Flask Phishing Kit: Targeted Credential Theft Using Open-Source Technology
While security teams scan for complex malware and zero-day exploits, cybercriminals are building targeted phishing attacks with the same tools sitting in your developers' GitHub repositories. Our threat team identified a campaign built on a Flask-based phishing kit: the popular Python web framework used by developers worldwide served as the backbone of an evasive credential theft operation.
The threat actors didn't need cutting-edge exploits or expensive infrastructure. Instead, they took freely available, open-source technology and built a versatile phishing kit with minimal technical effort. This kit enables them to launch attacks that dynamically brand themselves for each target, screen out security scanners with verification code challenges and bot detection, and exfiltrate stolen credentials through a compromised business email account.
The result? A campaign with a phishing page so convincing and well-disguised that it appears completely genuine.
Breaking Down the Cloud-Hosted Credential Phishing Attack
The phishing attack begins with an email impersonating a Docusign document sharing notification. While the email itself is not included in the phishing kit, it functions as the lure that entices the target to click the malicious link embedded within the button labeled “Review Document.”

Upon clicking “Review Document,” the user is first presented with a verification page that asks them to enter a four-digit code. This page serves two purposes: it builds trust with the user and provides a basic barrier against simple automated security tools.

Once the correct code is entered, the user is redirected to a login page designed to look like a secure webmail portal. The page is hosted on a reputable cloud platform that is commonly used for business deployments.

The email address is pre-populated, and the phishing page is customized with the target organization's branding and logo, dynamically pulled via the Kickfire API to increase realism.
When the target submits their password, the credentials are sent via SMTP to the attacker’s email address. In this case, the credentials are sent via a specific compromised account belonging to an unrelated organization, giving the stolen data a valid delivery path and making the transfer appear routine and trustworthy. After submission, the user is redirected to a decoy success page to maintain the illusion of authenticity and reduce suspicion.
This multi-stage process, complete with verification codes, dynamic branding, session flow control, and multiple redirects, is designed to fool both humans and security tools.
What Makes This Attack Unique
This campaign demonstrates how any cybercriminal can turn open-source technology into phishing tools with limited custom code required.
At the heart of the attack is Flask—an open-source Python web framework designed to help developers rapidly build web applications. Flask's native features made it perfect for malicious repurposing: its built-in templating system enabled the dynamic branding that personalizes each target’s experience, its lightweight architecture supported quick deployment on a UI generation tool as a serverless application with Python runtime, and its Python foundation allowed seamless integration with credential-harvesting and SMTP functions.
Using Flask, the threat actors built a functioning phishing kit that includes:
Verification code challenges and comprehensive bot user-agent filtering to evade automated analysis
Dynamic branding via the Kickfire API for logo fetching
Cleanly separated HTML templates for each stage of the phishing process
Rate limiting (six attempts per day/hour) to avoid detection
Session management preventing direct URL access to phishing pages
What makes this attack remarkable is the multi-layered evasion approach. The application includes a comprehensive list of bot user agents—including search engine crawlers like Googlebot and Bingbot, social media bots like Twitterbot, and security scanners like AhrefsBot—that automatically receive HTTP 403 Forbidden errors when they attempt to access the phishing pages. This prevents security tools from crawling and analyzing the content while allowing humans through.
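One way a defender can hunt for this user-agent cloaking pattern in web-server or proxy access logs, as an added example that is not part of the original post or of the kit itself: a path that answers crawler and scanner user agents with HTTP 403 while serving browser user agents HTTP 200 is flagged for review. The log lines, the bot user-agent regex and the host being inspected are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2025:10:00:01 +0000] "GET /verify HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
203.0.113.11 - - [01/May/2025:10:00:05 +0000] "GET /verify HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.12 - - [01/May/2025:10:00:09 +0000] "GET /verify HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.13 - - [01/May/2025:10:00:12 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
203.0.113.14 - - [01/May/2025:10:00:15 +0000] "GET /login HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.15 - - [01/May/2025:10:00:20 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "Twitterbot/1.0"
203.0.113.16 - - [01/May/2025:10:00:25 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""

# Pull request line, status and user agent out of a combined-format log line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Crude crawler/scanner heuristic (assumption): the kit's own list is far longer.
BOT_UA_RE = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)


def parse_log(text):
    """Yield (path, status, user_agent) for every parseable line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("path"), int(m.group("status")), m.group("ua")


def find_cloaked_paths(text):
    """Return paths that refuse bot user agents (403) yet serve browsers (200).

    A path that also serves bots a 200 is not cloaked and is left out, so
    static assets fetched by link-preview bots do not trigger a false positive.
    """
    counts = defaultdict(lambda: {"bot_403": 0, "bot_200": 0, "human_200": 0})
    for path, status, ua in parse_log(text):
        is_bot = bool(BOT_UA_RE.search(ua))
        if is_bot and status == 403:
            counts[path]["bot_403"] += 1
        elif is_bot and status == 200:
            counts[path]["bot_200"] += 1
        elif not is_bot and status == 200:
            counts[path]["human_200"] += 1
    return sorted(
        p for p, c in counts.items()
        if c["bot_403"] and c["human_200"] and not c["bot_200"]
    )


if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))  # → ['/login', '/verify']
```

The same comparison can be run actively by a URL-analysis sandbox that fetches a suspicious link once with a browser user agent and once with a scanner user agent and treats a 200/403 split as a cloaking signal.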
This attack proves that cybercriminals no longer need to develop custom malware or purchase expensive infrastructure. They can simply build applications using popular development frameworks and launch campaigns leveraging trusted cloud platforms. Compounding the threat, this phishing kit remains publicly accessible on GitHub at the time of publication, allowing other cybercriminals to download, modify, and enhance it—a process now made even simpler with AI-powered chatbots.
This “industrialization” of phishing means we'll likely see more campaigns that are simultaneously easier to launch and harder to detect. This trend is turning cybercrime from a specialized skill into a commodity nearly anyone can deploy, especially as AI democratizes advanced coding capabilities.
Why Legacy Solutions Struggle to Detect Cloud-Hosted Credential Phishing
Traditional security tools rely on blocking known-bad URLs, scanning for suspicious attachments, and detecting threats based on static indicators. But this campaign shows how attackers can bypass those defenses using techniques that exploit trust and avoid known-bad patterns.
The phishing email itself does not contain malware or obviously malicious links. It impersonates Docusign and links to a page hosted on a legitimate design platform that is rarely blocked due to its widespread business usage. Additionally, the phishing site uses multiple evasion techniques. A verification code challenge provides a basic barrier, while sophisticated bot user-agent filtering blocks known security scanners and crawlers from accessing the malicious content.
Further complicating detection, the phishing kit personalizes each login page using the target’s email address and the organization’s logo, pulled dynamically via the Kickfire API. This dynamic generation of branded content defeats static template matching and URL-based blocklists.
Finally, credential exfiltration happens via SMTP. And not just any SMTP—the credentials are sent from a legitimate business email account, likely compromised in a previous attack. This allows the stolen data to bypass outbound filters that rely on sender reputation or known-bad domains.
Together, these techniques demonstrate why rule-based detection is increasingly ineffective against multi-stage phishing attacks—and why a behavioral approach is needed instead.
Stopping Cloud-Hosted Phishing Attacks with Behavioral AI
This attack shows how easily threat actors can abuse trusted services and open-source tools to launch evasive, convincing phishing campaigns. When cybercriminals can weaponize the same tools your developers use every day, traditional security approaches aren't just inadequate—they're obsolete.
Blocking these attacks requires more than reputation-based filtering and URL blocklists. A behavioral AI-based email security solution analyzes the context around an email—who sent it, who received it, what it’s asking the user to do, and whether those patterns deviate from normal communication behavior. It can flag suspicious intent in emails that impersonate brands like Docusign and detect anomalous behaviors, like links to recently registered or high-risk cloud-hosted apps.
The phishing kit described here didn’t use any zero-days or advanced malware. But it didn’t need to. By cleverly combining legitimate services and non-malicious code, the attacker created an effective and highly evasive campaign—one that legacy tools were never built to detect. Only behavioral AI can stop these threats before they reach employees’ inboxes—or their credentials reach the bad actor.
For even more insights into the threat landscape and predictions for where it’s headed, download our report, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.