{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloudflare/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["cloudflare","tunneling","command and control","proxy"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike","Cloudflare"],"content_html":"\u003cp\u003eCloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare\u0026rsquo;s edge. This tool can be abused by adversaries to create quick or named tunnels for command and control, data exfiltration, or ingress tool transfer while evading direct connection blocking. The adversary may utilize quick tunnels (e.g. \u003ccode\u003etunnel --url http://127.0.0.1:80\u003c/code\u003e) or named tunnels to proxy command and control traffic. This activity began to be tracked around March 2026. Defenders should be aware of suspicious execution of cloudflared, especially from unusual locations, to detect potential misuse of this tool for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the \u003ccode\u003ecloudflared.exe\u003c/code\u003e executable to the compromised system, potentially staging it in a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ecloudflared.exe\u003c/code\u003e with the \u003ccode\u003etunnel\u003c/code\u003e command and arguments such as \u003ccode\u003e--url http://127.0.0.1:80\u003c/code\u003e to create a quick tunnel, forwarding local traffic through Cloudflare\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a local service, such as a reverse proxy or command and control server, to listen on the specified localhost port (e.g., 80).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Cloudflare tunnel to establish an encrypted connection to the local service, masking the origin of the traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker proxies command and control traffic through the Cloudflare tunnel, communicating with the compromised system without directly exposing its IP address.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exfiltrates sensitive data through the Cloudflare tunnel, routing it through Cloudflare\u0026rsquo;s edge network.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by establishing scheduled tasks or autorun registry keys to ensure the Cloudflare tunnel is re-established upon system reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to proxy command and control traffic, exfiltrate data, or facilitate ingress tool transfer while evading direct connection blocking. This can lead to data breaches, system compromise, and prolonged unauthorized access. While the total number of victims is unknown, organizations using Windows systems are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of \u003ccode\u003ecloudflared.exe\u003c/code\u003e with the \u003ccode\u003etunnel\u003c/code\u003e argument to identify potential misuse of Cloudflare Tunnel (see rule: \u0026ldquo;Potential Protocol Tunneling via Cloudflared\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eCorrelate network connection logs with process execution events to identify outbound connections to Cloudflare IPs or \u003ccode\u003etrycloudflare.com\u003c/code\u003e-style hostnames originating from \u003ccode\u003ecloudflared.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a process allowlist to restrict execution of \u003ccode\u003ecloudflared.exe\u003c/code\u003e to authorized locations (e.g., \u003ccode\u003eC:\\\\Program Files\\\\Cloudflare\\\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for suspicious logon or execution from the same context as \u003ccode\u003ecloudflared.exe\u003c/code\u003e processes.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003etrycloudflare.com\u003c/code\u003e at the DNS resolver to prevent connections to attacker-controlled Cloudflare tunnels (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T10:00:00Z","date_published":"2026-05-05T10:00:00Z","id":"/briefs/2026-05-cloudflared-tunnel/","summary":"Adversaries may abuse Cloudflare Tunnel (cloudflared) on Windows systems to proxy command and control traffic or exfiltrate data through Cloudflare's edge, evading direct connection blocking.","title":"Potential Protocol Tunneling via Cloudflared","url":"https://feed.craftedsignal.io/briefs/2026-05-cloudflared-tunnel/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloudflare","version":"https://jsonfeed.org/version/1.1"}