Threat Actors Leverage Vercel’s AI Tools to Mass‑Produce Realistic Phishing Sites

HomeCyber Security News Threat Actors Leverage Vercel’s AI Tools to Mass‑Produce Realistic Phishing Sites By Tushar Subhra Dutta May 12, 2026 A new and growing wave of phishing attacks is making credential theft easier than ever before. Threat actors are now using Vercel, a legitimate AI-powered web development platform, to build convincing fake login pages that closely mirror real websites. The ease and low cost of this approach has opened the door for a broader range of attackers to carry out highly effective phishing campaigns. Vercel offers a GenAI tool called v0.dev that generates fully functional web pages from simple text prompts. An attacker can type something as basic as “create a Microsoft sign-in page with official logos and colors,” and the tool will produce a working replica within seconds. This means someone with little technical background can now launch a phishing campaign that looks nearly identical to a real corporate login page. Researchers at Cofense, a cybersecurity firm specializing in phishing defense, tracked a sharp rise in Vercel-based phishing campaigns since 2022. Analysts noted the platform has been used across attacks of varying skill levels and complexity. The data shows that Vercel abuse continued climbing well into 2025 and shows no signs of slowing down. What makes this threat particularly dangerous is how effortlessly it replaces traditional phishing infrastructure. In the past, threat actors had to set up their own hosting servers, buy phishing kits from dark web marketplaces, and manage technical back-end systems. Vercel eliminates all of that by handling hosting, deployment, and page generation in one place. The implications extend beyond individual users. Organizations of all sizes are at risk because attackers are spoofing brands that employees interact with daily, including Microsoft, Spotify, and popular job platforms. Vercel Enables Mass Phishing Vercel’s GenAI tool introduces a dangerous level of automation for phishing. With each prompt submitted, the AI produces a slightly different output, meaning threat actors can continuously generate new page versions without writing new prompts every time. If a site gets taken down, they simply generate a fresh one. The platform also integrates with Telegram through its Bot API, which allows attackers to receive real-time alerts whenever a victim submits credentials. The Telegram bot monitors the Vercel-hosted page and sends stolen login details directly to the attacker’s account. This combination turns what used to require multiple tools and technical expertise into a near fully automated operation. Cofense analysts documented specific campaigns where attackers posed as hiring managers for brands including Adidas, Nike, Ferrari, and Louis Vuitton. These phishing emails mimicked job offers and interview invitations, leading victims to fake career pages and then to fraudulent Facebook or Google login portals. All of these pages were built using Vercel’s GenAI product. Fake Adidas Careers page created using Vercel from ATR 403225 (Source – Cofense) In one documented case, attackers created a Spotify login page so convincing it replicated the exact logos, color scheme, and layout of the real site. Example of a Spotify spoofing web page created using Vercel (Source – Cofense) Once victims submitted their credentials, the page forwarded the stolen information to the attacker and redirected users to a second page requesting credit card details. Protecting Against AI-Generated Phishing Security awareness training must evolve alongside this threat. Because AI tools like v0.dev rarely produce the typos and formatting errors users have traditionally been taught to watch for, old advice about spotting “obvious mistakes” in phishing emails no longer holds up. Users and organizations should now focus on verifying the actual URL in the browser bar before entering any login credentials. Even a pixel-perfect replica of a legitimate website cannot change the web address it operates from. Checking for subtle variations in domain names remains one of the most reliable ways to catch a fake site. Organizations can also report malicious Vercel-hosted sites directly to Vercel for takedowns. Security teams should monitor for vercel.app subdomains in inbound email links, as this is a common indicator of a hosted phishing page. Staying current with updated threat intelligence and keeping staff trained on emerging attack patterns is now essential. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data Ransomware and Data Extortion Groups Intensify Targeting of Aviation and Aerospace Sector Zoom Rooms and Workplace Vulnerabilities Allow Attackers to Escalate Privileges Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks 28 Fake Call History Apps on Google Play with 7.3M+ Downloads Trick Users to Steal Payments Latest News Cyber Security News New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials Cyber Security News SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA Cyber Security News Hackers Hijack Microsoft Teams Accounts to Deliver ModeloRAT Cyber Security News North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform Malware AI Critical “Cline” AI Agent Vulnerability Enables RCE Attacks