Kaspersky has uncovered a new phishing campaign in which cybercriminals are abusing Tencent EdgeOne Pages, an AI-powered web application hosting platform, to create and deploy credential-stealing websites targeting corporate users.
According to Kaspersky researchers, attackers are leveraging the legitimate cloud-based service to rapidly generate phishing pages with little to no web development expertise. Over the past 30 days, the cybersecurity company detected more than 8,000 phishing emails linked to the campaign, with messages distributed in English, Korean, and Russian.
The attacks target employees across multiple sectors, including government, industrial, and sales organizations. The primary objective is to steal login credentials for corporate accounts and internal systems.

An example of a phishing email used in a recent cyber campaign uncovered by Kaspersky. The message impersonates a corporate support team and attempts to trick recipients into clicking a malicious link and entering their login credentials on a fraudulent website hosted through legitimate cloud infrastructure.
The phishing emails typically impersonate corporate IT support teams and warn recipients that their email credentials are about to expire. Victims are urged to click a link and update their login information to avoid service disruptions. Similar lures may also appear as HR notifications or document-sharing requests.

A credential-harvesting page set up by attackers as part of a phishing campaign, designed to collect usernames and passwords entered by victims. The page mimics a simple login form and is hosted on compromised or legitimate-looking infrastructure to increase credibility and evade detection.
Once users click the embedded link, they are directed to a fraudulent webpage hosted on Tencent EdgeOne’s legitimate cloud infrastructure. The page prompts victims to enter their name, email address, and password. Submitted credentials are then transmitted directly to servers controlled by the attackers.
Kaspersky noted that hosting phishing pages on trusted cloud platforms presents a growing challenge for security teams. Because the websites use legitimate domains and infrastructure, they may appear more trustworthy to users and can be harder for traditional security tools to detect.
“We are seeing a continuation of the trend in which attackers use AI and no-code platforms as part of their phishing infrastructure,” said Roman Dedenok, Anti-Spam Expert at Kaspersky. “The attack technique significantly lowers the barrier to entry for attackers and accelerates the creation of phishing resources.”
The discovery follows earlier incidents where threat actors exploited services such as Google platforms and Bubble, an AI-powered application builder, to create phishing infrastructure.
Kaspersky recommends that organizations strengthen employee cybersecurity awareness, deploy advanced anti-phishing protections, secure email gateways, and integrate threat intelligence into security operations to defend against evolving AI-assisted cyber threats.
The findings highlight how cybercriminals are increasingly exploiting AI-powered and no-code development platforms to scale phishing operations, creating new challenges for enterprise cybersecurity teams worldwide.


