A new phishing framework named GhostFrame, built around a stealthy iframe architecture, has been linked to more than one million attacks.
The kit, discovered by cybersecurity experts at Barracuda, relies on techniques that differ from known Phishing-as-a-Service (PhaaS) offerings.
How GhostFrame Works
At the center of GhostFrame’s design is a simple HTML file that poses as a benign landing page while concealing malicious behavior within an embedded iframe.
This structure allows attackers to swap phishing content, adjust regional targets or evade scanners without changing the outward-facing page. Barracuda reported that while iframe abuse is common, this is the first time an entire phishing framework has been structured around it.
GhostFrame’s attack chain unfolds in two stages. The visible outer page carries no typical phishing markers and relies on light obfuscation plus dynamic code that generates a new subdomain for every visitor.
Hidden within are pointers that load a secondary phishing page inside the iframe. This internal page contains the actual credential-harvesting components, which are buried inside a feature meant for streaming very large files to sidestep static detection tools.
Read more on phishing attack trends: 752,000 Browser Phishing Attacks Mark 140% Increase YoY
The kit’s emails vary widely, switching between themes such as fake contract notices or HR updates. Subject lines have included “Secure Contract & Proposal Notification,” “Annual Review Reminder” and “Invoice Attached” and “Password Reset Request.”
Barracuda identified two forms of the GhostFrame source code: one obfuscated and one readable, with the latter containing developer comments.
The kit includes anti-analysis controls that disable right-click actions, block the F12 key and stop common shortcuts used to inspect page code. Even the Enter key is restricted, limiting attempts to save or examine the page.
GhostFrame also uses randomized subdomains for delivery. A loader script validates each subdomain before revealing the malicious iframe, then manages the browser environment based on messages sent from within the iframe. If scripts fail, a hard-coded fallback iframe ensures the attack continues.
Defensive Measures
To defend against similar threats, Barracuda recommends a strategy that includes:
-
Enforcing regular browser updates
-
Training staff to avoid unsolicited links and check URLs carefully
-
Deploying email gateways and web filters to spot suspicious iframes
-
Restricting iframe embedding on corporate sites and scanning for injection risks
-
Monitoring for unusual redirects or embedded content
“A multilayered approach is needed to protect emails and employees against GhostFrame and similar stealthy phishing attacks,” the company concluded.
