
Attackers use Vercel's AI tool to build convincing phishing pages


Low-skilled threat actors are generating fake corporate login pages using a generative AI platform that does the design, hosting, and infrastructure work automatically.

 

What happened

Researchers have identified a surge in phishing campaigns using v0.dev, a generative AI web development tool provided by Vercel, to build convincing fake login pages impersonating well-known brands. According to Infosecurity Magazine, attackers are using the tool to generate fully functional credential-harvesting pages from simple text prompts, with Vercel providing both the AI generation capability and the hosting infrastructure. Researchers observed campaigns impersonating Microsoft, Spotify, and job listings from major brands. The platform's pro tier costs as little as $20 per month and includes the ability to quickly recreate sites after takedown, making it a low-cost, easily refreshed phishing operation. Researchers noted that the same capabilities previously requiring a purchased dark web phishing kit are now accessible through a single interface requiring only natural language input.

 

Going deeper

Vercel's v0 tool generates pages that researchers described as "virtually flawless" in their impersonation of legitimate login portals. For attackers, the platform eliminates several steps that previously required technical skill: building the phishing page, acquiring hosting infrastructure, and maintaining the site after takedown. Because Vercel is a recognized and widely trusted developer platform, links hosted on its infrastructure carry a degree of implicit legitimacy that generic attacker-controlled domains do not. Researchers found campaigns impersonating Microsoft login pages, Spotify account portals, and fake job postings for brands including Adidas, Ferrari, Louis Vuitton, and Nike. Vercel also integrates with services including Telegram, AWS, Stripe, and xAI, giving operators additional options for credential collection and automation. Researchers noted that while Vercel abuse has grown significantly, other generative AI platforms, including DeepSite and BlackBox, are being used for similar purposes, though without the same level of branding accuracy, integrated hosting, and tool connectivity.

 

What was said

Researchers stated in their analysis cited by Infosecurity Magazine that "this AI tool is the driving force behind the malicious sign-in pages created by attackers. With just a few text prompts, v0.dev can create a fully functioning malicious site that completely resembles real-life brands." Researchers also noted that "Vercel's Gen AI combines all of the components of a phishing kit purchased on the dark web into a simple interface requiring just a few natural language text prompts, which can be done by just one minimally skilled threat actor."

 

In the know

The abuse of Vercel's platform for phishing predates this wave of campaigns. According to The Hacker News, Okta's threat intelligence team documented attackers using v0.dev in July 2025 to generate fake sign-in pages impersonating multiple brands, including an unnamed Okta customer, with Vercel blocking access to the identified sites following responsible disclosure. The current campaigns documented by researchers represent a continuation and expansion of that activity rather than a new phenomenon. Vercel itself was also the subject of a separate security breach in April 2026 in which attackers gained unauthorized access to internal systems through a compromised third-party AI tool, as reported by BleepingComputer.

 

The big picture

The democratization of phishing page creation through generative AI removes the last meaningful technical barrier to running a convincing credential theft campaign. A healthcare employee who encounters a pixel-perfect Microsoft 365 login page hosted on a recognized developer platform has no visual signal that distinguishes it from a legitimate page. KnowBe4's April 2026 phishing trends report found that 86% of phishing campaigns now involve AI in some form, and Microsoft's Q1 2026 email threat data found AI-generated lures are 4.5 times more effective than manually crafted ones. Tools like v0.dev accelerate that trend by making professional-grade phishing page creation available to anyone willing to spend $20 per month, with no coding knowledge required.

 

FAQs

What makes AI-generated phishing pages harder to detect than traditional ones?

Traditional phishing pages often contain visual inconsistencies, broken layouts, or obvious design differences from the legitimate brand. AI-generated pages are built to specification from the legitimate brand's visual identity, producing results that are indistinguishable on screen from the real login portal.

 

Why does Vercel's hosting make phishing campaigns more resilient?

When a phishing page is taken down, an attacker using their own infrastructure must rebuild and re-host from scratch. On Vercel, a new page can be generated and deployed within minutes using the same prompts, with a new URL. The low cost and fast rebuild cycle make takedown a far less effective deterrent than it would be against a traditional phishing operation.

 

How does generative AI change who can run a phishing campaign?

Previously, a convincing phishing operation required either technical skills to build the page or money to buy a pre-built kit on the dark web. Generative AI tools with natural language interfaces require neither. Anyone who can describe what they want in text can produce a functional phishing page, expanding the pool of potential attackers significantly.

 

What signs can help identify a phishing page built with AI tools?

The page itself may offer no visual tells. Indicators to check include the URL domain, which will not match the legitimate organization, and the email delivering the link, where the sender domain often contains inconsistencies. Hovering over links before clicking and verifying any login request through a known-good URL rather than an email link remains the most reliable detection behavior.

 

Should organizations block Vercel domains at the network level?

Blocking Vercel domains entirely would disrupt legitimate developer and business workflows that depend on the platform. A more targeted approach involves configuring email security tools to flag messages containing Vercel-hosted links for additional review, and training staff to treat any unexpected login request arriving via email as requiring independent verification, regardless of how legitimate the destination page appears.
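One way to implement the link-flagging step described above, as an added example that is not from the original article or from any email security product. It assumes `vercel.app` as the hosting suffix to flag; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: suffixes treated as shared developer hosting. vercel.app is
# Vercel's deployment domain; extend the tuple to match local policy.
FLAGGED_SUFFIXES = ("vercel.app",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message (not taken from a real campaign).
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@mail-notify.example>
Subject: Action required: confirm your account
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Sign in at https://portal-login-check.vercel.app/signin to keep access.
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://portal-login-check.vercel.app/signin">Sign in</a>
<a href="https://notvercel.app.example/x">help</a>
--b1--
"""

def host_matches(host, suffixes=FLAGGED_SUFFIXES):
    """True if host is a flagged suffix or a subdomain of one (label-aligned)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def review_message(raw):
    """Return the sender domain and any links that warrant additional review."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname or ""
            if host_matches(host) and url not in flagged:
                flagged.append(url)
    return {"sender_domain": sender, "flagged_links": flagged,
            "needs_review": bool(flagged)}
```

The suffix check is aligned to domain labels, so lookalike hosts such as `notvercel.app.example` are not flagged by mistake, and a flagged message is routed for review rather than blocked.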
