Okta observes v0 AI tool used to build phishing sites

About the Author

Houssem Eddine Bordjiba

Senior Identity Threat Research Engineer

Houssem Eddine Bordjiba is a Senior Identity Threat Research Engineer at Okta, bringing over a decade of expertise in cyber threat intelligence and threat hunting. He focuses on tracking threat actor activities and leading investigations into their motivations, tactics, techniques, and procedures (TTPs). His deep understanding of adversaries' motives and TTPs allows him to provide actionable intelligence that strengthens the defenses of Okta and its customers against evolving cyber threats.

Houssem holds a Master's degree in Information Systems Security (MASc) from Concordia University in Montreal, Canada. Outside of work, Houssem enjoys an active lifestyle, pursuing his passions for soccer, martial arts, and various outdoor activities.

Paula De la Hoz

Cyber Threat Researcher

Paula De la Hoz is a Cyber Threat Researcher at Okta. Backed by experience in both red and blue team tasks, she is passionate about cybersecurity. Paula is involved in Spain’s Free Software community and enjoys climbing and biking when offline.

01 July 2025

Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages.

This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. Okta researchers were able to reproduce our observations.

Vercel’s v0.dev is an AI-powered tool that allows users to create web interfaces using natural language prompts. Okta has observed this technology being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.


Further investigation revealed that phishing page resources, including impersonated company logos, were also hosted on Vercel's infrastructure. Threat actors will, at times, host all elements of a phishing site within the same trusted platform to make the site appear more legitimate. This is an attempt to evade detection based on resources extracted from CDN logs or hosted on disparate or known-malicious infrastructure.

Vercel has restricted access to the identified phishing sites, and worked with Okta on methods of reporting additional phishing infrastructure.

The observed activity confirms that today’s threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities. The use of a platform like Vercel's v0.dev allows emerging threat actors to rapidly produce high-quality, deceptive phishing pages, increasing the speed and scale of their operations.

In addition to Vercel's v0.dev platform, various public GitHub repositories offer direct clones of the v0.dev application or do-it-yourself (DIY) guides for building bespoke generative tools. This open-source proliferation effectively democratizes advanced phishing capabilities, providing the tools for adversaries to create their own phishing infrastructure.

Okta Threat Intelligence also observed threat actors abusing the Vercel platform to host multiple phishing sites impersonating legitimate brands, including Microsoft 365 and cryptocurrency companies. Okta customers can access the detailed security advisory in the Security Trust Center.

Customer recommendations

This incident highlights a critical new vector in the phishing landscape. As generative AI tools become more powerful and accessible, organizations and their security teams must adapt to the reality of AI-driven social engineering and credential harvesting attacks.

Organizations can no longer rely on teaching users how to identify suspicious phishing sites based on imperfect imitation of legitimate services. The only reliable defence is to cryptographically bind a user’s authenticator to the legitimate site they enrolled in. 

This is the technique that powers Okta FastPass, the passwordless method built into Okta Verify. When phishing resistance is enforced in policy, the authenticator will not allow the user to sign into any resource but the origin (domain) established during enrollment. Put simply, the user cannot be tricked into handing over their credentials to a phishing site.
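The origin binding described above, reduced to a minimal model. This is an added example, not Okta FastPass or Okta Verify code; the class names, the constructed example.com and example.net origins, and the use of HMAC in place of a public-key signature are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def make_assertion(key, origin, challenge):
    # HMAC stands in for the asymmetric signature a real authenticator makes.
    data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
    return data, hmac.new(key, data, hashlib.sha256).digest()

class Authenticator:
    """Toy origin-bound authenticator (constructed model, not Okta Verify)."""
    def __init__(self):
        self._keys = {}  # origin -> credential created at enrollment

    def enroll(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]  # stand-in for the registered public key

    def sign_in(self, browser_origin, challenge):
        # The origin comes from the browser, not from the page content, so a
        # pixel-perfect clone on another domain finds no credential to use.
        key = self._keys.get(browser_origin)
        return None if key is None else make_assertion(key, browser_origin, challenge)

class Site:
    def __init__(self, origin, authenticator):
        self.origin = origin
        self.key = authenticator.enroll(origin)
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None:
            return False
        data, sig = assertion
        if not hmac.compare_digest(sig, hmac.new(self.key, data, hashlib.sha256).digest()):
            return False
        fields = json.loads(data)
        challenge = bytes.fromhex(fields["challenge"])
        if fields["origin"] != self.origin or challenge not in self.pending:
            return False  # signed for another origin, or challenge unknown/used
        self.pending.discard(challenge)  # single use: blocks replay
        return True

def demo():
    auth = Authenticator()
    site = Site("https://login.example.com", auth)  # constructed origins
    clone = "https://login-example.example.net"
    genuine = auth.sign_in(site.origin, site.new_challenge())
    relayed = auth.sign_in(clone, site.new_challenge())  # clone relays a real challenge
    return site.verify(genuine), site.verify(genuine), relayed, site.verify(relayed)
```

`demo()` returns the outcome of a genuine sign-in, a replay of the same assertion, the authenticator's response on the look-alike origin, and the site's verdict on that response.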

Okta Threat Intelligence recommends the following defense tactics:

  • Enforce phishing-resistant authentication: Configure your org to require phishing-resistant authentication — like Okta FastPass, which provides additional security assurance against credential-based threats — and prioritize the disabling of old, less secure factors. Learn more about phishing prevention in our comprehensive guide.

  • Bind access to trusted devices: Authentication policies can be used to restrict access to user accounts based on a range of customer-configurable prerequisites. We recommend administrators restrict access to sensitive applications and data to only those devices that are registered with Okta or managed by Endpoint Management tools and assessed to have a strong security posture. This can prevent an attacker armed with stolen credentials from accessing sensitive resources. 

  • Require step-up authentication for anomalous access: Okta Network Zones can be used to control access by location, ASN (Autonomous System Number), IP, and whether the IP address is associated with anonymizing services. Okta Behavior Detection can be used to trigger step-up authentication, deny access or trigger other workflows when a user’s sign-in behavior deviates from a previous pattern of activity.

  • Enhance security awareness: Enhance internal security awareness training to account for AI-generated threats.

To learn more about these threats and how to stay safe, visit the security advisory in our Security Trust Center (for Okta customers). For the latest news and insights in identity and security, subscribe to our Access Granted LinkedIn newsletter.
