
Steal Smarter, Not Harder: Malicious use of Vercel for Credential Phishing

Threat actors are increasingly leveraging Vercel's GenAI capabilities, specifically v0.dev, to rapidly generate and host highly convincing credential phishing pages. By combining AI-generated frontends with Telegram Bot API integrations for real-time credential exfiltration, attackers can deploy resilient, low-effort phishing infrastructure on legitimate cloud services that evades traditional detection mechanisms.

Confidence: high · Analyzed: 2026-05-06 · Google

Authors: Micah DeHarty

Actors: Fake Job Posting Campaigns, Microsoft Landing Page Spoofing, Spotify Spoofing

Source: Cofense

IOCs · 2
  • domain: v0[.]dev
    Vercel's GenAI tool, abused by attackers to generate phishing templates via text prompts.
  • domain: vercel[.]app
    Legitimate Vercel hosting domain, frequently abused by threat actors to host GenAI-generated phishing pages.

Detection / Hunter: Google

What Happened

Cybercriminals are using a legitimate web development tool called Vercel, which features Artificial Intelligence, to quickly build fake login websites. These fake sites look exactly like real ones from brands such as Microsoft, Adidas, and Spotify, and are used to steal usernames and passwords. This matters because the AI makes the fake sites look so perfect that traditional advice like "look for spelling mistakes" no longer works. Organizations should train employees to look for other signs of phishing, verify website addresses carefully, and report any suspicious links.

Key Takeaways

  • Threat actors are abusing Vercel's GenAI tool, v0.dev, to rapidly generate highly realistic phishing pages via simple text prompts.
  • Vercel's cloud hosting allows attackers to easily deploy and redeploy phishing sites, bypassing traditional infrastructure setup and evading domain reputation blocks.
  • Attackers are integrating the Telegram Bot API with Vercel-hosted pages to exfiltrate stolen credentials in real-time.
  • Commonly spoofed brands include Microsoft, Spotify, and various apparel/luxury brands (Nike, Adidas) using fake job interview lures.
  • The use of GenAI eliminates traditional phishing indicators like poor grammar and spelling, making visual identification by end-users much more difficult.

Affected Systems

  • Web Browsers
  • Email Clients
  • End Users

Attack Chain

Attackers use Vercel's v0.dev GenAI tool to generate realistic phishing pages spoofing well-known brands via simple text prompts. The generated pages are hosted on Vercel's cloud infrastructure, providing resilience against takedowns. Lures are distributed via email, often masquerading as job interviews or standard login requests. When victims enter their credentials, integrated Telegram bots exfiltrate the stolen data directly to the attackers in real-time.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: None — This is a web-based phishing attack; EDR on the endpoint will not see the server-side generation or network traffic unless intercepting browser telemetry.
  • Network Visibility: Medium — Network sensors can see traffic to vercel.app, but because it is a legitimate service, distinguishing malicious from benign traffic requires SSL inspection and deep URL/content analysis.
  • Detection Difficulty: Hard — Vercel is a legitimate, widely used service, and the AI-generated pages lack traditional phishing kit artifacts, making signature-based detection ineffective.

Required Log Sources

  • Web Proxy Logs
  • DNS Logs
  • Email Gateway Logs

Hunting Hypotheses

  • Hypothesis: Look for unusual spikes in email traffic containing links to vercel.app subdomains, especially from external senders.
    Telemetry: Email Gateway Logs · ATT&CK Stage: Initial Access · FP Risk: High
  • Hypothesis: Monitor for web traffic to vercel.app immediately following clicks on links in emails with subject lines related to job interviews or urgent logins.
    Telemetry: Web Proxy Logs, Email Gateway Logs · ATT&CK Stage: Execution · FP Risk: Medium
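The two hypotheses above worked as a hunting script, added here as an example and not part of the Cofense article: it flags emails from external senders that carry a vercel.app link together with a job or login lure in the subject, then checks the proxy log for the recipient browsing to that same host within a short window. The log formats, field separators, internal domain (corp.test) and all log lines are constructed assumptions; adapt the parsers to your gateway and proxy exports.

```python
import re
from datetime import datetime, timedelta

# Constructed sample email gateway log lines (not from the article):
# timestamp | sender | recipient | subject | extracted URL
EMAIL_LOG = """\
2026-05-06T09:01:10 | hr@careers-example.test | alice@corp.test | Interview invitation for Marketing role | https://interview-scheduler-xyz.vercel.app/apply
2026-05-06T09:05:42 | bob@corp.test | alice@corp.test | Lunch? | https://intranet.corp.test/menu
2026-05-06T09:07:03 | it-support@mail-example.test | carol@corp.test | Urgent: verify your Microsoft login | https://ms-secure-login-123.vercel.app/
2026-05-06T10:15:00 | newsletter@vendor-example.test | dave@corp.test | Product update | https://docs-site.vercel.app/changelog
"""

# Constructed sample web proxy log lines: timestamp | user | destination host
PROXY_LOG = """\
2026-05-06T09:02:31 | alice | interview-scheduler-xyz.vercel.app
2026-05-06T09:08:15 | carol | ms-secure-login-123.vercel.app
2026-05-06T12:30:00 | dave | docs-site.vercel.app
"""

INTERNAL_DOMAIN = "corp.test"   # assumed internal mail domain; external senders are everyone else
LURE_WORDS = re.compile(r"\b(interview|job|offer|hr|login|sign[- ]?in|verify|password|urgent)\b", re.I)
VERCEL_HOST = re.compile(r"https?://([a-z0-9.-]*\.vercel\.app)", re.I)

def parse(text):
    return [[f.strip() for f in line.split("|")] for line in text.strip().splitlines()]

def hunt(email_log=EMAIL_LOG, proxy_log=PROXY_LOG, window_minutes=30):
    """Return emails matching hypothesis 1 (external sender + vercel.app link + lure
    subject) and, per hypothesis 2, whether the recipient then browsed to that host."""
    proxy = parse(proxy_log)
    hits = []
    for ts, sender, rcpt, subject, url in parse(email_log):
        m = VERCEL_HOST.match(url)
        if not m or sender.endswith("@" + INTERNAL_DOMAIN) or not LURE_WORDS.search(subject):
            continue
        host = m.group(1).lower()
        sent = datetime.fromisoformat(ts)
        user = rcpt.split("@")[0]
        clicked = any(
            pu == user and ph.lower() == host
            and sent <= datetime.fromisoformat(pts) <= sent + timedelta(minutes=window_minutes)
            for pts, pu, ph in proxy)
        hits.append({"recipient": rcpt, "host": host, "subject": subject, "clicked": clicked})
    return hits

if __name__ == "__main__":
    for h in hunt():
        print(h)
```

Emails with a vercel.app link but no lure keyword (the "Product update" line) are left out on purpose, which is what keeps this hypothesis at medium rather than high false-positive risk; widen LURE_WORDS if your environment warrants it.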

Control Gaps

  • Email filters relying on poor grammar or spelling
  • Domain reputation blocks (since vercel.app is a legitimate domain)

Key Behavioral Indicators

  • Emails containing vercel.app links combined with HR/Job or Login lures
  • Telegram API calls originating from Vercel-hosted web applications

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Block known malicious vercel.app subdomains identified in phishing campaigns.
  • Report identified malicious Vercel sites directly to Vercel for takedown.

Infrastructure Hardening

  • Implement strict email filtering rules for vercel.app links originating from unknown or external senders.
  • Use web isolation or advanced URL rewriting for cloud-hosted app domains.

User Protection

  • Deploy phishing-resistant MFA (e.g., FIDO2 keys) to neutralize credential harvesting.

Security Awareness

  • Update phishing awareness training to emphasize that perfect grammar and branding do not guarantee a site is legitimate.
  • Train users to verify the URL domain, even if the page looks identical to Microsoft, Spotify, or other known brands.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1583.001 - Acquire Infrastructure: Domains
  • T1583.006 - Acquire Infrastructure: Web Services
  • T1056.002 - Input Capture: GUI Input Capture
  • T1102.002 - Web Service: Bidirectional Communication