Blog & News
Lessons from a sophisticated phishing attack

The Points

  • Cloudflare had a near miss with a sophisticated phishing attack.
  • Their cybersecurity awareness training and company culture were critical in identifying the attack.
  • Multi-factor authentication saved the day.

Sophisticated phishing attack

Cloudflare, a popular content delivery network (CDN), recently announced that they were targeted in a sophisticated phishing scheme. Fortunately, through a variety of preventative measures, they were able to stop it. Like any near miss, this is a great learning opportunity. Here are some of my takeaways that other organizations might find helpful.

Employee cybersecurity awareness training & company culture

The IT industry is reckoning with the fact that traditional cybersecurity defenses can only go so far. Firewalls, antivirus software, and vulnerability scanning have made it more difficult for hackers to brute force their way into a company’s network, but there’s an easier way in. Employees have access to software, resources, and data on your network and are susceptible to phishing emails that play on our emotions, good intentions, and trust. Many of the recent data breaches, ransomware, and other attacks start with a simple phishing email to a company employee.

The only way to prevent this kind of attack is through cybersecurity awareness training for all employees. This isn’t something that senior leadership can skip out on, in fact, they are targeted more often than other employees. Frequent cybersecurity training teaches and reminds employees of red flags to look for and what to do if you are uncertain if an email is safe.

In order for employees to feel safe reporting potential phishing emails or other cybersecurity threats, it is important to foster a company culture void of blame or ridicule for being overly cautious. Cloudflare revealed that over 90% of the suspicious activity reported to their incident response team was benign. Instaed of trying to cut down on the overreporting, they embrased it which potentially helped them identify and stop this targeted attack.

Multi-factor authentication

Phishing emails often link to a website that asks for your credentials. These website can look very convincing, indeed some are clones of actual websites that the company uses, only when you type in your credentials they go straight to the hackers. One way to protect against this kind of credential theft is to use multi-factor authentication (MFA) or 2-step verification.

By now, most users are familiar with multi-factor authentication; companies including Google, Apple, and most banks are embracing this relatively simple way to keep accounts safe. Unfortunately, some companies have been slow to adopt multi-factor authentication internally, opening themselves up to attacks. Company email, VPN, and any single sign on (SSO) or identity providers (IDP) should absolutely be secured with multi-factor authentication.

In the case of the Cloudflare attack, the hackers knew that they used MFA on their Okta SSO account (the target of the attack). After entering their username and password, employees were asked for their MFA code, which was sent in real-time to the hackers who were waiting to log into the real site using the stolen information. Since MFA codes are usually only valid for 20 or 30 seconds this kind of coordinated attack has been less common.

Fortunately, Cloudflare was not using traditional MFA codes via text or an authentication app. They used hardware USB keys, which add even more security. While relatively inexpensive and accessible, these keys add a layer of complication that most employees are not accustomed to.


Employee cybersecurity awareness training is just essential to any cybersecurity strategy. Spruce Point Group offers several resources for cybersecurity training, including in-person and online training.

Multi-factor authentication is critical for all internet-accessible accounts since it prevents hackers from exploiting company resources even if they have the correct credentials to log in. Multi-factor authentication is already built into Google Workspace (used for business email) and implementing it is easy. Since many other credentials can be reset from your email account, that’s a good place to start.