Security

How this new Cloudflare phishing technique is becoming problematic

A new phishing technique is exploiting Cloudflare by hosting malicious content on subdomains while keeping the root domain inactive. This allows attackers to evade detection, bypass abuse reports, and quickly rotate infrastructure to stay online.

Cloaked.gg Team April 13, 2026 3 min read

Introduction

Cloudflare has become increasingly popular among phishing operators in recent years, with critics arguing that its response to abuse and takedown requests has been inconsistent.

A particularly problematic technique has emerged that takes advantage of how domains and subdomains are handled, allowing phishing content to remain active while avoiding effective detection and takedown.

In this article, I’ll break down exactly how this method works using a real-world example. Please note that phishing links may be referenced—exercise caution and do not visit them directly.


How the Technique Works

At a high level, the method is simple:

  • A domain is registered (through Cloudflare or any other registrar) and its DNS is placed behind Cloudflare

  • The root domain is left without a usable A record, or pointed at a non-routable address (e.g. 0.0.0.0), so the bare domain never serves anything

  • Phishing content is hosted entirely on a subdomain, which resolves and serves normally

This separation is key to how the technique avoids detection.


Real-World Example

The following real-world example shows the setup in practice:

Domain: gamingvote.com
Subdomain: runescapeclassic.gamingvote.com
Archived phishing page (use caution): https://archive.is/ammQU

In this case, gamingvote.com is being used to host a RuneScape phishing campaign.

Visiting the root domain (gamingvote.com) shows no active site—it appears offline or non-functional.

However, the phishing content is fully operational on the subdomain.


Why This Is a Problem

This setup creates a significant gap in abuse handling:

  • When the domain is reported, reviewers may check only the root domain

  • Since the root domain appears inactive, the report may be dismissed or deprioritized

  • Meanwhile, the phishing content remains live on the subdomain

Additionally:

  • If a subdomain is flagged by services like Google Safe Browsing, it can be deleted and replaced almost instantly

  • This allows attackers to continuously rotate subdomains while keeping the main domain intact

The result is a low-effort, highly persistent phishing setup that can evade traditional reporting and takedown workflows.


Conclusion

This technique highlights a structural weakness in how phishing infrastructure is detected and handled at scale. By separating the root domain from the malicious subdomain, attackers are able to exploit gaps in verification workflows and keep phishing content online for longer than expected.

The barrier to entry is extremely low, the setup is fast, and the ability to rotate subdomains makes this approach both resilient and difficult to disrupt. As a result, it is quickly becoming a preferred method among phishing operators.

Addressing this issue requires a shift in how abuse detection and response are handled:

  • Full domain inspection: Abuse reviews should include enumeration and inspection of active subdomains, not just the root domain

  • Automated subdomain monitoring: Security providers need better visibility into rapidly created and rotated subdomains

  • Faster response cycles: Delays in abuse handling allow attackers to continuously pivot and remain active

  • Stronger enforcement at the DNS/proxy layer: Providers should implement stricter controls when clear patterns of abuse are identified

Without these changes, this technique will continue to scale and remain effective against current detection and takedown processes.
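The triage logic below is an added example for this post, not Cloaked.gg tooling or anything the campaign itself uses. It implements the "full domain inspection" point above against the setup described in "How the Technique Works": resolve the registrable domain and the reported hostname separately, treat a root parked on 0.0.0.0 or similar as inactive rather than as proof the report is bogus, and probe a supplied list of sibling subdomains so rotation is visible. The zone data, the 192.0.2.x address (TEST-NET-1, standing in for whatever the phishing host really resolves to) and the candidate subdomain list are all constructed so the block runs offline; `live_lookup` is the real-DNS variant you would inject in practice.

```python
"""Abuse-report triage that checks the reported subdomain, not just the root."""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed zone imitating the pattern in the post. 192.0.2.10 is a
# documentation address (TEST-NET-1), NOT the campaign's real hosting IP.
FAKE_ZONE: Dict[str, Optional[str]] = {
    "gamingvote.com": "0.0.0.0",                      # root parked on 0.0.0.0
    "runescapeclassic.gamingvote.com": "192.0.2.10",  # live phishing host
    "www.gamingvote.com": None,                       # does not resolve
}

# RFC 1918 space, listed explicitly rather than via is_private so that the
# TEST-NET documentation range used above still counts as "routable" here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fake_lookup(host: str) -> Optional[str]:
    """Offline resolver backed by the constructed zone."""
    return FAKE_ZONE.get(host.lower().rstrip("."))


def live_lookup(host: str) -> Optional[str]:
    """Real resolver: first A record, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def registrable_domain(host: str) -> str:
    """Last two labels. A production tool should use the Public Suffix List so
    names under e.g. co.uk are split correctly; kept simple for the example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_dead_ip(ip: Optional[str]) -> bool:
    """True when there is no record, or the record cannot serve Internet traffic:
    0.0.0.0, loopback, link-local, multicast, reserved, or RFC 1918 space."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified or addr.is_loopback or addr.is_link_local \
            or addr.is_multicast or addr.is_reserved:
        return True
    return any(addr in net for net in RFC1918)


@dataclass
class Triage:
    root: str
    root_ip: Optional[str]
    reported: str
    reported_ip: Optional[str]
    live_subdomains: List[str] = field(default_factory=list)
    verdict: str = ""


def triage(reported_host: str, candidates: List[str],
           lookup: Callable[[str], Optional[str]] = fake_lookup) -> Triage:
    """Resolve root and reported host separately, enumerate sibling subdomains
    from `candidates` (in practice: CT logs, passive DNS, a wordlist)."""
    root = registrable_domain(reported_host)
    result = Triage(root, lookup(root), reported_host, lookup(reported_host))
    for label in candidates:
        fqdn = f"{label}.{root}"
        if fqdn != reported_host and not is_dead_ip(lookup(fqdn)):
            result.live_subdomains.append(fqdn)
    root_dead = is_dead_ip(result.root_ip)
    reported_dead = is_dead_ip(result.reported_ip)
    if root_dead and not reported_dead:
        result.verdict = "SUSPICIOUS: root parked, reported subdomain is live"
    elif root_dead and reported_dead:
        # Nothing resolves right now; subdomains rotate, so do not close the report.
        result.verdict = "INACTIVE: recheck, subdomain may have been rotated"
    else:
        result.verdict = "ACTIVE: root resolves, review root and subdomain together"
    return result


if __name__ == "__main__":
    t = triage("runescapeclassic.gamingvote.com", ["www", "login", "secure"])
    print(f"root {t.root} -> {t.root_ip}; reported {t.reported} -> {t.reported_ip}")
    print(t.verdict, "| other live subdomains:", t.live_subdomains)
```

The point of the split verdicts is the second one: when neither the root nor the reported host resolves at review time, the right action is to recheck later and keep the report open, because the operator may simply have moved to a fresh subdomain since the report was filed.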
