In a troubling development for enterprise security, threat actors have upgraded a phishing campaign that abuses trusted cloud services to slip past email filters and install remote access software on victims' machines. According to a January 2026 Cloudflare Cloudforce One threat snapshot, the campaign has not only persisted since late 2025 but has changed technically in ways that make it harder to detect and disrupt.
From Simple Phishing to New Delivery Techniques
At its core, the campaign exploits the trust that users and security tools place in a legitimate hosting service, specifically Vercel's *.vercel.app domains. Vercel is a widely used platform for deploying web front ends and static sites, and its domains carry a good reputation with email filters and secure web gateways, so a link to one of them usually passes URL-reputation checks. Attackers take advantage of that by hosting their pages on these domains and embedding the links in phishing emails dressed up as routine business mail: urgent invoices, payment reminders, or shipment documents.
The real change, however, is in how the malicious pages decide whether to serve a payload. Older campaigns simply hosted malicious files on cloud platforms; this one uses a Telegram-based conditional delivery system. Before showing the visitor a fake document or download page, the Vercel-hosted page fingerprints the browser, collecting data about the visitor's device, location, and IP address, and forwards that information to an attacker-controlled Telegram channel. Based on that data, the attacker's infrastructure decides whether the visitor is a real person in a target region or a security researcher or sandbox trying to analyze the threat. Only "valid" victims are served the next stage; everyone else sees a benign page. The practical consequence for defenders is that an automated URL scanner or detonation sandbox that does not look like a real user in the target region gets a clean result and never sees the lure.
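To make the gating concrete, here is an added JavaScript model of such a conditional-delivery gate. It is not code from the Cloudflare report or from the campaign; it is an illustration written for this page, useful mainly for checking what a detonation sandbox's browser and network profile must look like to get past it. The signal names, the weights, the sandbox threshold, the target-country list, the timezone-to-country map and the sample fingerprints are all assumptions.

```javascript
// Added example (not from the Cloudflare report and not the campaign's own code).
// Models the conditional-delivery gate described above: client-side signals from
// a landing page are combined with what the server sees about the request, and
// only visitors that look like real people in the target region get the lure.
// Every field name, heuristic, the threshold, the country list and the sample
// fingerprints below are assumptions chosen to illustrate the technique.

const TARGET_COUNTRIES = new Set(["US", "GB", "DE", "FR"]); // assumed target region
const SANDBOX_THRESHOLD = 3; // assumed cut-off: this many signals => treat as analysis box

// Assumed mapping from the browser's reported IANA timezone to a country, used to
// cross-check the timezone against the IP geolocation.
const TZ_COUNTRY = {
  "America/New_York": "US", "America/Chicago": "US", "America/Los_Angeles": "US",
  "Europe/London": "GB", "Europe/Berlin": "DE", "Europe/Paris": "FR",
  "America/Sao_Paulo": "BR",
};

// Heuristics a page script could compute from navigator/screen/Intl, plus two
// fields (ipCountry, ipType) that the serving side derives from the request.
function sandboxSignals(fp) {
  const reasons = [];
  if (fp.webdriver) reasons.push("navigator.webdriver is true");
  if (/HeadlessChrome|PhantomJS|Selenium|Puppeteer/i.test(fp.userAgent)) reasons.push("automation user agent");
  if (!fp.languages || fp.languages.length === 0) reasons.push("empty navigator.languages");
  if (fp.screenWidth === 0 || (fp.screenWidth === 800 && fp.screenHeight === 600)) reasons.push("zero or default 800x600 screen");
  if (fp.hardwareConcurrency <= 2) reasons.push("two or fewer logical CPUs");
  if (fp.pluginCount === 0) reasons.push("no browser plugins");
  if (fp.ipType === "datacenter") reasons.push("datacenter source IP");
  if (fp.timeZone === "UTC") reasons.push("clock set to UTC");
  const tzCountry = TZ_COUNTRY[fp.timeZone];
  if (tzCountry && fp.ipCountry && tzCountry !== fp.ipCountry) {
    reasons.push(`timezone country ${tzCountry} differs from IP country ${fp.ipCountry}`);
  }
  return reasons;
}

// The gate: serve the lure only to in-region visitors below the sandbox threshold;
// everyone else is routed to a harmless decoy page.
function gateDecision(fp) {
  const reasons = sandboxSignals(fp);
  const inRegion = TARGET_COUNTRIES.has(fp.ipCountry);
  const serve = inRegion && reasons.length < SANDBOX_THRESHOLD;
  return { serve, sandboxScore: reasons.length, inRegion, reasons, page: serve ? "lure" : "decoy" };
}

// Constructed fingerprints (sample input, not captured data).
const SAMPLE_VISITORS = {
  // an office workstation inside the target region
  officeUser: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    webdriver: false, languages: ["en-US", "en"], screenWidth: 1920, screenHeight: 1080,
    hardwareConcurrency: 8, pluginCount: 5, timeZone: "America/New_York", ipCountry: "US", ipType: "residential",
  },
  // an automated URL-detonation sandbox: headless browser on a cloud host
  headlessSandbox: {
    userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36",
    webdriver: true, languages: [], screenWidth: 800, screenHeight: 600,
    hardwareConcurrency: 2, pluginCount: 0, timeZone: "UTC", ipCountry: "US", ipType: "datacenter",
  },
  // a real person, but outside the target region
  outOfRegionUser: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    webdriver: false, languages: ["pt-BR", "pt"], screenWidth: 1920, screenHeight: 1080,
    hardwareConcurrency: 8, pluginCount: 5, timeZone: "America/Sao_Paulo", ipCountry: "BR", ipType: "residential",
  },
  // an analyst VM with a desktop-like profile that still egresses from a cloud IP with a UTC clock
  tunedAnalystVm: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    webdriver: false, languages: ["en-US"], screenWidth: 1920, screenHeight: 1080,
    hardwareConcurrency: 4, pluginCount: 5, timeZone: "UTC", ipCountry: "US", ipType: "datacenter",
  },
};

// Run the gate over every sample and return the decision for each.
function routeAll(visitors = SAMPLE_VISITORS) {
  const out = {};
  for (const [name, fp] of Object.entries(visitors)) out[name] = gateDecision(fp);
  return out;
}

for (const [name, d] of Object.entries(routeAll())) {
  console.log(`${name}: ${d.page} (score ${d.sandboxScore}, inRegion=${d.inRegion})`, d.reasons);
}
```

The point of the fourth sample is the caveat: a sandbox that fixes the obvious tells (automation flags, empty language list, default viewport) but still egresses from a datacenter range with a UTC clock scores only two signals here and gets the lure, while a stock headless crawler trips almost every check and sees only the decoy. Real gates use different signals and thresholds; the exercise is to run your own detonation profile through whatever signals you can enumerate.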
The Lure: Social Engineering and Trust
The phishing emails are crafted with psychological precision. Rather than attaching a malicious file, they embed links disguised as legitimate resources, such as a PDF download for an allegedly overdue invoice or a document that supposedly needs immediate review to avoid a service disruption. The combination of a believable business theme and a trusted domain encourages users to click links they would otherwise ignore. In some cases, attackers may even impersonate technical support staff to "help" the victim resolve a supposed problem.
This social-engineering technique works because it relies not on software flaws but on human trust. A familiar URL combined with a plausible scenario lowers suspicion and raises the chance that the target engages.
Hidden Payload and Remote Access Abuse
If the visitor passes the gate, they are served a download link for a file that looks like a harmless document. In reality it is an executable, often named something like "Invoice06092025.exe.bin", that installs a legitimate remote support tool, GoTo Resolve, once run. The software is not malicious in itself and is signed by its vendor, so antivirus and reputation checks see a known-good product rather than malware. The attackers misuse it as a "living off the land" (LotL) tool that gives them full remote access to the victim's system.
Once installed, the tool connects out to remote infrastructure under the attackers' control (for a cloud-brokered product like GoTo Resolve, a session tied to an attacker-owned account), letting them issue commands, exfiltrate data, or deploy further tooling; the victim's machine becomes a backdoor into the corporate network. Because the agent and its traffic look like ordinary remote-support activity, the intrusion blends in with legitimate RMM use unless the organization knows exactly which remote-access tools it has sanctioned.
Strategies for Detection and Mitigation
Cloudflare's threat intelligence stresses that defending against campaigns like this takes more than signature-based detection. Because the hosting domain itself is legitimate, domain reputation alone tells you nothing; enterprises should use link-analysis and time-of-click inspection that examines the specific page and download behind a link rather than the reputation of the domain it sits on. That inspection also has to present a realistic browser and network profile, or the conditional-delivery gate will simply hand it the benign page. Security teams should additionally monitor subdomains of shared hosting providers such as vercel.app and similar static-site platforms, flagging newly seen subdomains, lure-style naming, and unusual spikes in clicks.
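As an added example of the link-level checks recommended above (and of catching the double-extension file name quoted earlier), the following JavaScript triages a few constructed click-log lines the way a time-of-click inspector or proxy rule might. It is not Cloudflare's code or any product's logic; the watched hosting suffixes, lure words, executable extension list, baseline of known subdomains and the log lines themselves are all assumptions made for the example.

```javascript
// Added example (not from the Cloudflare report): a time-of-click style link check.
// It parses constructed click-log lines, flags links on shared static-hosting
// domains, newly seen subdomains, lure wording and executable or double-extension
// downloads, and returns a verdict per link. The suffix list, lure words,
// extension list, baseline hosts and log lines are assumptions for illustration.

const WATCHED_HOSTING_SUFFIXES = ["vercel.app", "pages.dev", "netlify.app", "github.io", "web.app"];
const EXECUTABLE_EXTS = new Set(["exe", "scr", "msi", "bat", "cmd", "vbs", "js", "hta", "jar", "ps1"]);
const LURE_WORDS = /invoice|payment|overdue|remittance|shipment|statement|docusign|document/i;

// Assumed baseline: shared-hosting subdomains this organization has already seen.
const KNOWN_HOSTS = new Set(["acme-marketing.vercel.app"]);

// Constructed click-log lines (sample input, not real telemetry).
const SAMPLE_LOG_LINES = [
  "2026-01-14T09:12:03Z user=alice action=click url=https://invoice-portal-acme.vercel.app/documents/Invoice06092025.exe.bin",
  "2026-01-14T09:15:41Z user=bob action=click url=https://docs.example.com/q1-report.pdf",
  "2026-01-14T09:20:17Z user=carol action=click url=https://acme-marketing.vercel.app/",
  "2026-01-14T09:31:55Z user=dave action=click url=https://payment-reminder-7f3a.pages.dev/view/Statement.pdf",
  "2026-01-14T09:40:02Z user=erin action=click url=https://cdn.example.net/tools/setup.exe",
];

// Return the watched suffix a host sits under, or null. The bare suffix itself
// (e.g. vercel.app) is the provider's own site and is not flagged.
function sharedHostingSuffix(host) {
  for (const s of WATCHED_HOSTING_SUFFIXES) {
    if (host.length > s.length + 1 && host.endsWith("." + s)) return s;
  }
  return null;
}

// Flag executable downloads and names that bury an executable extension behind
// another one, like the Invoice06092025.exe.bin name quoted in the text.
function filenameFlags(filename) {
  const flags = [];
  const exts = filename.toLowerCase().split(".").slice(1);
  if (exts.length === 0) return flags;
  if (EXECUTABLE_EXTS.has(exts[exts.length - 1])) flags.push("executable-download");
  if (exts.length >= 2 && exts.slice(0, -1).some((e) => EXECUTABLE_EXTS.has(e))) flags.push("double-extension");
  return flags;
}

// Assess one URL: collect flags, then derive a verdict. A bare shared-hosting link
// with nothing else suspicious is allowed, since those domains carry huge volumes
// of legitimate traffic; it is the combination with novelty or lure wording that matters.
function assessLink(raw, knownHosts = KNOWN_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { url: raw, host: null, hostingSuffix: null, filename: "", flags: ["unparseable"], verdict: "review" };
  }
  const host = url.hostname.toLowerCase();
  const flags = [];
  const hostingSuffix = sharedHostingSuffix(host);
  if (hostingSuffix) {
    flags.push("shared-hosting");
    if (!knownHosts.has(host)) flags.push("new-subdomain");
  }
  if (LURE_WORDS.test(host + url.pathname)) flags.push("lure-wording");
  const filename = url.pathname.split("/").pop() || "";
  flags.push(...filenameFlags(filename));

  let verdict = "allow";
  if (flags.includes("executable-download") || flags.includes("double-extension")) verdict = "block";
  else if (hostingSuffix && (flags.includes("new-subdomain") || flags.includes("lure-wording"))) verdict = "review";
  return { url: raw, host, hostingSuffix, filename, flags, verdict };
}

// Pull the url= field out of each log line and assess it.
function triage(lines = SAMPLE_LOG_LINES, knownHosts = KNOWN_HOSTS) {
  const results = [];
  for (const line of lines) {
    const m = /\burl=(\S+)/.exec(line);
    if (m) results.push(assessLink(m[1], knownHosts));
  }
  return results;
}

for (const r of triage()) console.log(r.verdict.padEnd(6), r.host, r.flags.join(","));
```

Two design points worth keeping in a real rule: the bare provider domain is deliberately excluded so the vendor's own site is not flagged, and a shared-hosting subdomain already in the baseline with no lure wording is allowed rather than reviewed, which keeps the rule from drowning analysts in the legitimate traffic these platforms carry. The "new-subdomain" signal is only as good as the baseline behind it; in practice that set would be fed from historical proxy logs rather than hard-coded.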
Moreover, application control and allow-listing can prevent unauthorized installation of remote support tools: if GoTo Resolve is not a sanctioned tool in the environment, its installer should be blocked or at least alerted on, and the same goes for any other RMM agent the organization does not use. Strict policies about what software users may install keep these payloads from gaining a foothold. Finally, phishing awareness training remains essential: users must understand that a padlock icon or a familiar domain name does not guarantee safety, especially when the message pushes urgency.
Looking Ahead
This campaign illustrates how quickly phishing tradecraft adapts. Instead of relying solely on custom malware, attackers lean on legitimate services and conditional delivery pipelines to maximize stealth and impact. Organizations must respond by combining technical controls with ongoing user education and vigilant threat monitoring if they hope to keep pace with emerging phishing strategies.
