind Trickbot. This activity, first identified by <a href="https://public.intel471.com/blog/trickbot-disruption-microsoft-short-term-impact/">Intel471</a> and possibly <a href="https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html">conducted by the U.S. Cyber Command</a>, attempted to disrupt Trickbot infrastructure by forcing the botnet’s controllers to issue bogus configurations.</p><p>These configurations swapped real controller IP addresses for the localhost address (127.0.0.1), preventing bots from calling home to receive commands. Not long after the phony configurations were sent, all known controllers appeared to have stopped properly responding to bot requests, suggesting the overall activity was a concerted, intentional effort to disrupt this pervasive botnet’s operations.</p><p>Another attempt was made on October 1st, presumably by U.S. Cyber Command, that similarly altered the controller IP addresses needed to receive commands. Compounding the effects of this effort, <a href="https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/">Microsoft</a> also attempted disruptions of Trickbot infrastructure by obtaining a court order to disable the botnet’s IP addresses, among other actions. 
Most recently, <a href="https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/">Microsoft issued an update</a> that they successfully took down 62 of the 69 Trickbot servers around the world, with the remaining ones being unorthodox IoT devices.</p><p>However, these attempts reportedly would only have a short-term effect on Trickbot controllers, since its operators use decentralized infrastructure that communicates over Tor, with blockchain-based EmerDNS as a fallback that is resistant to takedowns. Additionally, <a href="https://arstechnica.com/information-technology/2020/10/trickbot-the-for-hire-botnet-microsoft-attacked-is-scrambling-to-stay-alive/">Ars Technica</a> reports that Trickbot controllers are beginning to host their malware on other e-criminals’ servers.</p><p>Unsurprisingly, not long after the various Trickbot takedown operations occurred, Area 1 Security identified a prolific phishing campaign intended to spread Bazar and Buer payloads via Trickbot. Worse yet, this newer stealthy malware in the Trickbot gang’s arsenal can be used to deploy additional malware, including ransomware.</p><p>Area 1 Security researchers found evidence that the Bazar loader dropped in this campaign will not continue with the infection if the victim’s device locale is set to Russian, a common tactic seen with Trickbot. In fact, <a href="https://statescoop.com/recent-ransomware-surge-russian-criminal-group/">security researchers</a> believe Trickbot is the handiwork of cybercriminals operating out of Russia. Since at least 2019, this group has been responsible for a surge in ransomware attacks targeting school systems, local governments, and even law enforcement agencies in the United States.</p><p>While these e-criminal groups have always been operating at some level in recent years, their activity has surged in the lead-up to the 2020 Presidential election. This suggests that entities involved in the U.S. 
election are prime targets for foreign adversaries, both nation-state and cybercriminal groups alike.</p><p>Lining up with the <a href="https://www.dni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security">recent FBI/DNI press conference</a>, Russian and Iranian state-sponsored groups are confirmed to have exfiltrated voter registration information. Additionally, these nations are behind separate email spoofing campaigns designed to undermine faith in the U.S. election.</p><p>At the moment, it is unclear if the phishing campaign that Area 1 Security identified is being carried out by any of these groups or if it is purposefully targeting election administrators. Regardless, state and local election administrators should be extra vigilant as they tend to be highly vulnerable to phishing attacks, as highlighted in a recent Area 1 Security phishing report.</p>
    <div>
      <h3>Threatening Lures</h3>
      <a href="#threatening-lures">
        
      </a>
    </div>
    <p>This campaign employs a number of lures that threaten job security in order to intimidate targets into clicking on the provided URL. The phishing messages are very simple in their demand and appear to originate from persons of authority within the targeted company, as seen in Figure 1.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5CMJ7FcljJp8tMOV9OoRlQ/0ee883a63fe732711303f2f7b0c87e24/image4-4.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/20Y9cp7fAEER9DH26On25L/11add664ba4aabd7cf2c78bb20158d74/image3-3.png" />
            
            </figure><p>Figure 1. Phishing Messages That Threaten Job Security</p><p>The messages identified in this campaign are based on eliciting fear from the target audience, focusing on either employment termination or customer complaints. The current work-from-home operating model, and the resultant decrease in face-to-face contact, gives attackers the advantage by making email delivery of these types of “employment notifications” all the more believable.</p><p>Targets of this campaign could potentially believe that the post COVID shake up in their organizations is the reason they’re being let go. With many businesses closing down unusable office space, combined with an economic recession, there is enough plausibility for this wide-ranging attack to fool employees into believing that their position may be part of the now all-too-common budget cuts.</p><p>It's possible this Bazar and Buer campaign is part of the Trickbot operations that Microsoft and other partners are trying to defeat. If so, the activity Area 1 Security observed only further proves just how difficult it can be to counteract these complex operations. A litany of unique and ever-changing email accounts and IP addresses are at the threat actor's disposal. Despite the previously mentioned efforts to neutralize Trickbot controllers, the infrastructure used to support this particular campaign (if associated in any way) was hardly affected, where the attacker seems to have promptly resumed operations.</p><p>While disruption operations may have worked a decade ago, the Trickbot gang and other groups that rely on their Malware-as-a-Service (MaaS) offering are equipped with the necessary skills to continue their attacks without a hitch. Current botnets have all the professionalism of any IT company. 
They’re able to manage disruptions and bring back services with continuity planning, backups, automated deployment, and a dedicated workforce.</p><p>The campaign noted above centered on termination-related documents available at a provided URL. When clicked, the link directs the victim’s browser to either Google Docs or Constant Contact. By not attaching the malware as a file to the email, the attacker is able to bypass file scanning detections. Moreover, the use of common cloud-based hosting services allows the attacker to circumvent reputation-based URL scanning, and makes it easy to create new malicious links in the event that their URLs are identified as phishing pages.</p><p>The Google Docs or Constant Contact link in the email leads to a decoy preview page, as shown in Figure 2, that prompts the victim to open a list of terminated employees. The decoy also cleverly displays the often seen “If download does not start, click here”. That link, not the document itself, points to where the malware is actually hosted.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5wGzX804bISdYS6D1u6Eg2/9b56a4350a1b00c942fdb3cea3769d6d/image6-3.png" />
            
            </figure><p>Figure 2. Google Doc Decoy Preview Page with Redirect Link</p>
    <div>
      <h3>Analysis of Malware</h3>
      <a href="#analysis-of-malware">
        
      </a>
    </div>
    <p>As seen in the figure below, after clicking on the link found in the online document, the victim is presented with a dialog box to run the file. The file is actually a malicious 64-bit Windows executable (PE32+ format), so it runs on any 64-bit Windows system, which covers the vast majority of corporate endpoints.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3RFY4kQBjiUGuDZfNoSiUZ/1b3d226538bc3f15018e9c0e21ba5e40/image2-5.png" />
            
            </figure><p>Figure 3. Gaining Run Permission</p><p>After clicking “Run”, a series of events will take place on the victim’s device that will ultimately lead to installation of the Bazar backdoor or Buer loader.</p><p>First, the PE32+ executable noted above will decrypt the payload using an RC4 cipher, a portion of which is provided in Figure 4 below. The payload happens to be none other than Trickbot, and a different RC4 key is used for each iteration of the malware.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2alOc5N1phJIaAhAZyhgx1/5acc7a4354d11e6099fd1c9dc1d02d6d/image1-4.png" />
            
            </figure><p>Figure 4. RC4 decryption of Trickbot Payload</p><p>As detailed in Figure 5, Area 1 Security researchers identified the string “dave” at the end of the Trickbot payload in memory, which is consistent with <a href="https://www.netscout.com/blog/asert/emotet-whats-changed">prior reporting</a> on techniques employed by Emotet and Trickbot malware developers. This string reveals the attacker’s use of a custom packer to compress and encrypt the file, making it difficult for malware analysts to reverse engineer the payload.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2A938DBBelje7SlUcqqVEU/658ba32f68291248ee6542ede4a08ce9/image7-1.png" />
            
            </figure><p>Figure 5. “Dave” signature</p><p>Despite this anti-reversing technique, Area 1 Security discovered that the Trickbot payload attempts to further infect the victim device by decrypting and running the BazarLoader. Loaders are an essential component that allows attackers to gain a foothold in a network and enables subsequent, more persistent infection via their command and control servers. This tactic opts for stealth by initially loading as little functionality as necessary.</p><p>In this case, the BazarLoader in turn attempts to download the Bazar backdoor via a <a href="https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-using-blockchain-dns-from-the-market-to-the-bazar/">blockchain DNS lookup</a>. This is a great tactic for attackers because it bypasses the conventional DNS hierarchy: there is no registrar or registry from which the name can be seized. Like Bitcoin, top-level domains (TLDs) such as .bit, .bazar, and .coin are not controlled by a single authority; their records live on a peer-to-peer blockchain. This offers users the ability to bypass censorship and other government restrictions, but it also provides attackers with a platform for illicit activity that is resistant to takedown and sinkholing.</p><p>As shown in Figure 6, to download the backdoor, the loader loops through eight unique IP addresses (queried directly over port 53 as EmerDNS resolvers, as listed in the indicators below) and five domains under the EmerDNS .bazar TLD.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/25QFjFOnAYTbUDnSzoXCLX/4a021c5317668f3e84d3998b3f37addc/image5-4.png" />
            
            </figure><p>Figure 6. Outbound Connections to Download the Bazar Backdoor</p><p>The second-level domains consist of 12 alphabetical characters generated using a specific <a href="https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/">domain generation algorithm</a>. The malware runs through the list of generated .bazar domains to find one that is still actively hosting the backdoor.</p><p>Once the backdoor is downloaded and successfully run, the attacker can carry out any number of devious acts, including remotely executing commands, exfiltrating sensitive data, and deploying other payloads. These additional payloads range from post-exploitation frameworks like Cobalt Strike to ransomware like Ryuk.</p><p>In fact, Trickbot is known to deliver Ryuk ransomware to devices via BazarLoader. In <a href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/">one instance</a>, after the initial Bazar infection, attackers exploited a recently disclosed vulnerability to escalate privileges and deploy ransomware domain-wide just 5 hours after sending their phishing message. This is unfortunately just one of many possible outcomes of a successful infection via the phishing campaign Area 1 Security has observed.</p>
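<p>The two unpacking details above, a per-sample RC4 key and the “dave” trailer on the decrypted image, are exactly what an analyst needs to script a first-pass unpacker. The following Python is an added example written for this edit, not Area 1 Security’s tooling and not code recovered from the sample: it carries RC4 through key scheduling and keystream generation, then tries candidate keys until one yields a PE image that ends with the trailer. The payload bytes and keys are constructed stand-ins, and the assumption that the trailer sits at the very end of the decrypted buffer is the example’s own.</p>

```python
# Added example (not Area 1 Security's tooling): RC4 unpacking triage for a dropper
# that, as described above, decrypts its payload with a per-sample RC4 key.
# The payload and keys below are constructed stand-ins, not samples from the campaign.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed with input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Trailer the article reports at the end of the unpacked Trickbot payload in memory.
PACKER_TRAILER = b"dave"


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_keys(ciphertext: bytes, candidate_keys):
    """Decrypt with each candidate key; return (key, plaintext) for the first result
    that is a PE image carrying the packer trailer, else (None, None).
    Assumption for this example: the decrypted image ends with the trailer."""
    for key in candidate_keys:
        plain = rc4(key, ciphertext)
        if looks_like_pe(plain) and plain.endswith(PACKER_TRAILER):
            return key, plain
    return None, None


def build_sample_payload() -> bytes:
    """Constructed stand-in for an unpacked payload: minimal MZ/PE stub plus trailer."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> 0x40
    body = b"PE\x00\x00" + b"\x00" * 20 + b"constructed sample body"
    return bytes(header) + body + PACKER_TRAILER


if __name__ == "__main__":
    payload = build_sample_payload()
    blob = rc4(b"sample-key-1", payload)   # stands in for the blob carved from the dropper
    key, plain = try_keys(blob, [b"wrong-key", b"sample-key-1"])
    print("recovered key:", key, "| PE:", looks_like_pe(plain), "| trailer:", plain[-4:])
```

<p>In practice the candidate keys come from strings or a configuration blob carved out of the dropper. The PE check matters because RC4 produces plausible-looking output for any key; without a structural test on the result, a wrong key would be accepted silently.</p>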
    <div>
      <h3>Recommendations</h3>
      <a href="#recommendations">
        
      </a>
    </div>
    <p>By leveraging a number of stealthy techniques, the threat actors behind this campaign have been able to easily evade legacy vendors and cloud email providers. Linking to legitimate, cloud-based sites within the phishing messages, combined with the use of takedown- and sinkhole-resistant EmerDNS TLDs, makes this a particularly difficult campaign to detect.</p><p>Area 1 Security’s advanced machine learning and artificial intelligence technology allows our algorithms to uncover the clever tactics seen in this campaign, enabling us to block the messages in real time rather than waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This means malware like Trickbot, the Bazar backdoor, and follow-on infection with ransomware never have the opportunity to make their way onto our customers’ devices. Our solution has many advantages over post-delivery retraction, in that the user is never exposed to the attack.</p>
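<p>Because EmerDNS names cannot be taken down, the practical control is on the wire: a host that sends DNS to an address outside the sanctioned resolvers, or asks for a .bazar name at all, is already telling you something. The following Python is an added example written for this edit, not Area 1 Security’s detection logic. It parses a constructed DNS log format, flags blockchain TLDs, twelve-letter second-level labels like those in the indicators below, and queries sent to unsanctioned resolvers, and then reports hosts that are cycling through several generated names the way the loader does in Figure 6. The log format, the resolver list, and the 203.0.113.x addresses are constructed for the example; the .bazar names are the ones listed in the indicators.</p>

```python
# Added example (not Area 1 Security's tooling): flag BazarLoader-style DNS activity
# of the kind shown in Figure 6 and in the indicators. Log format, resolver list and
# the 203.0.113.x addresses are constructed; the .bazar names come from the indicators.
import re
from collections import defaultdict

# TLDs resolved through EmerDNS or Namecoin rather than the ICANN root.
BLOCKCHAIN_TLDS = {"bazar", "bit", "coin", "emc", "lib"}
# Resolvers this (constructed) network allows; DNS sent anywhere else is suspect.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Second-level labels of the backdoor domains above: 12 lowercase letters.
DGA_LABEL_RE = re.compile(r"^[a-z]{12}$")

# Constructed log line shape: "<ts> <src> -> <dst>:<port> <proto> q=<qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>udp|tcp) q=(?P<qname>\S+)$"
)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(rec: dict) -> list:
    """Reasons a single DNS record is suspicious; an empty list means nothing seen."""
    if rec["dport"] != "53":
        return []
    labels = rec["qname"].lower().rstrip(".").split(".")
    reasons = []
    if labels[-1] in BLOCKCHAIN_TLDS:
        reasons.append("blockchain-tld")
        if len(labels) == 2 and DGA_LABEL_RE.match(labels[0]):
            reasons.append("dga-like-label")
    if rec["dst"] not in SANCTIONED_RESOLVERS:
        reasons.append("unsanctioned-resolver")
    return reasons


def scan(lines) -> list:
    """Return (src, qname, dst, reasons) for every flagged line, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            hits.append((rec["src"], rec["qname"], rec["dst"], reasons))
    return hits


def hosts_cycling_dga(hits, threshold: int = 2) -> list:
    """Sources that queried at least `threshold` distinct DGA-like blockchain names:
    the looping behaviour the loader shows while hunting for a live backdoor host."""
    seen = defaultdict(set)
    for src, qname, _dst, reasons in hits:
        if "dga-like-label" in reasons:
            seen[src].add(qname)
    return sorted(src for src, names in seen.items() if len(names) >= threshold)


# Constructed sample log (not captured traffic).
SAMPLE_LOG = """
2020-11-05T10:00:01Z 10.1.2.3 -> 10.0.0.53:53 udp q=login.microsoftonline.com
2020-11-05T10:00:02Z 10.1.2.3 -> 203.0.113.7:53 udp q=bdfgimbfhgio.bazar
2020-11-05T10:00:03Z 10.1.2.3 -> 203.0.113.8:53 udp q=bdfgjlbfhgjn.bazar
2020-11-05T10:00:04Z 10.1.2.9 -> 10.0.0.53:53 udp q=cdn.example.net
2020-11-05T10:00:05Z 10.1.2.9 -> 203.0.113.9:53 udp q=update.example.org
2020-11-05T10:00:06Z 10.1.2.9 -> 203.0.113.9:443 tcp q=-
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("hosts cycling DGA names:", hosts_cycling_dga(scan(SAMPLE_LOG)))
```

<p>The hosts_cycling_dga() result is the one worth alerting on. A single blockchain-TLD query can be a curious user, and a single query to a foreign resolver can be a misconfigured laptop, but one host walking several twelve-letter .bazar names within seconds is the loader hunting for a live backdoor host.</p>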
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p><b>Phishing Email Subject Lines:</b></p><p>Re:  Termination List</p><p>RE: termination, </p><p>Re: my visit and call</p><p>Re: meeting of </p><p>RE:  office</p><p>RE: office, </p><p><b>Malicious PE32+ Executable Linked to in Decoy Document:</b></p><p>Sha1: 895d84fc6015a9ad8d1507a99fb44350fb462c79</p><p>Sha256: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b</p><p>Md5: dbdb5ddd07075b5b607460ea441cea19</p><p><b>Sites Hosting Malicious PE32+ Executable:</b></p><p>hxxps://tees321[.]com/Document3-90[.]exe</p><p>hxxps://centraldispatchinc[.]com/Report10-13[.]exe</p><p>hxxps://www[.]4rentorlando[.]com/Text_Report[.]exe</p><p><b>Malicious Links in Phishing Messages:</b></p><p>hxxps://files.constantcontact.com/0d2efd83801/50f95d03-8af1-4396-ac84-d6a7f1212026.pdf</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQzFpGbLRNSIpbklM51_9P78DJbhxmMLeMzQUJxX9roupKMn3xYX1ZBEjP2Jo5_CHbzoqIdVnwPeazU/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRhLU8Ar86crHTwsP7rSyStmTABnsPtQ4q3Mic9UIZN-hz06cO8fuzsiiEus9seLQHDU4T51YGcejNU/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vTVCHKzmdSD2wX03GTnyBToo4xvldfGqtFWZiz5bT5cTRozW4Xk5H6GER0GmscSPqnpyFtokphDl-_U/pub</p><p>hxxps://files[.]constantcontact[.]com/5e536f60101/8c5d270a-897a-4ac8-845a-86c920bf229c[.]pdf</p><p>hxxps://files[.]constantcontact[.]com/defde16c001/0aa90d3a-932f-4343-8661-22e4f6488705[.]pdf</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vSlUktRROV3hU60c_n8LWFpOQBdyJj-N10g4tn14hBfmdaiRGKL9rc4vnTRYdLErwU0AHt7WwbzwU9q/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRFLfuWRihaQHjGEPs8-Dm7Y3VxEFRpiUJuJmD9Vm6y3xVSSG9Vc3XxRnbyHQzIoWQ_5REbdDbkOq0s/pub</p><p><b>Outbound BazarLoader DNS Requests (Port 53):</b></p><p>95[.]174[.]65[.]241:53</p><p>195[.]16[.]195[.]195:53</p><p>192[.]71[.]245[.]208:53</p><p>176[.]126[.]70[.]119:53</p><p>151[.]80[.]222[.]79:53</p><p>94[.]16[.]114[.]254:53</p><p>193[.]183[.]98[.]66:53</p><p>51[.]254[.]25[.]115:53</p><p><b>Blockchain 
Domains:</b></p><p>bdfgimbfhgio[.]bazar</p><p>dcehjldeghjn[.]bazar</p><p>bdfgjlbfhgjn[.]bazar</p><p>adehklafghkn[.]bazar</p><p>ceggilcgigin[.]bazar</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">3MLuYtiPmUFKjdEY8WquAQ</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare Support for Azure Customers]]></title>
            <link>https://blog.cloudflare.com/cloudflare-support-for-azure-customers/</link>
            <pubDate>Tue, 05 Feb 2019 16:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare seeks to help its end customers use whichever public and private clouds best suit their needs.  Towards that goal, we have been working to make sure our solutions work well with various public cloud providers including Microsoft’s Azure platform. ]]></description>
            <content:encoded><![CDATA[ <p>Cloudflare seeks to help its end customers use whichever public and private clouds best suit their needs.  Towards that goal, we have been working to make sure our solutions work well with various public cloud providers including Microsoft’s Azure platform.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1NaEObysNmgQqochBjoHtj/4694cde4f5f3ce3b2600158e77f17d7d/azure.png" />
            
            </figure><p>If you are an Azure customer, or thinking about becoming one, here are three ways we have made Cloudflare’s performance and security services work well with Azure.</p>
    <h4>1) The development of an Azure application for Cloudflare Argo Tunnel.</h4>
    <p>We are proud to announce an application for Cloudflare Argo Tunnel within the Azure <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloudflare.cloudflare_azure?tab=Overview"><b>marketplace</b></a>. As a quick reminder, Argo Tunnel establishes an encrypted connection between the origin and the Cloudflare edge. The small tunnel daemon establishes outbound connections to the two nearest Cloudflare PoPs, and the origin is only accessible via the tunnel between Cloudflare and the origin.</p><p>Because these are outbound connections, there is likely no need to modify firewall rules, configure DNS records, etc. You can even go so far as to block all IPs on the origin and allow traffic to flow only through the tunnel. You can learn more <a href="https://developers.cloudflare.com/argo-tunnel/"><b>here</b></a>. The only prerequisite for using Argo Tunnel is to have Argo enabled on your Cloudflare zone. You can sign up a new domain <a href="https://www.cloudflare.com/"><b>here</b></a>.</p><p>You can find instructions on how to configure Argo Tunnel through the Azure interface <a href="https://support.cloudflare.com/hc/en-us/articles/360021621972"><b>here</b></a>.</p>
    <h4>2) Azure is promoting a <a href="https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website">serverless solution</a> for its Static Web Hosting service, and Cloudflare wants to help you secure it!</h4>
    <p>Cloudflare makes SSL issuance and renewal remarkably easy, and it is included in every plan type. There are a few extra steps to getting this to work on Azure’s serverless platform, so we’ve created this <a href="https://support.cloudflare.com/hc/en-us/articles/360021902391"><b>guide</b></a> for you to get started.</p>
    <h4>3) Use of Cloudflare’s speedy DNS resolver, 1.1.1.1, with Azure</h4>
    <p>Cloudflare has created a free DNS resolver to improve DNS response times. We <a href="/dns-resolver-1-1-1-1/">blogged about this</a> last year. A few important takeaways: this resolver runs in all our data centers globally and thus is highly performant, it is future-proofed for emerging DNS protocols that enhance security (DNS over TLS/HTTPS), and it minimizes the DNS query information shared with intermediate resolvers.</p><p>Cloudflare monitors this resolver daily to make sure it consistently performs well on the Azure platform. Here are a few steps to take to make use of <a href="https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/azure/"><b>1.1.1.1</b></a> if you are an Azure user.</p><p>Stay tuned for further Cloudflare support for Azure.</p>
            <category><![CDATA[1.1.1.1]]></category>
            <category><![CDATA[Microsoft]]></category>
            <category><![CDATA[Partners]]></category>
            <category><![CDATA[DNS]]></category>
            <category><![CDATA[TLS]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Speed & Reliability]]></category>
            <category><![CDATA[Cloudflare Tunnel]]></category>
            <guid isPermaLink="false">6TbLqm08Aceej4T6RIEl0F</guid>
            <dc:creator>Peter Dumanian</dc:creator>
        </item>
        <item>
            <title><![CDATA[Introducing the Bandwidth Alliance: sharing the benefits of interconnected networks]]></title>
            <link>https://blog.cloudflare.com/bandwidth-alliance/</link>
            <pubDate>Wed, 26 Sep 2018 12:00:00 GMT</pubDate>
            <description><![CDATA[ At Cloudflare, our mission is to help build a better Internet. That means making the Internet faster, safer and smarter, but also more efficient alongside our cloud partners.  ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/37YF7AeYox6ChbzcRfQhaI/fd56b7b8bdbf41323f75a421722badb2/bandwidth-alliance-lockup--copy_3x--1--3.png" />
            
            </figure><p>At Cloudflare, our mission is to help build a better Internet. That means making the Internet faster, safer and smarter, but also more efficient alongside our cloud partners. As such, wherever we can, we're on the lookout for ways to help save our common customers money. That got us looking into why and how much cloud customers pay for bandwidth.</p><p>If you're hosting on most cloud providers, data transfer charges, sometimes known as <a href="https://www.cloudflare.com/learning/cloud/what-are-data-egress-fees/">“bandwidth” or “egress” charges</a>, can be an integral part of your bill. These fees cover the cost of delivering traffic from the cloud all the way to the consumer. However, if you’re using a <a href="https://www.cloudflare.com/learning/cdn/what-is-a-cdn/">CDN</a> such as Cloudflare, the cost of data transfer comes in addition to the cost of content delivery.</p><p>In some cases, charging makes sense. If you're hosted in a facility in Ashburn, Virginia and someone visits your service from Sydney, Australia, there are real costs to moving traffic between the two places. The cloud provider likely hands off traffic to a transit provider or uses its own global backbone to carry the traffic across the United States and then across the Pacific, potentially handing off to other transit providers along the way, until eventually handing it off to the visitor's ISP. Someone has to maintain the expensive infrastructure that hauls the traffic the 9,739 miles from Ashburn to Sydney. It makes sense for the cloud provider to charge a customer to cover the cost of that transit or their own backbone. For example, Google Cloud and Microsoft Azure both send traffic over their highly available, secure, performant backbones of terrestrial fiber, subsea cable and more.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4VhNwiZsZLLYp73KqoqgZK/d4e25480730b43e9254eccd1d6c9bb27/bandwidth-alliance-header.png" />
            
            </figure>
    <h3>Peered Connections, Low Incremental Costs</h3>
    <p>For nearly all major cloud providers, traffic that is delivered to users via Cloudflare passes across a private network interface (PNI) or private interconnection. That PNI typically occurs within the same facility through a fiber optic cable between routers for the two networks. Unlike when there's a transit provider in between, there's no middleman, so neither Cloudflare nor the cloud provider bears incremental costs for transferring the data over this PNI. Cloud providers use these PNIs to extensively interconnect with third party networks, including Cloudflare’s.</p><p>Cloudflare automatically carries traffic from the user’s location to the Cloudflare data center nearest your cloud provider and then over such PNIs. Cloudflare is one of the most peered networks in the world, allowing traffic to be carried over such free interconnected links. We at Cloudflare acknowledge that specific customers with highly distributed infrastructures and bandwidth requirements can find it daunting to orchestrate workloads across multiple providers, and so not all traffic passes over such PNIs.</p><p>This got us to wonder: could we potentially create a new model and provide our mutual customers with lower costs? We started talking to the most customer-friendly cloud providers that we exchange traffic with and proposed that we look at making our highly efficient and growing interconnects further benefit our mutual customers.</p><p>So today — on the eve of Cloudflare's 8th birthday — we're excited to announce the Bandwidth Alliance: a group of forward-thinking cloud and networking companies that are committed to providing the best and most cost-efficient experience for our mutual customers.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6XJJoBr1PTt5rhxC561FPs/5739c2add65b13b005eb4ef179c926c1/bandwidth-alliance-plug-.png" />
            
            </figure>
    <h3>Google Cloud: Leaders In Customer-First Pricing</h3>
    <p>Separately from our newly announced Bandwidth Alliance, we have been working with Google Cloud over the past three years as <a href="https://www.cloudflare.com/integrations/google-cloud/#cdn-interconnect-program">part of their CDN Interconnect program</a>. That program, which Cloudflare has been a part of since its launch, discounts data transfer fees for mutual Cloudflare/Google Cloud customers by up to 75%. We have worked with Google Cloud to ensure that all our mutual customers now automatically get the discount on their bills without having to do anything. Thus, Google Cloud provides a reduced data transfer fee that helps customers save money compared with the standard data transfer fee, and this is enabled by the high degree of settlement-free peering with Cloudflare.</p><p>Microsoft Azure is working on its own CDN interconnect program. Cloudflare is excited to be part of this program and pass on the benefits to our mutual customers.</p><p>Thus, Google, and soon Microsoft Azure, provide a highly discounted data transfer fee that will help our mutual customers do more for less.</p><p>With the Bandwidth Alliance we wanted to go even further. First, beyond Google Cloud and Microsoft Azure, we worked with several cloud and hosting providers including IBM Cloud to create a group of companies with whom you could get reduced data transfer fees. Second, we implemented a new smart routing system (to learn more, read this <a href="/smart-routing-for-bandwidth-alliance">technical blog post</a>) to ensure that all our customers’ traffic on participating cloud providers could qualify for this offer. And, finally, we agreed with many other cloud providers to not just discount, but to waive data transfer fees entirely for mutual customers.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1s1h7ouD4GCdl0nAxuXXhN/ff5fd9da5a0db53075c8efa2b04182ad/multicloud-bandwidth-.png" />
            
            </figure>
    <h3>Founding Members of the Bandwidth Alliance</h3>
    <p>We are proud to announce the following cloud providers and hosting companies who have joined together with us in committing to reduced or zero bandwidth rates for mutual customers.  </p><p>Below is the list of companies from whom you’ll be able to get discounted or eliminated bandwidth fees as a Cloudflare customer. Click on each partner to learn more.</p>
<table>
  <tr>
    <td><a href="https://www.cloudflare.com/partners/technology-partners/automattic/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/auttomatic.png" />
                    </a></td>
    <td><a href="https://www.cloudflare.com/partners/technology-partners/backblaze/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/backblaze.png" />
                    </a></td>
 
    <td>
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/digital-ocean.png" />
                    </td>
  </tr>
    <tr>
        <td><a href="https://www.cloudflare.com/partners/technology-partners/dreamhost/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/dreamhost.png" />
                    </a></td>
 
    <td>
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/ibm-cloud.png" />
                </td>
 
    <td>
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/linode.png" />
                    </td>
    </tr>
    <tr>
        <td><a href="https://www.cloudflare.com/integrations/microsoft-azure/#cdn-interconnect-program">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/azure.png" />
                    </a></td>
 
    <td><a href="https://www.cloudflare.com/bandwidth-alliance/packet/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/packet.png" />
                    </a></td>
     
    <td><a href="https://www.cloudflare.com/partners/technology-partners/scaleway/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/sclareway.png" />
                    </a></td>
   </tr>
    <tr>
        <td></td>
    <td> <a href="https://www.cloudflare.com/partners/technology-partners/vaporio/">
                        <img src="http://staging.blog.mrk.cfdata.org/content/images/2018/09/vapor.png" />
                    </a></td>
        <td></td>
 </tr>
</table>
    <p>This is an open alliance of like-minded companies and we welcome other members to join whether they be cloud providers, hosting companies, or CDNs. If you are a cloud provider or networking company and aren't listed, we encourage you to email <a href="mailto:cloudflare-bandwidth-alliance@cloudflare.com">cloudflare-bandwidth-alliance@cloudflare.com</a> with a request for inclusion.</p>
    <h3>Customer Benefit</h3>
    <p>The Bandwidth Alliance is providing this benefit to all Cloudflare customers at no additional cost. If you're hosted with a member of the Bandwidth Alliance, your data transfer fees should decrease when the required technical and accounting systems are activated by the member. Some of those systems are live today. Some are planning to go live over the months ahead.</p><p>To give you some sense, we estimate that current Cloudflare customers could save nearly $50 million in data transfer fees per year from hosting with a Bandwidth Alliance member as these programs come online.</p><p>Happy eighth birthday to all the Internet from the Bandwidth Alliance and us at Cloudflare. Enjoy your lower data transfer fees!</p><p>Here is what the founding members and customers say:</p><blockquote><p>“At JPMorgan Chase, portability of workloads is essential as we drive a hybrid, multi-cloud strategy. Minimizing the friction of secure app and data mobility between clouds enables companies like ours to be more efficient, dynamic, and truly harness the full potential of cloud technologies,” said Larry Feinsmith, Managing Director and Head of Technology Strategy, Innovation and Partnerships.</p></blockquote><hr /><blockquote><p>“At Automattic we believe in making the web a better place, and part of that is enabling our customers to build and scale their web properties with freedom. We look forward to partnering with the Bandwidth Alliance to further this mission in allowing a freer flow of data on the internet,” said James Grierson, Global Partnerships, Automattic.</p></blockquote><hr /><blockquote><p>“We are excited to partner with Cloudflare to make our high-quality cloud storage more affordable and available than ever. 
For more than 10 years Backblaze has delivered the most cost-effective cloud storage on the planet, and being a founding member of the Bandwidth Alliance reinforces our continuing commitment to being transparent and trustworthy to our customers,” said Gleb Budman, CEO and co-founder, Backblaze.</p></blockquote><hr /><blockquote><p>“One of the reasons businesses use DigitalOcean is the significant amounts of bandwidth that we include with our compute and storage products at no additional cost,” said Shiven Ramji, VP, Product, DigitalOcean. “Our partnership with Cloudflare will improve on this by making it even more predictable for businesses to manage their cloud costs, and gain the benefits of the DigitalOcean Cloud and Cloudflare’s CDN.”</p></blockquote><hr /><blockquote><p>“IBM Cloud enables our clients to achieve greater business value by accelerating their journey to cloud to help them build, modernize and migrate their applications,” said Faiyaz Shahpurwala, general manager, IBM Cloud. “To further support our clients, we will expand our collaboration with Cloudflare through the Bandwidth Alliance to waive data transfer fees between IBM and Cloudflare servers for customers using the IBM Cloud Internet Services enterprise plan. This will help our clients enhance security and performance from the cloud to the edge without data transfer fees.”</p></blockquote><hr /><blockquote><p>“At Linode, we’re focused on service, value, and simplifying the way developers consume our services. Our partnership with the Bandwidth Alliance will further our goal of providing affordable cloud computing services through predictable, pay-as-you-go pricing,” said Thomas Asaro, Chief Operations Officer, Linode.</p></blockquote><hr /><blockquote><p>“At Packet, we're driven to make infrastructure a competitive advantage for our customers,” said Ihab Tarazi, CTO at Packet. “Partnering with Cloudflare to wipe out bandwidth transfer fees between our networks was a no-brainer, as both Cloudflare and Packet share a common goal: to build a better, stronger and faster Internet.”</p></blockquote><hr /><blockquote><p>“Scaleway, since 2005, provides ultra-easy, high-performance infrastructure and services to allow our customers to build and scale appliances. We were the first hosting company to offer unlimited and unmetered connectivity; it’s a part of our DNA. We are excited to join the Bandwidth Alliance to further our mission to meet our customers’ demand to scale on the cloud,” said Arnaud de Bermingham, CEO, Scaleway.</p></blockquote><hr /><blockquote><p>“Vapor IO is delivering the next generation internet by enabling high performance applications at the edge of the wireless network. Our unique edge colocation business allows CDNs, cloud providers and web scale companies to place IT equipment in close proximity to cell towers where they can leverage software-defined interconnections to cross connect or peer with virtually any carrier, private data center, or cloud provider. We are excited to be part of the Bandwidth Alliance to accelerate edge deployments by not charging our mutual customers egress fees,” said Matthew Trifiro, CMO, Vapor IO.</p></blockquote><p><a href="/subscribe/"><i>Subscribe to the blog</i></a><i> for daily updates on all our Birthday Week announcements.</i></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2O9MD2pGaosDLc88DGAmTh/529e1ec6b73453f34d0c19070467b198/Cloudflare-Birthday-Week-5.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Birthday Week]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Bandwidth Costs]]></category>
            <category><![CDATA[Bandwidth Alliance]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">7BG9sbxBgXoDj0ARddaE9H</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
    </channel>
</rss>