
Trusted Deception: Vercel-Hosted Flask Kit Mimics DocuSign Notifications

Exploiting trusted cloud platforms to bypass secure email gateways (SEGs).


What is the attack?

  • Phishing Lure: This campaign impersonates DocuSign-themed document sharing notifications.

  • Vercel Platform: The attacker deploys a Flask-based credential harvesting application on Vercel's trusted cloud platform.

  • Phishing Kit: A simple Flask-based phishing framework optimized for Vercel deployment, with built-in evasion techniques, dynamic branding, and multiple credential collection stages.

Why did it get through?

  • Trusted Domain: The phishing site is hosted on Vercel's legitimate cloud platform, which is typically not blocked by security gateways.

  • Dynamic Impersonation: The kit dynamically pulls organization branding and logos via API calls to create convincing, target-specific phishing interfaces.

  • CAPTCHA Protection: Implementation of CAPTCHA verification prevents automated scanning tools from analyzing the phishing content.

What is required to solve for this attack?

  • Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.

  • Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financial-themed attack.
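
An added example, not part of the original write-up and not Abnormal's detection logic: a minimal Python check for the brand/host mismatch this lure relies on, where a DocuSign-themed message links to a host on a shared cloud platform instead of a DocuSign domain. The domain lists (`docusign.com`, `docusign.net`, `vercel.app`) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumptions (not from the original page): the brand's own link domains and
# the shared-hosting suffix under which Vercel deployments are served.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}
SHARED_HOSTING_SUFFIXES = ("vercel.app",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample message (hostnames and addresses are placeholders).
SAMPLE = """\
From: "DocuSign Notification" <notify@sender.example>
Subject: Completed: please review and sign your document
Content-Type: text/plain; charset=utf-8

Review document: https://constructed-example.vercel.app/view?id=123
Help: https://support.docusign.com/
"""


def _under(host, domain):
    """True if host equals domain or is a subdomain of it (label-aware)."""
    return host == domain or host.endswith("." + domain)


def brand_host_mismatches(raw_email):
    """Return one finding per link whose host is outside the domains of the
    brand named in the From header, Subject, or body text."""
    msg = message_from_string(raw_email)
    body = "".join(
        part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body]).lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # message does not claim this brand
        for url in URL_RE.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if any(_under(host, d) for d in legit):
                continue  # link really points at the brand
            shared = any(_under(host, s) for s in SHARED_HOSTING_SUFFIXES)
            findings.append({"brand": brand, "host": host, "shared_hosting": shared})
    return findings
```

A finding with `shared_hosting` set is a signal to weigh alongside sender history, not a verdict on its own, because legitimate applications are also hosted on the same platform.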