Phishing Campaigns Exploit Vercel's AI Tools

"This AI tool is the driving force behind the malicious sign-in pages created by attackers," Cofense warned in a report published on 6 May.

Vercel’s v0[.]dev platform and the tools it provides

Cofense identified v0[.]dev — a generative AI tool provided by web application development specialist Vercel — as central to a growing number of phishing campaigns. The vendor described v0[.]dev as capable of producing “fully functioning malicious” sites that closely mimic real-life brands after only a few natural-language prompts. Cofense noted that Vercel also provides hosting, which removes the need for separate phishing infrastructure and makes it straightforward for attackers to recreate content if a page is taken down.

Cofense’s observations: brands, formats and examples

According to Cofense, researchers have observed campaigns built with Vercel Gen AI that impersonate Microsoft landing pages, Spotify emails and fake job postings for Adidas, Ferrari, Louis Vuitton and Nike. The report states the pages produced by the tool are “virtually flawless,” a characteristic that makes standard visual inspection less useful as a defense.

Why minimally skilled threat actors are turning to Vercel

Cofense highlighted several reasons low-skilled operators are adopting platforms like Vercel. The company said the tools are “remarkably simple to use”: users can test Vercel’s Gen AI models for free and then purchase “tokens” to build phishing pages. The vendor also pointed out that Vercel’s pro tier “offers most features for a minimum cost of $20 per month.”

Beyond cost and ease of use, Cofense argued the Gen AI model “adapts with the user’s input, creating better web pages with each attempt.” Combined with cloud hosting, that adaptability makes creating and tearing down malicious content “much easier,” the report said. Cofense summarized the effect bluntly: “Vercel’s Gen AI combines all of the components of a phishing kit purchased on the dark web into a simple interface requiring just a few natural language text prompts which can be done by just one minimally skilled threat actor.”

Integrations that smooth the attacker workflow: Telegram, AWS, Stripe and xAI

The report calls out specific integrations that increase the platform’s utility for attackers. Cofense said integration with Telegram, AWS, Stripe and xAI provides “useful options for would-be threat actors,” enabling a smoother chain from site creation to hosting, payment handling or communications. While Cofense cautioned that other legitimate platforms — named in the report as DeepSite and BlackBox — are also being used by cybercriminals, it said these alternatives do not provide the same level of branding, hosting and integration as Vercel.

Practical signals defenders can still use, and takedown pathways

Because the pages themselves may be nearly indistinguishable from legitimate sites, Cofense urged security teams to push users to check other indicators. The report recommended hovering over a display name to reveal the sender’s domain, noting that unusual sender domains are a common sign of phishing. Cofense also flagged the typical social-engineering patterns — campaigns that create a sense of urgency to elicit a response — as a remaining, observable signal.
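The sender-domain and urgency checks described above can be automated at the mail gateway or in triage tooling. The following is an added example, not code from the Cofense report or the original article; the brand-to-domain map, the urgency phrases and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Assumption: brands named in the report, mapped to sender domains you trust.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "spotify": {"spotify.com"},
    "adidas": {"adidas.com"},
    "nike": {"nike.com"},
}
# Assumption: a small, illustrative set of urgency phrases.
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|final notice|suspended|within \d+ hours)\b", re.I)

def _trusted(domain, legit):
    # Exact match or a true subdomain; "nike.com.hiring.example" fails both.
    return any(domain == d or domain.endswith("." + d) for d in legit)

def sender_signals(raw):
    """Return the phishing signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    from_hdr = msg["From"]
    for addr in (from_hdr.addresses if from_hdr else ()):
        display, domain = addr.display_name.lower(), addr.domain.lower()
        for brand, legit in BRAND_DOMAINS.items():
            # Display name claims a brand, but the real domain is not the brand's.
            if brand in display and not _trusted(domain, legit):
                signals.append(f"display-name-mismatch:{brand}:{domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if URGENCY.search(text):
        signals.append("urgency-language")
    return signals

# Constructed sample messages (not taken from the Cofense report).
PHISH = ('From: "Microsoft Account Team" <security@account-verify.example>\n'
         "Subject: Urgent: your account will be suspended\n\n"
         "Sign in immediately to keep access.\n")
BENIGN = ("From: Spotify <no-reply@spotify.com>\n"
          "Subject: Your receipt\n\n"
          "Thanks for your payment.\n")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, sender_signals(raw))
```

The suffix comparison is deliberately strict, so a lookalike such as a brand name used as a subdomain of an unrelated domain is still flagged.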

On remediation, Cofense urged organizations to report malicious sites created in Vercel directly to Vercel for takedown.

For organizations confronting this trend, the facts in Cofense’s report point to two hard realities: the barrier to entry for producing convincing phishing pages has fallen, and attackers can couple automated page generation with cloud hosting and third-party integrations to build resilient, repeatable campaigns. Cofense’s disclosures — including brand examples, technical enablers, pricing and the suggestion to report malicious content to Vercel — form a narrow but concrete playbook for defenders and incident responders to follow.