
A React-based phishing page with credential exfiltration via EmailJS (Fri, Mar 13th)

Severity: Low
Tags: Phishing, web
Published: Fri Mar 13 2026 (03/13/2026, 07:20:58 UTC)
Source: SANS ISC Handlers Diary

Description

On Wednesday, a phishing message made its way into our handler inbox that contained a fairly typical low-quality lure, but turned out to be quite interesting in the end nonetheless. That is because the accompanying credential stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.

AI-Powered Analysis

Last updated: 03/13/2026, 07:29:12 UTC

Technical Analysis

This phishing campaign employs a React-based single-page application (SPA) hosted on a Cloudflare Workers domain to impersonate a Dropbox Transfer file sharing portal. The initial phishing email pretends to notify recipients about files shared via WeTransfer, embedding the victim's email address in the URL query string. The phishing page's HTML is minimal, with the interface dynamically rendered by a bundled JavaScript file (main.90eaa1b0.js) containing the React runtime and application logic. This SPA approach is uncommon in phishing kits, which typically use static HTML, making analysis and detection more challenging.

Upon user interaction, the page prompts for email and password credentials. Instead of sending stolen data to attacker-controlled infrastructure, the credentials are exfiltrated through EmailJS, a legitimate email service API that allows client-side JavaScript to send emails. The phishing code uses an EmailJS service ID, template ID, and public API key to send the harvested credentials directly via email, bypassing traditional network detection methods. Additionally, the phishing script queries the Geoapify IP geolocation API to gather victim geographic metadata, which is sent along with the credentials to the attackers. After credential submission, victims are redirected to the legitimate Dropbox website to reduce suspicion.

The campaign uses a Cloudflare Workers domain, a platform increasingly abused for short-lived malicious infrastructure due to its ease of deployment and legitimacy. The lure quality is low, with suspicious elements such as the sender's own email address and Cyrillic-encoded URL parameters, possibly indicating Russian-speaking threat actors. Overall, the campaign demonstrates a technically innovative phishing approach by combining modern web development frameworks with legitimate third-party services to evade detection and exfiltrate credentials.

Potential Impact

Organizations worldwide face risks from credential theft leading to unauthorized access to corporate and personal accounts, potentially resulting in data breaches, financial fraud, and lateral movement within networks. The use of React-based SPAs complicates detection by security tools relying on static HTML analysis, increasing the likelihood of successful phishing. Exfiltration via EmailJS, a legitimate service, can bypass network-based detection and blocking, allowing attackers to receive stolen credentials without exposing malicious infrastructure. The collection of geographic metadata enables attackers to tailor follow-up attacks or prioritize high-value targets. Although the lure quality is low, less vigilant users may still fall victim, especially in environments with limited phishing awareness training. The redirection to legitimate Dropbox after credential submission reduces suspicion and may delay incident response. This threat can impact sectors heavily reliant on cloud file sharing and collaboration tools, including finance, legal, healthcare, and technology industries. The campaign's use of short-lived Cloudflare Workers domains also complicates takedown efforts, prolonging exposure.

Mitigation Recommendations

Deploy advanced phishing detection solutions that analyze dynamic JavaScript execution and client-side rendered content rather than relying solely on static HTML signatures.

Implement email security gateways with heuristics and machine learning models capable of detecting suspicious use of legitimate third-party services like EmailJS for data exfiltration.

Enforce multi-factor authentication (MFA) on all accounts, especially those accessing cloud file sharing platforms, to mitigate the impact of credential theft.

Conduct regular phishing awareness training emphasizing the identification of suspicious URLs, unusual sender addresses, and unexpected file sharing notifications.

Monitor DNS and network traffic for anomalous requests to Cloudflare Workers domains and unusual API calls to services like EmailJS and Geoapify.

Utilize endpoint detection and response (EDR) tools to detect suspicious browser behaviors, such as unexpected JavaScript execution or network requests to uncommon services.

Establish rapid incident response procedures to investigate and contain phishing incidents, including domain takedown requests and blocking of identified malicious infrastructure.

Consider deploying browser isolation or script-blocking technologies to limit execution of untrusted JavaScript in email links or web pages.
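As an added example (not code from the ISC diary or from this page's analysis), the following Python check implements the monitoring recommendation above against constructed proxy log lines: it flags a client whose POST to the EmailJS send API was referred from a page on a Cloudflare Workers host, and records whether the Geoapify IP lookup and the Dropbox redirect from the same page were also seen. The API hostnames, the log format and the sample hostnames are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed API hosts for the services named in the analysis (assumption, not from the diary).
EMAILJS_HOST = "api.emailjs.com"
GEOAPIFY_HOST = "api.geoapify.com"
WORKERS_SUFFIX = ".workers.dev"

# Constructed proxy log lines: "client_ip method url referer" ("-" = no referer).
# 10.0.0.5 follows the chain described in the analysis; 10.0.0.9 is a benign
# EmailJS contact form on an ordinary site and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET https://share-files.example.workers.dev/?email=victim%40example.com -
10.0.0.5 GET https://share-files.example.workers.dev/static/js/main.90eaa1b0.js https://share-files.example.workers.dev/
10.0.0.5 GET https://api.geoapify.com/v1/ipinfo?apiKey=KEY https://share-files.example.workers.dev/
10.0.0.5 POST https://api.emailjs.com/api/v1.0/email/send https://share-files.example.workers.dev/
10.0.0.5 GET https://www.dropbox.com/ https://share-files.example.workers.dev/
10.0.0.9 POST https://api.emailjs.com/api/v1.0/email/send https://contact.example.com/
10.0.0.9 GET https://www.dropbox.com/ -
"""


def parse_line(line):
    """Split one log line into (client_ip, method, url, referer_host_or_None)."""
    ip, method, url, referer = line.split()
    ref_host = urlparse(referer).hostname if referer != "-" else None
    return ip, method, url, ref_host


def find_emailjs_from_workers(log_text):
    """Return {client_ip: [indicators]} for clients whose EmailJS send call
    was referred from a *.workers.dev page; other indicators from that
    page (Geoapify lookup, Dropbox redirect) are listed in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ip, method, url, ref_host = parse_line(line)
        host = urlparse(url).hostname
        # Only requests made from a Workers-hosted page are of interest here.
        if ref_host is None or not ref_host.endswith(WORKERS_SUFFIX):
            continue
        if host == EMAILJS_HOST and method == "POST":
            findings[ip].append("emailjs_send_from_workers_page")
        elif host == GEOAPIFY_HOST:
            findings[ip].append("geoapify_ipinfo_from_workers_page")
        elif host and host.endswith("dropbox.com"):
            findings[ip].append("redirect_to_dropbox_from_workers_page")
    # Report only clients where the exfiltration call itself was observed.
    return {ip: inds for ip, inds in findings.items()
            if "emailjs_send_from_workers_page" in inds}
```

In a real deployment the referer-based pairing would be done per session rather than per client IP, and the Workers suffix would be joined by any other short-lived hosting domains the organization tracks.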


Technical Details

Article Source
https://isc.sans.edu/diary/rss/32794 (fetched 2026-03-13T07:28:58Z, 1118 words)

Threat ID: 69b3bcba2f860ef943a6b841

Added to database: 3/13/2026, 7:28:58 AM

Last enriched: 3/13/2026, 7:29:12 AM

Last updated: 3/14/2026, 1:16:07 AM

