Phishing Campaign Abused Vercel Links to Deliver GoTo Resolve Remote Access Tool

What happened

Between November 2025 and January 2026, a phishing campaign abused links hosted on Vercel, a trusted hosting platform, to deliver remote access tooling to victims. Threat actors sent phishing emails using invoice- and payment-themed lures (e.g., overdue invoices and service suspension warnings) to push recipients to click a link hosted on Vercel. After the click, the infrastructure performed browser fingerprinting (IP, device, browser, geolocation) and sent the collected details to a threat-actor-controlled Telegram channel, where automated checks filtered out suspected security researchers and sandbox environments. Approved victims were shown a fake document viewer and prompted to download an executable disguised as a business document. The payload was a legitimate signed copy of GoTo Resolve (formerly LogMeIn), enabling full remote control once executed. Cloudflare analysts identified the activity while investigating Vercel abuse patterns.

Who is affected

Organizations and end users who receive business-themed phishing emails and allow execution of downloaded “document” files are directly at risk. Exposure is direct when the remote access tool is installed, and indirect where users only click links but do not execute the payload.

Why CISOs should care

This campaign demonstrates “living off the land” remote access enablement using legitimate tooling (GoTo Resolve) delivered through a trusted hosting platform (Vercel), which can reduce detection efficacy and accelerate hands-on-keyboard compromise. It elevates risk for credential theft, persistence, lateral movement, and incident response complexity.

3 practical actions

  • Tighten controls on remote access tooling: Restrict installation and execution of GoTo Resolve and similar RMM tools to approved endpoints via allowlists and application control.

  • Strengthen phishing-resistant access paths: Require stronger verification for “invoice” and “document signing” workflows and block unsolicited executable downloads from web sessions.

  • Detect conditional delivery behaviors: Monitor for browser-fingerprinting patterns, suspicious redirects, and outbound traffic to Telegram tied to link-click events.
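One way to implement the third action, as an added example that is not part of the original article or any vendor's detection content: it correlates, per endpoint, a click on a Vercel-hosted link with the follow-on behaviors the campaign description lists. The event schema, host names, file name, time window and allowlist are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_S = 900                            # assumed correlation window after a click
HOSTING_SUFFIX = ".vercel.app"
TELEGRAM_DOMAINS = {"api.telegram.org", "t.me"}
EXE_SUFFIXES = (".exe", ".msi")
RMM_PRODUCTS = {"goto resolve"}           # extend with other RMM tools you track
RMM_APPROVED_HOSTS = {"it-helpdesk-01"}   # hypothetical allowlist of approved endpoints

# Constructed sample events in a hypothetical normalized proxy/EDR schema.
SAMPLE = [
    {"ts": 1000, "host": "fin-ws-07", "type": "http", "domain": "example-invoice.vercel.app", "path": "/view"},
    {"ts": 1004, "host": "fin-ws-07", "type": "http", "domain": "api.telegram.org", "path": "/"},
    {"ts": 1030, "host": "fin-ws-07", "type": "http", "domain": "example-invoice.vercel.app", "path": "/Invoice_Overdue.pdf.exe"},
    {"ts": 1090, "host": "fin-ws-07", "type": "proc", "product": "GoTo Resolve"},
    {"ts": 2000, "host": "hr-ws-02", "type": "http", "domain": "example-invoice.vercel.app", "path": "/view"},
    {"ts": 5000, "host": "it-helpdesk-01", "type": "proc", "product": "GoTo Resolve"},
]

def signal_for(event):
    """Map one event to a post-click signal name, or None if it is not relevant."""
    if event["type"] == "http":
        if event["domain"] in TELEGRAM_DOMAINS:
            return "telegram_traffic"
        if event.get("path", "").lower().endswith(EXE_SUFFIXES):
            return "executable_download"
    elif event["type"] == "proc":
        if (event.get("product", "").lower() in RMM_PRODUCTS
                and event["host"] not in RMM_APPROVED_HOSTS):
            return "unapproved_rmm_execution"
    return None

def correlate(events, window_s=WINDOW_S):
    """Return {host: [signals]} for signals seen within window_s of a Vercel link click."""
    last_click, hits = {}, defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "http" and ev["domain"].endswith(HOSTING_SUFFIX):
            last_click[host] = ev["ts"]   # a download from the lure page itself still counts
        sig = signal_for(ev)
        if sig and host in last_click and ev["ts"] - last_click[host] <= window_s:
            hits[host].add(sig)
    return {h: sorted(s) for h, s in hits.items()}

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A host that only clicked the link (hr-ws-02) and an approved endpoint running the tool (it-helpdesk-01) produce no hit, which matches the article's split between indirect and direct exposure.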