Kaspersky has discovered a new phishing technique that exploits Tencent EdgeOne Pages, a legitimate AI-powered platform for building and hosting web applications, to generate corporate credential-theft campaigns.
Over the past 30 days, Kaspersky’s experts detected more than 8,000 phishing emails using this tactic, with messages in English, Korean and Russian targeting employees across the industrial sector, sales and government. Because the phishing pages are hosted on EdgeOne’s legitimate cloud infrastructure and trusted domains, they appear established and secure to many protective solutions, complicating detection.
How the attack works
Victims receive an email purporting to be from a “corporate email support team,” warning that login credentials will expire within 48 hours and that failure to update them may disrupt email access. Clicking the embedded link leads to a simple credential-harvesting page requesting a name, email address and password. Once submitted, the data is sent to a server controlled by the attackers.
The EdgeOne Pages service is marketed as a platform for quickly building and deploying AI-generated web applications, which scammers are exploiting to publish convincing phishing pages within minutes and with virtually no web development skills.
AI lowering the barrier for attackers
“We are seeing a continuation of the trend in which attackers use AI and no-code platforms as part of their phishing infrastructure. We’ve previously observed a similar scheme using the Bubble platform, and here we have yet another example. While the communication used in these phishing attacks is typical and has been used before multiple times, the attack technique itself significantly lowers the barrier to entry for attackers and accelerates the creation of phishing resources. Previously this required at least basic web development skills, but now an infrastructure for fraudulent emails can be created in minutes,” said Roman Dedenok, Anti-Spam Expert at Kaspersky.
Kaspersky noted this follows similar attacks it previously identified abusing Google Tasks and Bubble, an AI-powered app builder, to harvest corporate credentials.
How organisations can stay protected
- Educate employees that corporate credentials should only be entered on verified, official company platforms
- Deploy robust security solutions to block access to known and suspicious phishing destinations
- Implement advanced anti-phishing technologies at the email gateway to reduce exposure to malicious messages
- Stay updated on evolving attacker techniques and integrate threat intelligence into security operations
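
A gateway-side triage check for the lure described under "How the attack works", as an added example (not Kaspersky's detection logic or code from the article). It flags a message only when credential-expiry wording co-occurs with a link to a shared app-hosting domain outside the organisation. The hosting suffix, organisation domain, patterns, function names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions: placeholder values, not indicators from the article.
SHARED_HOSTING_SUFFIXES = (".pages-host.example",)  # platforms serving tenant pages
ORG_DOMAINS = ("corp.example",)                     # where staff legitimately sign in
LURE_PATTERNS = {
    "credential_expiry": re.compile(r"(password|credentials?)\b.{0,60}\bexpir", re.I | re.S),
    "deadline": re.compile(r"\b(within|in)\s+\d+\s*(hours?|hrs?)\b", re.I),
    "support_persona": re.compile(r"\b(e-?mail|it)\s+support\s+team\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def _body_text(msg):
    """Decode and join every text/* part (plain or HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    """Return the reasons a message matches the lure; an empty list means no match."""
    msg = message_from_string(raw_email)
    text = f"{msg.get('From', '')}\n{msg.get('Subject', '')}\n{_body_text(msg)}"
    reasons = [name for name, rx in LURE_PATTERNS.items() if rx.search(text)]
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        internal = any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)
        if not internal and host.endswith(SHARED_HOSTING_SUFFIXES):
            reasons.append(f"link_on_shared_hosting:{host}")
    return reasons

def is_suspicious(raw_email):
    """Flag only when lure wording AND an off-domain shared-hosting link co-occur."""
    reasons = triage(raw_email)
    has_link = any(r.startswith("link_on_shared_hosting:") for r in reasons)
    return has_link and any(r in LURE_PATTERNS for r in reasons)

# Constructed sample messages (not taken from the campaign).
PHISH = ("From: Corporate Email Support Team <support@mail.example>\n"
         "Subject: Action required\n\n"
         "Your login credentials will expire within 48 hours.\n"
         "Update them here: https://mail-update.pages-host.example/login\n")
BENIGN = ("From: IT <it@corp.example>\nSubject: Password rotation reminder\n\n"
          "Your password will expire in 14 days: https://sso.corp.example/reset\n")
```

Requiring both signals keeps ordinary internal password reminders and legitimate links to the hosting platform from being flagged on their own.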


