The email looked like any other issue of a Broadway ticketing newsletter. Formatted HTML, editorial blurbs about upcoming productions, links to show pages, a YouTube recommendation, a GQ feature, a Variety article. The sender was a recognized ticketing brand. SPF passed. DKIM passed. DMARC passed under a reject policy. The relay path, from a legitimate marketing network through Google's MX infrastructure, was clean.
More than 30 links. All destinations recognizable. Most recipients would open, scan, and move on.
One link was different.
The One Link That Mattered
Buried among the clean destinations, a single URL pointed to first-looks[.]pages[.]dev/huzzah?AID=EML004000013. The domain was a Cloudflare Pages subdomain. The path and query string were campaign-tracking parameters. The destination: a form collecting email address, first and last name, zip code, and phone number. No corporate branding on the form. No clear value proposition for why a user would submit their personal information. No verification of identity.
The element carrying the malicious link was flagged in the email's link structure. Every other link in the same newsletter passed reputation checks cleanly. Telecharge.com links, YouTube, Facebook, Variety, GQ. All legitimate. The Cloudflare Pages link was the only exception.
This is a needle-in-a-haystack phishing pattern. The attacker bets that URL scanning tools will evaluate each link in isolation, that a single suspicious URL among 30+ clean ones will be harder to catch, and that a recipient who visually scans the email will not inspect every link's actual destination. All three bets are reasonable given how most security tools and users behave.
Why Cloudflare Pages Is a Recurring Attack Surface
Cloudflare Pages offers free static site hosting under the pages.dev domain, a high-reputation domain operated by one of the largest CDN providers in the world. Threat actors register free accounts, upload minimal HTML phishing pages, and host them under [subdomain][.]pages[.]dev paths. Because pages.dev has a strong aggregate reputation, URL reputation scanners that block by domain rather than by full URL path frequently miss these payloads.
The specific subdomain first-looks[.]pages[.]dev shows no legitimate business association. The AID parameter in the URL suggests an affiliate or campaign tracking system, meaning the attacker may be operating a coordinated PII collection campaign across multiple newsletters or email channels, with each delivery carrying a unique tracking identifier.
Cloudflare does accept abuse reports and terminates malicious Pages accounts, but the turnaround time can span hours to days. A short-lived campaign that runs for 24 to 48 hours, collects PII from a batch of newsletter recipients, and then abandons the subdomain faces minimal friction from platform takedowns.
This technique maps to MITRE ATT&CK T1583.006 (Acquire Infrastructure: Web Services), where attackers use legitimate third-party platforms to host attack infrastructure rather than operating their own servers.
The Delivery Path: A Legitimate Newsletter as Cover
The email did not originate from an attacker-controlled domain. The sender was email@reply[.]telecharge[.]com, the Return-Path was a standard VERP bounce address in the legitimate newsletter service's infrastructure, and the relay was dv9-79[.]n-email[.]net (141[.]193[.]209[.]79) delivering to Google MX.
This is an important distinction. The Telecharge newsletter infrastructure was not compromised. The attacker either gained access to inject a URL into a specific newsletter dispatch, used an affiliate or partner slot in the mailing system, or exploited a dynamic content block that pulls from an external source. The precise injection vector was not determinable from the email headers alone.
What is determinable: the newsletter's authentication credentials are clean and legitimate. The malicious link rode a trusted sending reputation to the inbox, bypassing filters that would have blocked the same Cloudflare Pages URL arriving from an unknown or low-reputation sender. Credential harvesting attacks increasingly exploit this gap between sender authentication and link-level content integrity.
Detection at the Link Level
Themis, the IRONSCALES Adaptive AI engine, flagged the specific Cloudflare Pages link as malicious within the delivery window. Detection at this level requires per-link analysis of destination behavior, not aggregate sender reputation. The newsletter infrastructure was clean. The sending domain was legitimate. The authentication chain was valid. None of those signals identified the threat.
What identified the threat was evaluating the specific URL destination against known phishing infrastructure patterns, including pages.dev subdomains serving form collection pages with no recognizable commercial identity. That link-level behavioral assessment is what separates detection from a clean-bill-of-health based on sender reputation.
Practical Notes for Defenders
Newsletter-embedded malicious links are a growing attack surface precisely because they exploit trusted sender authentication. Defenders should consider:
- Link-time scanning that re-evaluates URLs when clicked, not just at delivery. Delivery-time scanning catches many threats but cannot anticipate URLs that are benign at scan time and malicious at click time, or vice versa.
- Monitoring for pages.dev, sites.google.com, glitch.me, and similar high-reputation hosting platforms as link destinations in inbound email. These platforms are legitimate, and most links to them are benign, but they are also the preferred hosting infrastructure for short-lived phishing campaigns precisely because of their reputation.
- Reviewing newsletter subscriptions for unfamiliar CTAs requesting personal information entry. Any form collecting name, email, phone, and location data without a clear, verifiable business purpose warrants scrutiny regardless of the sending brand.
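The per-link triage described above (evaluate every destination on its own, regardless of how clean the sender is) can be sketched as a small filter. This is an added example, not IRONSCALES code: it extracts every href from a constructed newsletter body and flags any destination on the free hosting platforms named in this post; the sample links other than the pages.dev URL from this incident are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Free, high-reputation static hosting platforms named in the write-up (suffix match on host).
FREE_HOSTING_SUFFIXES = ("pages.dev", "sites.google.com", "glitch.me")


class _HrefCollector(HTMLParser):
    """Collect every href from <a> tags, in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def is_free_hosting(url):
    """True if the URL's host is, or is a subdomain of, a free hosting platform."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)


def triage_links(html):
    """Return (flagged, clean): each link is judged on its own destination, not the sender."""
    flagged, clean = [], []
    for url in extract_links(html):
        (flagged if is_free_hosting(url) else clean).append(url)
    return flagged, clean


# Constructed sample newsletter body (not the real message): many clean links, one outlier.
SAMPLE_NEWSLETTER = """
<a href="https://www.telecharge.com/broadway">Shows</a>
<a href="https://www.youtube.com/watch?v=example">Watch</a>
<a href="https://www.gq.com/story/example">GQ feature</a>
<a href="https://variety.com/example">Variety</a>
<a href="https://first-looks.pages.dev/huzzah?AID=EML004000013">Get first looks</a>
<a href="https://www.facebook.com/telecharge">Facebook</a>
"""

if __name__ == "__main__":
    flagged, clean = triage_links(SAMPLE_NEWSLETTER)
    print(f"{len(clean)} clean links, {len(flagged)} flagged: {flagged}")
```

In production the flagged list would feed a click-time re-check or a form-fingerprinting step rather than a hard block, since most links to these platforms are benign.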
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Malicious URL | first-looks[.]pages[.]dev/huzzah?AID=EML004000013 | Cloudflare Pages PII harvester; element_id 608412692 |
| Hosting Platform | pages[.]dev | Cloudflare Pages free hosting; subdomain "first-looks" |
| Sending Domain | reply[.]telecharge[.]com | Legitimate Telecharge newsletter subdomain; not attacker-controlled |
| Relay IP | 141[.]193[.]209[.]79 | dv9-79.n-email.net (legitimate newsletter relay) |
| Delivery Path | Newsletter service to Google MX | Fully authenticated relay chain; attack in link payload only |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Malicious Cloudflare Pages link embedded in authenticated newsletter |
| Acquire Infrastructure: Web Services | T1583.006 | Cloudflare Pages used as free PII harvesting host |
| Phishing for Information | T1598.003 | Form collecting name, email, zip, phone for PII exfiltration without credential entry |