A Tale of Two Phishes: The Twilio and Cloudflare Attacks

This guest blog was contributed by Richard Melick, Director of Threat Reporting, Zimperium

As details emerge about the spear phishing attacks against Twilio and Cloudflare, one thing is clear: enterprises must continuously evolve their access security policies to stand up to sophisticated attackers. Although both attacks were carried out by the same malicious actor, they paint very different pictures, because one organization fell victim while the other did not.

Cloudflare, unlike Twilio, requires physical FIDO2-compliant security keys for employee login, and that is what kept the attackers' harvested credentials from being used against internal systems. In the span of one minute, over 100 Cloudflare employees received similar social engineering text messages urging them to click a link and take action. When the linked page prompted them to log in, some employees supplied their credentials, but the attackers could not use them: a FIDO2 key signs a login challenge that is bound to the domain the browser is actually connected to, so anything captured on a lookalike login page is useless against the real one, whereas a one-time code typed into that same page could simply have been relayed. The Cloudflare Security team received reports of the attempts, analyzed the threat to their systems, and worked with outside services to take down the phishing infrastructure aimed at their employees and data. Within 45 minutes of the attack, all compromised employee credentials had been reset.

The Twilio and Cloudflare stories end differently, but both expose the same gap in modern enterprise security infrastructure: mobile endpoints are rarely covered by advanced security controls. In both cases the keys to the proverbial kingdom sat on mobile devices far outside the enterprise's traditional protections. So what can enterprises learn from the two attacks? Security awareness training only goes so far, phishing is OS-agnostic, and the mobile device is just one link in a longer attack chain.

Cloudflare's saving grace in this attack was its reliance on physical security keys for employee access, but this layer of security is far from universal. Many enterprises have instead standardized on multi-factor authentication (MFA) delivered through smartphones and apps, and a one-time code or push approval carries no binding to the site that requested it, so the same kind of phishing page that failed against Cloudflare can relay it in real time. Worse, the phones themselves are, more often than not, left unprotected, and security teams lack visibility into the threats hitting those mobile endpoints as part of larger attack chains. Whether or not they fall under a zero-trust program, the mobile devices employees use to reach any layer of enterprise data are increasingly in attackers' sights.
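Why the keys held, and why a relayed code would not have, is easiest to see in code. The following Go program is an added example written for this post, not Cloudflare's or Zimperium's code: a toy FIDO2 authenticator (a bare P-256 key pair with no attestation or signature counter) and a relying party that applies the origin and RP ID checks of a WebAuthn assertion. The hostnames sso.example.com (the real login service) and sso-example.com (the attacker's lookalike) are placeholders. The lookalike run models an adversary-in-the-middle proxy that forwards the real site's fresh challenge to the victim's browser and submits whatever comes back.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser fills in Origin from
// the site it is connected to; the page's JavaScript (or a phishing kit) cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party gets back from navigator.credentials.get().
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash (32 bytes) || flags
	Signature      []byte // ECDSA P-256 over authData || SHA-256(clientDataJSON)
}

// Authenticator is a toy FIDO2 key: one P-256 key pair, no attestation, no counter.
type Authenticator struct{ priv *ecdsa.PrivateKey }
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// BrowserGetAssertion models the browser on browserOrigin (scheme://host) invoking the key:
// the RP ID hash is taken from the connected host, the origin goes into client data, the key signs both.
func (a *Authenticator) BrowserGetAssertion(browserOrigin, challenge string) (Assertion, error) {
	host := strings.TrimPrefix(browserOrigin, "https://")
	rpIDHash := sha256.Sum256([]byte(host))
	authData := append(rpIDHash[:], 0x01) // flags: user present (UP)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// RelyingParty is the login service: its own origin, its RP ID and the user's registered public key.
type RelyingParty struct {
	Origin string
	RPID   string
	Pub    *ecdsa.PublicKey
}
var ErrOrigin = fmt.Errorf("origin mismatch")

// Verify applies the assertion checks that make WebAuthn phishing-resistant.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong type or stale challenge")
	}
	if cd.Origin != rp.Origin { // the check a lookalike domain cannot pass
		return fmt.Errorf("%w: signed for %s, expected %s", ErrOrigin, cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, msg[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one attempt end to end. With browserOrigin equal to the RP's origin it is a normal
// login; with a lookalike origin it models a proxy relaying the RP's challenge to the victim's browser.
func Login(rp *RelyingParty, key *Authenticator, browserOrigin string) error {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	as, err := key.BrowserGetAssertion(browserOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, as)
}

func main() {
	key, _ := NewAuthenticator()
	rp := &RelyingParty{Origin: "https://sso.example.com", RPID: "sso.example.com", Pub: &key.priv.PublicKey}
	fmt.Println("real site:", Login(rp, key, "https://sso.example.com")) // <nil>
	fmt.Println("lookalike:", Login(rp, key, "https://sso-example.com")) // origin mismatch: ...
}
```

The relayed attempt fails even though the signature itself is valid and the challenge is fresh: the victim's key signed for sso-example.com, and the relying party will only accept an assertion whose origin is its own. A real browser goes one step further and refuses to offer a credential at all when the RP ID is not a registrable suffix of the page's domain, which is why a FIDO2 key gives the user nothing to hand over on a phishing page. Nothing in this flow exists for an SMS or authenticator-app code: the code the victim types on the lookalike page is exactly the code the real site expects.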

For identity verification, communication tools, and even access to critical data, enterprises increasingly rely on employees' mobile endpoints to keep a distributed workforce productive. And each mobile device, whether BYOD or corporate-owned, widens the enterprise attack surface beyond what many security teams can monitor and respond to. Mobile device management alone is no longer enough: it enforces configuration and policy, but it does not detect the advanced attacks used against employees today.

Unlike Twilio, Cloudflare was prepared AND lucky. But employees at both companies were still targeted by, and some fell for, similar attacks. This does not need to be the reality for enterprises. With mobile threat defense on the device, organizations can detect and block phishing links, hostile networks, malicious applications and device compromise, while feeding that telemetry to security teams so they can stay ahead of increasingly organized attackers. It is critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access.
