This campaign leverages the FlowerStorm phishing kit to target Microsoft credentials by hosting fake authentication pages on compromised domains that use Cloudflare's CDN services. The attackers exploit legitimate cloud infrastructure to evade detection and deliver phishing content. Credential harvesting occurs on attacker-controlled servers, with incidental contact to genuine Microsoft services due to normal browser behavior. The campaign is identified by several malicious domains under the continuousperformance.de domain. It is categorized as a phishing campaign (T1566) with related techniques including credential harvesting and use of cloud services for delivery.

Successful phishing attempts can lead to the compromise of Microsoft user credentials, potentially exposing victims' personal information and access to Microsoft services. The use of legitimate Cloudflare infrastructure may increase the likelihood of victim trust and reduce detection by security controls. However, this campaign does not exploit software vulnerabilities but relies on social engineering to harvest credentials.

No official patch or fix is applicable as this is a phishing campaign. Defenders should block and monitor the identified malicious domains associated with this campaign. User education on recognizing phishing attempts and verifying URLs before entering credentials is recommended. Security teams should ensure multi-factor authentication (MFA) is enabled on Microsoft accounts to reduce the impact of credential compromise. Since the campaign abuses Cloudflare services, monitoring for suspicious use of legitimate CDN services is advised.