Kaspersky has discovered that attackers have begun exploiting another legitimate service for malicious purposes – this time it is Tencent EdgeOne Pages, a platform for creating and hosting web applications. Attackers are misusing its capabilities to generate phishing emails targeting corporate users. Previously Kaspersky has described similar attacks leveraging Google services and web applications generated by Bubble, an AI-powered app builder, to hunt for corporate credentials.
Employees across multiple industries including the industrial sector, sales, and government are among the targets. The goal of the attack is to steal login credentials for corporate resources. Over the past 30 days, the company's experts have detected more than 8,000 phishing emails using this tactic, including messages in English, Korean, and Russian.
The Tencent EdgeOne Pages service is positioned as a platform for quickly creating and deploying web applications using AI. Scammers misuse it to generate and publish phishing pages in minutes with virtually no web development skills.
Attackers host phishing pages on EdgeOne’s legitimate cloud infrastructure and use trusted domains. As a result, such sites appear to be established and secure to many protective solutions, complicating the detection of such attacks.
How the attack begins
The user receives an email from the alleged “corporate email support team”. The message states that the account login credentials will expire in 48 hours, and that failure to update them may result in problems receiving or sending emails. To avoid restrictions, the user is prompted to click a link and enter relevant information. Phishing emails are not limited to this narrative, and could deliver any corporate message, such as a message from the HR department or a notification of a received document that should be downloaded.
Clicking the link in the email opens a page with a form for entering the victim’s name, email address, and password. It is a simple design, with virtually no additional elements.
A page that was set up by the attackers to collect credentials
After the user enters their login and password, the data is transferred to a server controlled by the attackers.
"We are seeing a continuation of the trend in which attackers use AI and no-code platforms as part of their phishing infrastructure. We've previously observed a similar scheme using the Bubble platform, and here we have yet another example. While the communication used in these phishing attacks is typical and has been used before multiple times, the attack technique itself significantly lowers the barrier to entry for attackers and accelerates the creation of phishing resources. Previously this required at least basic web development skills, but now an infrastructure for fraudulent emails can be created in minutes," comments Roman Dedenok, Anti-Spam Expert at Kaspersky.
To be protected, Kaspersky recommends:
· Educate employees so that they understand that corporate credentials should only be entered on verified, official company platforms.
· Deploy robust security solutions to block access to known and suspicious phishing destinations.
· Implement advanced anti-phishing technologies at the email gateway to reduce exposure to malicious messages.
· Stay updated on evolving attacker techniques and integrate threat intelligence into security operations.
