dti.domaintools.com 3/11/2026, 10:58:18 PM · via preferred

DomainTools Investigations | SecuritySnack - CloudFlare Anti-Security For Phishing

Cloudflare’s anti-bot and human-verification features are described as a double-edged sword in a SecuritySnack report dated 11 March 2026, which highlights how a legitimate defence tool can also shield malicious sites from proactive detection. The Microsoft 365 credential harvesting campaign examined uses several anti-detection techniques, including Cloudflare human verification, aggressive IP and User-Agent filtering, and redirection through multiple sites.

The site code looks up each visitor’s IP address via https://api.ipify[.]org/?format=json, compares it against a hardcoded blocklist, and serves a fake “404 Not Found” page to known security scanners and crawlers such as Googlebot and Bingbot. If the visitor passes these checks, an obfuscated script redirects them to a credential harvesting URL built from an encoded VM in the payload; the framework can also switch the destination to a legitimate domain such as Google[.]com to thwart static analysis.

The report also notes a Cloudflare Turnstile sitekey (0x4AAAAAACG6TJhrsuZdpjsN) and identifies several IOCs, including securedsnmail[.]com and suitetosecured[.]com.
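As an added defender-side example (not code from the report or from DomainTools), the following scanner flags the anti-analysis tricks described above in a page’s script source: the ipify IP lookup, crawler User-Agent gating, the fake 404 response, a hardcoded IP blocklist, a Turnstile sitekey, and the decoy redirect to google.com. The regular expressions and the sample script are constructed for illustration; the sitekey pattern is an assumption based on the shape of the key quoted in the report, and the sample key is a placeholder.

```python
import re

# Static indicators for phishing-kit anti-analysis behaviour. Patterns are
# constructed for this example; the sitekey regex assumes Turnstile keys share
# the "0x4A..." prefix seen in the key quoted by the report.
INDICATORS = [
    ("ipify_ip_lookup", re.compile(r"api\.ipify\.org", re.I)),
    ("crawler_ua_gate", re.compile(r"Googlebot|Bingbot", re.I)),
    ("fake_404_page", re.compile(r"404\s+Not\s+Found", re.I)),
    # three or more quoted dotted-quad literals inside one array
    ("hardcoded_ip_blocklist",
     re.compile(r"\[\s*(?:['\"]\d{1,3}(?:\.\d{1,3}){3}['\"]\s*,?\s*){3,}\]")),
    ("turnstile_sitekey", re.compile(r"0x4A[A-Za-z0-9_-]{18,}")),
    ("decoy_redirect_google",
     re.compile(r"location\s*(?:\.href)?\s*=\s*['\"]https?://(?:www\.)?google\.com", re.I)),
]


def scan_kit_source(js_text: str) -> list[str]:
    """Return the names of anti-analysis indicators found in a script body."""
    return [name for name, pattern in INDICATORS if pattern.search(js_text)]


# Constructed sample mimicking the gating logic described in the report.
SAMPLE_JS = r"""
fetch("https://api.ipify.org/?format=json").then(r => r.json()).then(j => {
  var blocked = ["203.0.113.5", "198.51.100.7", "192.0.2.9"];
  if (blocked.indexOf(j.ip) !== -1 || /Googlebot|Bingbot/i.test(navigator.userAgent)) {
    document.body.innerHTML = "<h1>404 Not Found</h1>";
  } else {
    window.location.href = "https://www.google.com/";
  }
});
var sitekey = "0x4AAAAAAAEXAMPLEKEY0000";
"""

# Constructed benign login script, to show the scanner does not fire on it.
BENIGN_JS = 'document.getElementById("login").addEventListener("submit", validate);'

if __name__ == "__main__":
    for label, src in (("sample kit", SAMPLE_JS), ("benign page", BENIGN_JS)):
        hits = scan_kit_source(src)
        print(f"{label}: {len(hits)} indicator(s) {hits}")
```

Several indicators firing together on one page is a stronger signal than any single one, since ipify lookups and crawler checks also appear in legitimate sites.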


Article by CyberSIXT