ON 6 February 2026, according to X-Labs, a cloud-hosted phishing campaign uses Vercel Blob storage and a Telegram bot to harvest data. The attack begins with a standard business email disguised as a procurement request, with a PDF attachment as the primary delivery mechanism, bypassing filters because the email body contains no malicious links and often passes SPF, DKIM and DMARC checks.
When opened, the attachment leads to a second PDF hosted on Vercel Blob, which redirects victims to a Dropbox-impersonation page designed to harvest credentials, with the stolen data exfiltrated to attacker-controlled command-and-control infrastructure. The attackers then collect the loot via a Telegram bot, transmitting credentials plus system and location information to a Telegram channel, while users are shown a fake “Login successful” alert.
This multi-layered chain—PDF to cloud to fake page—demonstrates how attackers are increasingly living off legitimate cloud infrastructure to bypass security checks and breach credentials.