
One Malicious Link Hidden Among Thirty Clean Ones in a Fully Authenticated Newsletter

Written by Audian Paxson | Aug 12, 2025 11:00:00 AM

TL;DR A legitimate Telecharge newsletter passed every authentication check and contained more than 30 clean links to YouTube, Broadway show pages, and editorial outlets. One link, invisible in the content layout, pointed to a Cloudflare Pages subdomain hosting a form collecting name, email, zip code, and phone number. The attack exploited trusted-sender reputation and the visual noise of a link-dense marketing email to hide a single malicious destination.

Severity: Medium. Tags: Credential Harvesting, Trusted Sender Exploitation, PII Collection. MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1598.003 (Phishing for Information: Spearphishing Link), T1583.006 (Acquire Infrastructure: Web Services).

The email looked like any other issue of a Broadway ticketing newsletter. Formatted HTML, editorial blurbs about upcoming productions, links to show pages, a YouTube recommendation, a GQ feature, a Variety article. The sender was a recognized ticketing brand. SPF passed. DKIM passed. DMARC passed under a reject policy. The relay path, from a legitimate marketing network through Google's MX infrastructure, was clean.

More than 30 links. All destinations recognizable. Most recipients would open, scan, and move on.

One link was different.

The One Link That Mattered

Buried among the clean destinations, a single URL pointed to first-looks[.]pages[.]dev/huzzah?AID=EML004000013. The domain was a Cloudflare Pages subdomain. The path and query string were campaign-tracking parameters. The destination: a form collecting email address, first and last name, zip code, and phone number. No corporate branding on the form. No clear value proposition for why a user would submit their personal information. No verification of identity.

The element carrying the malicious link was flagged in the email's link structure. Every other link in the same newsletter passed reputation checks cleanly. Telecharge.com links, YouTube, Facebook, Variety, GQ. All legitimate. The Cloudflare Pages link was the only exception.

This is a needle-in-a-haystack phishing pattern. The attacker bets that URL scanning tools will evaluate each link in isolation, that a single suspicious URL among 30+ clean ones will be harder to catch, and that a recipient who visually scans the email will not inspect every link's actual destination. All three bets are reasonable given how most security tools and users behave.

Why Cloudflare Pages Is a Recurring Attack Surface

Cloudflare Pages offers free static site hosting under the pages.dev domain, a high-reputation domain operated by one of the largest CDN providers in the world. Threat actors register free accounts, upload minimal HTML phishing pages, and host them under [subdomain][.]pages[.]dev paths. Because pages.dev has a strong aggregate reputation, URL reputation scanners that block by domain rather than by full URL path frequently miss these payloads.

The specific subdomain first-looks[.]pages[.]dev shows no legitimate business association. The AID parameter in the URL suggests an affiliate or campaign tracking system, meaning the attacker may be operating a coordinated PII collection campaign across multiple newsletters or email channels, with each delivery carrying a unique tracking identifier.

Cloudflare does accept abuse reports and terminates malicious Pages accounts, but the turnaround time can span hours to days. A short-lived campaign that runs for 24 to 48 hours, collects PII from a batch of newsletter recipients, and then abandons the subdomain faces minimal friction from platform takedowns.

This technique maps to MITRE ATT&CK T1583.006 (Acquire Infrastructure: Web Services), where attackers use legitimate third-party platforms to host attack infrastructure rather than operating their own servers.

The Delivery Path: A Legitimate Newsletter as Cover

The email did not originate from an attacker-controlled domain. The sender was email@reply[.]telecharge[.]com, the Return-Path was a standard VERP bounce address in the legitimate newsletter service's infrastructure, and the relay was dv9-79[.]n-email[.]net (141[.]193[.]209[.]79) delivering to Google MX.

This is an important distinction. The Telecharge newsletter infrastructure was not compromised. The attacker either gained access to inject a URL into a specific newsletter dispatch, used an affiliate or partner slot in the mailing system, or exploited a dynamic content block that pulls from an external source. The precise injection vector was not determinable from the email headers alone.

What is determinable: the newsletter's authentication credentials are clean and legitimate. The malicious link rode a trusted sending reputation to the inbox, bypassing filters that would have blocked the same Cloudflare Pages URL arriving from an unknown or low-reputation sender. Credential harvesting attacks increasingly exploit this gap between sender authentication and link-level content integrity.

Detection at the Link Level

Themis, the IRONSCALES Adaptive AI engine, flagged the specific Cloudflare Pages link as malicious within the delivery window. Detection at this level requires per-link analysis of destination behavior, not aggregate sender reputation. The newsletter infrastructure was clean. The sending domain was legitimate. The authentication chain was valid. None of those signals identified the threat.

What identified the threat was evaluating the specific URL destination against known phishing infrastructure patterns, including pages.dev subdomains serving form collection pages with no recognizable commercial identity. That link-level behavioral assessment is what separates detection from a clean bill of health based on sender reputation.


Practical Notes for Defenders

Newsletter-embedded malicious links are a growing attack surface precisely because they exploit trusted sender authentication. Defenders should consider:

Link-time scanning that re-evaluates URLs when clicked, not just at delivery. Delivery-time scanning catches many threats but cannot anticipate URLs that are benign at scan time and malicious at click time, or vice versa.

Monitoring for pages.dev, sites.google.com, glitch.me, and similar high-reputation hosting platforms as link destinations in inbound email. These platforms are legitimate, and most links to them are benign, but they are also the preferred hosting infrastructure for short-lived phishing campaigns precisely because of their reputation.

Reviewing newsletter subscriptions for unfamiliar CTAs requesting personal information entry. Any form collecting name, email, phone, and location data without a clear, verifiable business purpose warrants scrutiny regardless of the sending brand.
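The per-link triage described above (evaluating each destination on its own rather than trusting the sender, and treating tenant subdomains of pages.dev, sites.google.com and glitch.me as a separate reputation question from the apex), as an added example that is not IRONSCALES code. The newsletter body below is a constructed stand-in; only the first-looks.pages.dev URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Free static-hosting apexes named in the post: strong aggregate reputation, but
# any account can register a subdomain beneath them.
FREE_HOSTING_APEXES = ("pages.dev", "sites.google.com", "glitch.me")

# Constructed stand-in for the newsletter body: clean links plus the one
# pages.dev URL from the post, carried by an anchor with no visible text.
SAMPLE_HTML = """
<p>On stage: <a href="https://www.telecharge.com/Broadway/Show-A">Show A</a>,
<a href="https://www.telecharge.com/Broadway/Show-B">Show B</a>.
Watch <a href="https://www.youtube.com/watch?v=example">the trailer</a>, read
<a href="https://variety.com/example">Variety</a> and <a href="https://www.gq.com/example">GQ</a>.</p>
<a href="https://first-looks.pages.dev/huzzah?AID=EML004000013"><img src="px.gif" width="1" height="1"></a>
"""

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = len(self.links) - 1
    def handle_data(self, data):
        if self._open is not None:
            self.links[self._open][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def free_hosting_apex(host):
    """Return the free-hosting apex that host sits under, or None."""
    host = (host or "").lower().rstrip(".")
    return next((a for a in FREE_HOSTING_APEXES
                 if host == a or host.endswith("." + a)), None)

def triage_links(html_body):
    """Assess each link alone: a domain-level check sees only the apex; the
    tenant subdomain and the invisible anchor are what single this URL out."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        apex = free_hosting_apex(host)
        if apex:
            findings.append({"url": href, "apex": apex,
                             "tenant": host[: -len(apex) - 1],
                             "hidden_anchor": not text.strip()})
    return parser.links, findings
```

Run against a real message body, the returned `findings` list is empty for the sender-clean newsletters this post contrasts with and carries exactly one entry for the case described here.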

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Malicious URL | first-looks[.]pages[.]dev/huzzah?AID=EML004000013 | Cloudflare Pages PII harvester; element_id 608412692 |
| Hosting Platform | pages[.]dev | Cloudflare Pages free hosting; subdomain "first-looks" |
| Sending Domain | reply[.]telecharge[.]com | Legitimate Telecharge newsletter subdomain; not attacker-controlled |
| Relay IP | 141[.]193[.]209[.]79 | dv9-79.n-email.net (legitimate newsletter relay) |
| Delivery Path | Newsletter service to Google MX | Fully authenticated relay chain; attack in link payload only |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Link | T1566.002 | Malicious Cloudflare Pages link embedded in authenticated newsletter |
| Acquire Infrastructure: Web Services | T1583.006 | Cloudflare Pages used as free PII harvesting host |
| Phishing for Information | T1598.003 | Form collecting name, email, zip, phone for PII exfiltration without credential entry |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
