Precautions when applying whitelisting to cloudfront.net

Amazon CloudFront is a Content Delivery Network (CDN) service legitimately used by thousands of companies to deliver web content quickly and at scale. It operates under the main domain cloudfront.net, using unique subdomains such as d123abc456def.cloudfront.net for each distribution.

However, CloudFront is also frequently used by malicious actors to host and distribute:

  • Malware

  • Phishing campaigns

  • Post-exploitation tool payloads such as Cobalt Strike

This is possible due to how easily an attacker can configure their own CloudFront distribution to hide malicious infrastructure behind a legitimate domain.

Do not whitelist *.cloudfront.net

Including an exception like *.cloudfront.net in an RPZ policy is extremely risky. This type of rule will allow access to all subdomains of CloudFront, including those actively used in ongoing malware campaigns.

This is equivalent to completely disabling RPZ protection against one of the most common delivery vectors used by modern threats.

Real-world malware detection cases in CloudFront

Listed below are cloudfront.net subdomains used in recent malicious campaigns. Each entry includes a direct link to its VirusTotal analysis, so the reader can verify the evidence themselves.

==========  =============================  ======================
Date        Subdomain                      Evidence in VirusTotal
==========  =============================  ======================
2025-02-12  d2j09jsarr75l2.cloudfront.net  SocGholish (TA569)
2025-06-19  dxzdq7un7c7hs.cloudfront.net   ThreatFox C2
2025-06-19  d3hg0xriyu9bjh.cloudfront.net  ThreatFox C2
2025-06-27  dyydej4wei7fq.cloudfront.net   APT OneClik Campaign
2025-06-27  dzxwmpi8xepml.cloudfront.net   APT OneClik Campaign
2025-07-13  d2kb7e4l5uwdes.cloudfront.net  Cobalt Strike
2025-07-13  d3ayy3ulepm5xz.cloudfront.net  Cobalt Strike
2025-07-13  dm2sy2pi4jasa.cloudfront.net   Cobalt Strike
2025-07-13  d11vxzkgntd3fu.cloudfront.net  Cobalt Strike
2025-07-15  d3ser9acyt7cdp.cloudfront.net  CrypticSilverFish
==========  =============================  ======================

Operational recommendations

  1. Do not apply whitelisting rules to ``*.cloudfront.net``. Only allow specific subdomains after manual or reputation-based verification.

  2. Correlate subdomains with intelligence sources, such as VirusTotal, ThreatFox, or internal threat feeds.

  3. Monitor DNS resolution logs for new subdomains under cloudfront.net, so that they can be analysed and, where warranted, added to the RPZ.

  4. Educate the security team about the risks of applying generic exceptions to domains of major providers such as Amazon, Google, Microsoft, etc.
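The following Python script is an added example, not part of the original page, that puts recommendations 1 to 3 into practice: it triages cloudfront.net names seen in BIND query logs against the block list from the table above and a hand-verified allowlist, then emits exact-name RPZ records instead of a wildcard exception. The allowlist entry reuses the page's illustrative distribution name as a stand-in for a verified one, the log lines are constructed, and the RPZ zone header (SOA/NS) is assumed to exist already.

```python
import re

# Subdomains from the detection table above, used here as the RPZ block list.
KNOWN_BAD = {
    "d2j09jsarr75l2.cloudfront.net", "dxzdq7un7c7hs.cloudfront.net",
    "d3hg0xriyu9bjh.cloudfront.net", "dyydej4wei7fq.cloudfront.net",
    "dzxwmpi8xepml.cloudfront.net", "d2kb7e4l5uwdes.cloudfront.net",
    "d3ayy3ulepm5xz.cloudfront.net", "dm2sy2pi4jasa.cloudfront.net",
    "d11vxzkgntd3fu.cloudfront.net", "d3ser9acyt7cdp.cloudfront.net",
}
# Assumption: the page's illustrative distribution name stands in for one that an
# analyst has verified by hand or against reputation data. Exact names only, never wildcards.
VERIFIED = {"d123abc456def.cloudfront.net"}

# Matches BIND 9 query-log lines, with or without the "@0x..." client handle.
LOG_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.:a-f]+)#\d+ \((?P<name>[^)]+)\): query: ")

# Constructed sample log lines (client addresses and the "dnewdist..." name are made up).
SAMPLE_LOG = [
    "client @0x7f3c 10.0.0.5#51234 (d2j09jsarr75l2.cloudfront.net): query: d2j09jsarr75l2.cloudfront.net IN A +E(0)K (10.0.0.1)",
    "client @0x7f3c 10.0.0.7#40211 (D123ABC456DEF.cloudfront.net.): query: D123ABC456DEF.cloudfront.net. IN A + (10.0.0.1)",
    "client @0x7f3c 10.0.0.9#33005 (dnewdist9q7k2.cloudfront.net): query: dnewdist9q7k2.cloudfront.net IN AAAA + (10.0.0.1)",
    "client 10.0.0.9#33006 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
]

def classify(qname):
    """Verdict for one queried name: block, allow, review, or ignore (not a CloudFront name)."""
    name = qname.rstrip(".").lower()
    if name == "cloudfront.net" or not name.endswith(".cloudfront.net"):
        return "ignore"
    if name in KNOWN_BAD:
        return "block"
    if name in VERIFIED:
        return "allow"
    return "review"  # unknown distribution: analyse before granting any exception

def triage(lines):
    """Map each cloudfront.net name seen in the log to its verdict (one entry per name)."""
    names = (m.group("name") for m in map(LOG_RE.search, lines) if m)
    return {n.rstrip(".").lower(): classify(n) for n in names if classify(n) != "ignore"}

def rpz_records(verdicts):
    """BIND RPZ records: exact-name passthru for verified names, NXDOMAIN (CNAME .) for
    known-bad ones, and never a wildcard *.cloudfront.net passthru."""
    actions = {"allow": "rpz-passthru.", "block": "."}
    return [f"{n} CNAME {actions[v]}" for n, v in sorted(verdicts.items()) if v in actions]
```

Names that come back as "review" are the new distributions recommendation 3 asks you to analyse; only after that analysis should one of them move to VERIFIED or KNOWN_BAD.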

Warning

A single poorly applied exception (such as *.cloudfront.net) can completely undermine the effectiveness of an RPZ system, allowing malicious campaigns to operate under seemingly legitimate domains.