GhostFrame phishing kit uses hidden iframes to bypass email security
Farah Amod
December 31, 2026
Researchers say the new kit hides credential theft behind benign-looking web pages.
What happened
Security researchers have reported the discovery of a phishing kit called GhostFrame that has been used in large-scale campaigns since at least September 2025. According to Cyber Security News, the kit relies on a simple HTML page that appears harmless while loading the actual phishing content through an invisible iframe hosted on attacker-controlled subdomains. Researchers observed the kit being used in more than one million phishing attempts, targeting users with emails themed around document sharing and password resets.
Going deeper
GhostFrame operates through a two-stage process. Victims receive emails with subjects designed to prompt quick action, such as contract notifications or account alerts. Clicking the link opens a clean-looking webpage that contains no obvious malicious elements. The phishing form is delivered through an iframe that pulls content from a unique subdomain created for each target, which leaves security tools with few reusable indicators to match on. The kit includes features that block browser inspection, disable right-click menus, and interfere with keyboard shortcuts. Researchers also noted that the phishing form is embedded in an image streaming function, allowing it to avoid scanners that look for traditional login fields. Backup iframes are used when scripts are blocked, and content can be swapped without changing the main page.
What was said
Researchers say GhostFrame reflects a shift toward minimal-surface phishing pages that defer malicious behavior to external components. They warned that the use of rotating subdomains and concealed forms reduces the effectiveness of signature-based detection. The researchers advised organizations to combine email filtering with browser-level protections, iframe inspection, and user reporting processes. They also stressed the role of employee awareness, noting that visual inspection alone is no longer reliable for identifying phishing pages.
The big picture
GhostFrame shows how phishing has quietly changed shape. What used to be obvious fake pages and bad links has turned into something much harder to spot. Lionel Litty, CISO and chief security architect for Menlo Security, told MSSP Alert that “trying to determine if a page is malicious by looking at a single request's URL, or response payload, as network security devices do, is extremely challenging.” Attackers have learned how those systems work and now avoid them by “obfuscating their code and splitting functionality between multiple components fetched separately from rotating domains.”
That shift makes life harder for defenders. Spotting the threat is no longer just about catching a bad email or blocking a single link. Litty explained that security teams now “need to know what happened in a user’s browser and what the user saw after the browser fetched and reconstructed all the content during a phishing attack.” Without that visibility, the most dangerous parts of the attack can slip by unnoticed.
FAQs
Why are invisible iframes effective for phishing?
They allow attackers to keep the visible page clean while loading malicious content from external sources that can change frequently.
How do rotating subdomains help attackers?
Unique subdomains reduce reuse patterns, which makes it harder for security tools to block campaigns based on known indicators.
Can traditional email filters detect GhostFrame attacks?
Some may flag the emails, but the landing pages are harder to detect because they lack obvious phishing elements.
What part does the browser play in these attacks?
Browsers render the iframe content without alerting users, especially when inspection tools are blocked or disabled by scripts.
What steps can organizations take to reduce risk?
They can monitor iframe behavior, restrict external content loading, enforce browser updates, and encourage users to report suspicious pages even when they appear normal.
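The "Going deeper" section and the last FAQ both point at the same defensive check: a host page that looks clean, carries no login form of its own, hides its real content in a cross-origin iframe and ships scripts that block inspection. The following is an added example written for this article, not code from the researchers or from any vendor named above. It is a heuristic triage of a fetched landing page using only the Python standard library; the two sample pages, their URLs and hostnames are constructed for the example, and the registrable-domain helper is a deliberately crude stand-in (no public-suffix list is consulted).

```python
"""Heuristic triage of a landing page for the 'minimal surface' phishing pattern:
a benign-looking host page that defers its content to a hidden or borderless
cross-origin iframe and hooks the browser's inspection shortcuts.
Added example; sample URLs and pages below are constructed, not real sightings."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an iframe effectively invisible to the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![.\d%])|left\s*:\s*-\d+", re.I)
# Styles that let a borderless iframe cover the host page as an overlay.
OVERLAY_STYLE = re.compile(r"position\s*:\s*(?:fixed|absolute)", re.I)
# Script fragments typical of right-click / keyboard-shortcut suppression.
ANTI_INSPECT = re.compile(r"contextmenu|keydown|keyCode\s*==\s*123|F12|ctrlKey", re.I)


class _Collector(HTMLParser):
    """Collects iframes, inline script bodies and login-form indicators."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.forms = [], [], 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "form" or (tag == "input" and a.get("type", "").lower() == "password"):
            self.forms += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def _registrable(host):
    """Crude 'site' comparison: last two labels. Assumption for the example;
    a real deployment would use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(page_url, html):
    """Return a list of human-readable findings for one fetched page."""
    p = _Collector()
    p.feed(html)
    page_site = _registrable(urlparse(page_url).hostname or "")
    findings = []
    for f in p.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        style = f.get("style", "")
        cross = bool(host) and _registrable(host) != page_site
        hidden = (bool(HIDDEN_STYLE.search(style)) or "hidden" in f
                  or f.get("width") == "0" or f.get("height") == "0")
        overlay = bool(OVERLAY_STYLE.search(style)) or f.get("frameborder") == "0"
        if cross and hidden:
            findings.append(f"hidden cross-origin iframe: {src}")
        elif cross and overlay:
            findings.append(f"borderless/overlay cross-origin iframe: {src}")
    if any(ANTI_INSPECT.search(s) for s in p.scripts):
        findings.append("script hooks contextmenu/keyboard (anti-inspection)")
    if p.forms == 0 and any("iframe" in x for x in findings):
        findings.append("no login form in host page; content deferred to iframe")
    return findings


# Constructed sample: a plain host page whose real content lives in a per-target
# subdomain on another site, with a hidden no-script fallback frame.
SUSPICIOUS_URL = "https://docs.share-notice.test/open"
SUSPICIOUS_HTML = """<html><head><title>Shared document</title>
<script>document.addEventListener('contextmenu', e => e.preventDefault());</script>
</head><body><p>Your document is ready.</p>
<iframe src="https://a1b2c3.preview.invalid/view"
        style="position:fixed;top:0;left:0;width:100%;height:100%" frameborder="0"></iframe>
<noscript><iframe src="https://a1b2c3.preview.invalid/nojs" width="0" height="0"></iframe></noscript>
</body></html>"""

# Constructed sample: same-site help frame plus an ordinary login form; not flagged.
BENIGN_URL = "https://docs.share-notice.test/open"
BENIGN_HTML = """<html><body><form action="/login"><input type="password" name="p"></form>
<iframe src="https://docs.share-notice.test/help" frameborder="0"></iframe></body></html>"""

if __name__ == "__main__":
    for label, url, html in (("suspicious", SUSPICIOUS_URL, SUSPICIOUS_HTML),
                             ("benign", BENIGN_URL, BENIGN_HTML)):
        print(label, triage(url, html))
```

The point of the check is the combination, not any single attribute: a cross-origin iframe alone is common on legitimate sites, but a page with no form of its own, a cross-origin frame that is hidden or drawn as a borderless overlay, and a script that suppresses the context menu matches the behaviour the researchers describe. Run it over the reconstructed page a browser actually rendered, as Litty's comment suggests, rather than over the first response alone.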