Flask phishing kit: Targeted credential theft using open-source technology

Threat actors are using Flask, a popular open-source Python web framework, to build evasive phishing kits that sidestep traditional defenses and abuse trusted platforms.

What happened

Cybercriminals have adapted Flask, an open-source Python web framework, to create a versatile phishing kit capable of credential theft at scale. Instead of relying on zero-days or expensive infrastructure, attackers built a multi-stage phishing process using freely available tools. The campaign impersonated DocuSign notifications, directed users through verification code challenges, and then presented customized login pages hosted on reputable cloud platforms.

Credentials entered by victims were exfiltrated over SMTP from a compromised business email account, so the outbound messages looked like ordinary mail from a legitimate sender and were less likely to be flagged.

Going deeper

The phishing flow began with an email lure whose “Review Document” button led to a verification code screen. That gate served two purposes: it built trust with the victim, and it kept automated scanners, which never complete the challenge, from reaching the final page. Behind it sat a fake webmail login portal that branded itself with the target’s logo and email address, pulled in real time from the Kickfire API.

Once credentials were entered, they were transmitted to attackers through a compromised organization’s email account. The victim was then redirected to a decoy success page to maintain the illusion of authenticity.
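
Because the exfiltration ran through a compromised business mailbox, the organization that owns that mailbox also owns the outbound mail logs, and that is where the channel shows up: an internal account suddenly sending a burst of short, near-identical messages to an external address it has never written to before. The following Python is an added example, not code from the article or from the kit. The log format, the internal domain, the addresses and the thresholds are all assumptions constructed for illustration; a real deployment would build the known-contact baseline from historical logs and adapt the regex to the gateway in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL_DOMAIN = "victimcorp.example"   # assumed: the organisation whose mailbox was compromised

# Assumed simplified gateway log format, one line per delivered message.
LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" size=(?P<size>\d+)$'
)


class Msg(NamedTuple):
    ts: datetime
    sender: str
    rcpt: str
    subject: str
    size: int


def parse(lines: List[str]) -> List[Msg]:
    """Parse log lines, skipping any that do not match the assumed format."""
    msgs = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        msgs.append(Msg(ts, d["sender"].lower(), d["rcpt"].lower(), d["subject"], int(d["size"])))
    return msgs


def find_exfil_channels(
    msgs: List[Msg],
    known_contacts: Dict[str, Set[str]],
    window: timedelta = timedelta(hours=1),
    min_burst: int = 5,
    max_size: int = 2048,
) -> Dict[Tuple[str, str], int]:
    """Map (sender, recipient) to the largest burst of short, same-subject messages
    an internal account sent to an external address it had never written to before.
    Window, burst and size thresholds are illustrative assumptions."""
    by_pair: Dict[Tuple[str, str], List[Msg]] = defaultdict(list)
    for m in msgs:
        sender_dom = m.sender.rsplit("@", 1)[-1]
        rcpt_dom = m.rcpt.rsplit("@", 1)[-1]
        if sender_dom != INTERNAL_DOMAIN or rcpt_dom == INTERNAL_DOMAIN:
            continue                       # only internal -> external traffic matters here
        if m.rcpt in known_contacts.get(m.sender, set()):
            continue                       # an established correspondent is not a drop box
        if m.size <= max_size:             # one stolen credential set is a small message
            by_pair[(m.sender, m.rcpt)].append(m)

    hits: Dict[Tuple[str, str], int] = {}
    for pair, items in by_pair.items():
        items.sort(key=lambda x: x.ts)
        best = 0
        for i, first in enumerate(items):
            run = [x for x in items[i:] if x.ts - first.ts <= window]
            # A kit sends one templated message per victim, so subjects barely vary.
            if len(run) >= min_burst and len({x.subject for x in run}) <= 2:
                best = max(best, len(run))
        if best:
            hits[pair] = best
    return hits


# Constructed sample: one finance mailbox bursting small "New login" messages to an
# outside address, surrounded by ordinary traffic.
SAMPLE_LOG = """\
2024-05-02T09:00:11Z from=<finance@victimcorp.example> to=<ap@partner.example> subject="April invoices" size=18233
2024-05-02T09:14:03Z from=<finance@victimcorp.example> to=<drop@collector.example> subject="New login" size=412
2024-05-02T09:16:40Z from=<finance@victimcorp.example> to=<drop@collector.example> subject="New login" size=398
2024-05-02T09:21:09Z from=<finance@victimcorp.example> to=<drop@collector.example> subject="New login" size=405
2024-05-02T09:27:55Z from=<finance@victimcorp.example> to=<drop@collector.example> subject="New login" size=417
2024-05-02T09:33:12Z from=<finance@victimcorp.example> to=<drop@collector.example> subject="New login" size=401
2024-05-02T09:40:27Z from=<hr@victimcorp.example> to=<all@victimcorp.example> subject="Holiday schedule" size=2210
2024-05-02T09:45:00Z from=<sales@victimcorp.example> to=<lead@prospect.example> subject="Quote" size=903
"""

# Assumed baseline of who each mailbox normally writes to (built from history in practice).
KNOWN_CONTACTS: Dict[str, Set[str]] = {"finance@victimcorp.example": {"ap@partner.example"}}


def run_sample() -> Dict[Tuple[str, str], int]:
    return find_exfil_channels(parse(SAMPLE_LOG.splitlines()), KNOWN_CONTACTS)


if __name__ == "__main__":
    for (sender, rcpt), n in run_sample().items():
        print(f"possible SMTP exfiltration: {sender} -> {rcpt} ({n} messages in one window)")
```

The single outbound quote to a prospect and the invoice to a known partner never become candidates, while the five short messages to the new external address do. The same logic applied to delivery logs on the receiving side would also catch a compromised account of a third party mailing your users, but the signal is strongest where the compromised mailbox lives.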

The phishing kit incorporated multiple evasion layers, including:

  • Verification code challenges and rate limits
  • Dynamic branding through the Kickfire API, so each page carried the target’s own logo and address
  • User-agent filtering to turn away crawlers and security scanners
  • Server-side session checks, so the login page could not be reached by visiting its URL directly

Together these let the campaign outlast URL blocklists (the pages sat on reputable cloud hosts), starve automated analysis tools of the final page, and still look convincingly authentic to the humans who completed the flow.
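
A scanner that fetches the link once, with a crawler user agent and no cookies, sees only the 404 the kit serves to bots, which is why blocklists lag behind kits like this one. A detection-side check has to behave like a browser: probe with a browser user agent, notice the redirect to the gate, complete the gate, and retry with the session cookie. The following Python is an added example and not the kit’s or the article’s code. `FakeKitServer` is a constructed stand-in for the described behaviour so the probe runs offline; its paths, cookie name and bot-marker list are assumptions. Against a live URL you would pass a `fetch` built on `urllib.request` with automatic redirect following turned off, since the 302 to the gate is itself one of the signals.

```python
from typing import Callable, Dict, Set, Tuple

# Constructed user-agent strings for the two probes.
SCANNER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

Response = Tuple[int, Dict[str, str], str]          # status, response headers, body
Fetch = Callable[[str, Dict[str, str]], Response]   # (path, request headers) -> Response

# Substrings the stand-in treats as "not a human browser"; assumed, not the kit's list.
BOT_MARKERS = ("bot", "crawl", "spider", "curl", "python-requests", "urlscan")


class FakeKitServer:
    """Constructed stand-in reproducing the evasion layers the article describes:
    user-agent filtering, a verification gate that mints the session, and a login
    page that refuses visitors who skipped the gate. Paths and markers are
    assumptions; this is not the real kit's code."""

    def __init__(self) -> None:
        self.sessions: Set[str] = set()

    def fetch(self, path: str, headers: Dict[str, str]) -> Response:
        ua = headers.get("User-Agent", "").lower()
        cookie = headers.get("Cookie", "")
        # Layer 1: anything that looks like a crawler gets a bland 404.
        if any(marker in ua for marker in BOT_MARKERS):
            return 404, {}, "Not Found"
        # Layer 2: the verification-code screen is where the session cookie is issued.
        if path == "/verify":
            sid = f"sid{len(self.sessions) + 1}"
            self.sessions.add(sid)
            return 200, {"Set-Cookie": f"session={sid}"}, "Enter the verification code"
        # Layer 3: the login page bounces any visitor without a known session.
        if path == "/login":
            if cookie.split("=", 1)[-1] not in self.sessions:
                return 302, {"Location": "/verify"}, ""
            return 200, {}, "<form method='post'>Sign in to your webmail</form>"
        return 404, {}, "Not Found"


def probe(fetch: Fetch, login_path: str = "/login", gate_path: str = "/verify") -> Dict[str, bool]:
    """Record the cloaking indicators a URL scanner should collect for a link."""
    bot_status, _, bot_body = fetch(login_path, {"User-Agent": SCANNER_UA})
    human_status, human_hdrs, human_body = fetch(login_path, {"User-Agent": BROWSER_UA})
    findings = {
        # A crawler and a browser get different answers for the same URL.
        "ua_cloaking": bot_status != human_status or bot_body != human_body,
        # The deep link is refused until the gate has been visited.
        "session_gated": human_status in (301, 302) and human_hdrs.get("Location") == gate_path,
        "login_form_behind_gate": False,
    }
    if findings["session_gated"]:
        # Replay the gate the way a browser would, then retry the login URL with its cookie.
        _, gate_hdrs, _ = fetch(gate_path, {"User-Agent": BROWSER_UA})
        cookie = gate_hdrs.get("Set-Cookie", "")
        status, _, body = fetch(login_path, {"User-Agent": BROWSER_UA, "Cookie": cookie})
        findings["login_form_behind_gate"] = status == 200 and "<form" in body.lower()
    return findings


def is_cloaked_credential_page(findings: Dict[str, bool]) -> bool:
    """Cloaking alone is weak evidence; cloaking plus a gated login form is the kit's signature."""
    return findings["ua_cloaking"] and findings["login_form_behind_gate"]


if __name__ == "__main__":
    result = probe(FakeKitServer().fetch)
    print(result, "->", "cloaked credential page" if is_cloaked_credential_page(result) else "benign")
```

The stand-in’s gate hands out a session on a plain GET, which is the simplest case; a kit that also checks the submitted code or rate-limits the gate will need the probe to submit a value and to back off between attempts, but the shape of the check is the same.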

 

In the know

Academic research shows that attackers are now using AI to automate the creation and deployment of phishing infrastructure in ways that resemble the Flask kit. As the study explains, generative AI can be prompted to “develop advanced phishing attacks and automate their large-scale deployment,” including cloning targeted websites, “integrating code for stealing credentials,” and registering domains that resemble legitimate ones.

The researchers note that the “initial assessment of the automatically generated phishing kits highlights their rapid generation and deployment process as well as the close resemblance of the resulting pages to the target website,” showing how these AI-assisted efforts produce pages that look and behave like real services.

Like the Flask campaign, AI-assisted phishing kits combine dynamic content, authentic branding, and automation to evade detection and deceive victims, reinforcing how easily modern tools can lower the technical bar for sophisticated credential theft.

 

The big picture

Phishing campaigns built on legitimate frameworks and hosted in the cloud are outpacing traditional defenses. Dynamic branding, verification-code gates, and compromised infrastructure mean that static rules and signature-based tools, which key on a fixed URL, a fixed page, or a known-bad sender, rarely get a stable signal to match.

Paubox recommends protecting against these threats with Inbound Email Security. Powered by generative AI, it analyzes context, such as sender history, tone, and relationship patterns, to detect abnormal communication. Even when attackers mimic trusted services like DocuSign or send emails from compromised accounts, Inbound Security can identify and block the threats before they land in inboxes.

 

FAQs

Why did attackers use Flask for phishing?

Flask’s lightweight architecture, its Jinja2 templating system, and the surrounding Python ecosystem made it easy to build dynamic, per-target branded phishing pages with very little custom code.

How did the phishing kit avoid detection?

It combined verification code challenges, bot filtering, and dynamic branding to block scanners and make the phishing pages appear legitimate to human users.

 

Why was credential exfiltration done via SMTP?

Outbound mail from a compromised business account travels a channel the organization already trusts: sender-reputation filters see a legitimate domain and its usual mail servers, so the exfiltration messages blend into normal traffic instead of standing out as connections to unknown infrastructure.

Why can’t traditional tools block these attacks?

Legacy solutions depend on static blocklists and known-bad patterns, but this kit hosted its pages on legitimate cloud platforms, served different content to scanners than to people, and branded each page dynamically, so there was no fixed URL or page to match against.

How can organizations defend against this type of phishing?

Generative AI-powered tools like Paubox’s Inbound Email Security analyze context and intent, flagging suspicious emails even when they come from compromised accounts or mimic trusted services.
