We are trying to shut down a phishing threat actor that is operating out of Russia and abusing the Cloudflare Turnstile service. They use it to check if the click to their website is coming from a human, or in fact security software checking the link. If it determines you are security software, then it redirects you to If you are a human, you get a well-crafted fake Office 365 login page to harvest your credentials.

Unfortunately, we can’t report via the Cloudflare website’s abuse form, as we need to input the Turnstile URL as part of the evidence, and I quote from the error generated: "Filing an abuse report regarding Cloudflare as a domain is disallowed as it would not be associated with allegedly abusive activity."

Does anyone have advice on how to get hold of a security contact at Cloudflare, so we can try to resolve this?

The site you want to reference is

And, since the bad actor is spoofing a Microsoft page, you may want to report that to Microsoft as well.

