
Phishing scams use AI-powered platforms to evade security

New research shows attackers are using AI-assisted platforms like Vercel and Netlify to create phishing pages that bypass security and trick users into giving up login credentials.

 

What happened

Since January 2025, Cyber Press has observed a sharp increase in phishing campaigns using AI-powered web development platforms, specifically Vercel.app, Netlify.app, and Lovable.app, to host fake CAPTCHA challenge pages. These deceptive pages serve as the first step in phishing attacks that steal login credentials for platforms like Microsoft 365, Google Workspace, and company VPNs.

Phishing emails with urgent subject lines such as “Password Reset Required” or “USPS Change of Address Notification” lead users to what appears to be a routine CAPTCHA verification page. After solving the CAPTCHA, users are silently redirected to phishing sites designed to steal credentials.

 

Going deeper

The use of CAPTCHAs adds a layer of credibility to the phishing flow, lowering user suspicion and preventing detection by automated scanners. Security crawlers typically index only the challenge page and not the redirect, making these attacks harder to spot through traditional filters.

Trend Micro reported the following distribution across platforms:

  • Vercel.app: 52 unique phishing sites
  • Lovable.app: 43 sites
  • Netlify.app: 3 sites

The activity peaked from February to April, dropped slightly, then surged again in August, mirroring trends in remote work adoption.

 

What was said

The report advises that organizations rethink their security controls. Static blacklists and basic inspections are ineffective against the dynamic behavior of these phishing campaigns. Instead, companies should adopt:

  • Advanced email gateways with link sandboxing
  • Web proxies that detect anomalies in trusted domains
  • Real-time monitoring of AI-hosted subdomains for early takedowns

User training is equally important. Employees should be taught to verify domain names and be cautious of unexpected CAPTCHA prompts. Encouraging the use of password managers can also prevent credential entry on fake sites.
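As an added example (not from the report or from Paubox), the subdomain monitoring and link sandboxing listed above can be fed by a small triage pass over mail-gateway link records: it selects links on the three named platforms for sandbox detonation rather than blocking them outright. The record layout, the allowlisted host, and all sample hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hosting platform suffixes named in the article.
PLATFORM_SUFFIXES = (".vercel.app", ".netlify.app", ".lovable.app")
# Assumption: subdomains your own teams deploy to (hypothetical name).
KNOWN_GOOD_HOSTS = {"docs-example-corp.vercel.app"}
# Lure phrases quoted in the article.
URGENT_SUBJECTS = ("password reset required", "change of address notification")


def platform_host(url):
    """Return the normalized host if it is a subdomain of a listed platform, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Suffix match with the leading dot rejects look-alikes such as
    # "vercel.app.example.net" and the platform's own apex domain.
    return host if host.endswith(PLATFORM_SUFFIXES) else None


def triage(records):
    """Return (priority, host, subject) for links that should go to the sandbox."""
    findings = []
    for subject, url in records:
        host = platform_host(url)
        if host is None or host in KNOWN_GOOD_HOSTS:
            continue
        urgent = any(p in subject.lower() for p in URGENT_SUBJECTS)
        findings.append(("high" if urgent else "review", host, subject))
    return findings


# Constructed sample records (subject, first URL in body); not real indicators.
SAMPLE = [
    ("Password Reset Required", "https://example-verify-login.vercel.app/check"),
    ("USPS Change of Address Notification", "https://example-parcel.lovable.app/"),
    ("Sprint notes", "https://docs-example-corp.vercel.app/sprint-12"),
    ("Weekly newsletter", "https://team-preview-example.netlify.app./index.html"),
    ("Invoice", "https://vercel.app.example.net/login"),
]

if __name__ == "__main__":
    for priority, host, subject in triage(SAMPLE):
        print(f"{priority:6} {host:36} {subject}")
```

Because the CAPTCHA gate hides the redirect from crawlers, the output is a queue for interactive sandboxing or analyst review, not a verdict.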

 

The big picture

AI-powered platforms such as Vercel, Netlify, and Lovable are giving attackers a low-cost way to host phishing campaigns that look authentic and bypass automated scanners. Fake CAPTCHA gates add credibility while preventing crawlers from reaching the real phishing page, leaving traditional filters blind to the attack.

Paubox recommends Inbound Email Security as a more effective defense. Generative AI examines context, tone, and relationship patterns within email messages to detect anomalies that static link checks and blocklists overlook. Suspicious messages are stopped before they reach inboxes, protecting users from credential theft schemes that exploit trusted hosting platforms.

 

FAQs

Why are AI platforms like Vercel and Netlify used in phishing campaigns?

These platforms offer free hosting, fast deployment, and high-trust domain names—making them ideal for attackers looking to quickly spin up convincing phishing sites.

 

How does the fake CAPTCHA technique work?

The CAPTCHA lowers suspicion and blocks basic scanners. Once completed, users are redirected to a hidden phishing site designed to steal login credentials.

 

What tools can detect these phishing attempts?

Security solutions that include advanced link analysis, sandboxing, and behavior-based detection are more effective than static filters or blacklists.

 

What’s the role of user behavior in preventing these attacks?

Employees should be trained to recognize phishing patterns, double-check URLs, and avoid entering credentials on unfamiliar or suspicious sites, even if a CAPTCHA appears legitimate.

 

Can password managers help in these scenarios?

Yes. Password managers typically won’t autofill credentials on fake domains, providing a useful red flag to users who might otherwise fall for phishing attempts.
