Bubble AI App Builder Abused to Steal Microsoft Account Credentials
Threat actors are using the no‑code AI app builder Bubble to create and host malicious web apps that mimic Microsoft login pages, allowing them to steal Microsoft 365 credentials. Because these sites run on Bubble’s trusted *.bubble.io domain, email security tools don’t flag the links, letting users access the phishing page. The generated apps contain large JavaScript bundles and Shadow DOM structures that evade automated analysis, making it hard for defenders to detect the malicious intent. Kaspersky warns that this technique is likely to spread through phishing‑as‑a‑service kits, increasing the stealth of attacks against Microsoft accounts.

Threat actors are moving phishing campaigns away from obvious links and suspicious domains, exploiting the no-code app-building platform Bubble to generate and host malicious web applications. What makes this approach particularly troubling is that the web apps ride on a legitimate hosting infrastructure, which means traditional email security scanners and many URL reputation checks fail to flag the link as dangerous. When a user clicks through, they are redirected to a phishing page that imitates a Microsoft login portal, and in some cases sits behind a Cloudflare check that further obscures the page’s true nature.
Security researchers have observed that this technique is designed to elude automated defenses by embedding the actual credential-collecting surface behind a legitimate service. The phishers take advantage of Bubble’s core strength: a platform that lets anyone describe an application, after which Bubble generates the backend logic and frontend automatically. The resulting apps are hosted under a domain like *.bubble.io, a trusted-sounding address that is unlikely to trigger warnings from standard security tools. The deception hinges on the perception of legitimacy rather than on suspicious URL indicators.
What makes the Bubble-driven phishing pages hard to detect is their structure. Researchers describe the code as a dense mass of JavaScript bundles and Shadow DOM-heavy architectures. This combination creates a layer of opacity that makes it difficult for analysts—whether automated or human—to quickly determine what a page is doing. The Shadow DOM isolates internal components from the main DOM, which means that even seasoned developers can struggle to understand the page’s true function at a glance. In practice, this obscurity means automated web-code analysis tools may misclassify such pages as benign, simply because they appear to function as legitimate sites rather than as redirects to a separate phishing page.
Code fragments observed in these Bubble-based apps underscore the challenge. Large, intertwined JavaScript bundles are generated by the platform, and Shadow DOM structures create additional insulation around the app’s logic. For defenders, this is a reminder that no-code platforms, while powerful and convenient for legitimate development, can inadvertently create novel surfaces for abuse. When a Bubble app is used as a harbor for a phishing scheme, a victim’s interaction with the page—entering credentials on what looks like a Microsoft login form—can be enough to trigger a credential theft event without triggering familiar red flags on the security stack.
The workflow, as described by researchers, typically begins with the attacker configuring a Bubble app that contains a convincing Microsoft-themed login page. The app may present a familiar layout, branding cues, and even a faux security prompt designed to prompt quick action from the user. Once login credentials are entered, they are siphoned off to the attacker, who can then attempt to access the target Microsoft 365 environment—including email, calendar data, and other sensitive information associated with the account. The fact that the page can be hosted on Bubble’s infrastructure and then redirected to a more convincing live login surface creates an additional hurdle for incident responders: by the time a user reports suspicious activity, the temporary nature and legitimate hosting behind the phishing page can complicate rapid takedown and attribution.
Kaspersky researchers have been particularly vocal about the risks associated with this approach. They highlight that the platform’s generated code is so complex that, regardless of a viewer’s expertise, it is challenging to ascertain the page’s true intent. Automated analysis tools can be misled by the apparent functionality of the site, while human analysts may need to dig through layers of code to understand how data pathways operate. The takeaway is not just about Bubble; it’s a reminder that the ecosystem surrounding no-code tools—when combined with robust scripting and modern web technologies—can enable attackers to orchestrate sophisticated, hard-to-detect campaigns from what looks like ordinary, legitimate infrastructure.
This development fits into a broader trend in phishing and credential theft: the rise of phishing-as-a-service (PhaaS) platforms that provide ready-made tools, templates, and hosting environments for would-be criminals. The same ecosystems that deliver legitimate automation and rapid deployment now offer session cookie theft capabilities, adversary-in-the-middle (AiTM) layers designed to bypass two-factor authentication, geo-fencing, and anti-analysis techniques, along with AI-generated email content to further personalize and automate campaigns. The abuse of a widely used, trusted platform to host phishing apps enhances stealth and reach, enabling threat actors—often with limited technical expertise—to launch convincing campaigns at scale.
The implications extend beyond a single phishing incident. If such abuse becomes common, security teams face a dual challenge: defending against traditional phishing indicators while understanding and detecting the subtle, platform-specific signals that accompany no-code-driven campaigns. The use of reputable hosting domains like bubble.io can erode trust in the basic heuristics defenders rely on, creating a gap that attackers may exploit as they expand their toolkit with more sophisticated evasion techniques.
Industry observers note that the tactic is likely to be adopted by other no-code and low-code platforms as well. The combination of ease of app creation, rapid deployment, and trusted hosting environments is attractive for legitimate developers—and equally appealing for adversaries seeking to scale their operations. In this environment, defenders may need to broaden their detection strategies to account for code that looks “normal” on the surface but hides a malicious intention beneath layers of legitimate functionality. This could include deeper examination of how a page loads resources, how redirection flows are implemented, and how credentials are transmitted and stored within the app's technical stack.
From a response perspective, the community’s approach must adapt to the realities of modern no-code ecosystems. While Bubble and similar platforms offer powerful capabilities for rapid development, their legitimacy can be weaponized if offensive actors gain the ability to customize, host, and distribute phishing pages with minimal friction. Researchers emphasize that defenders need heuristics that consider not only the final login surface but the entire app’s behavior: unusual resource loading patterns, atypical cross-origin requests, and inconsistencies between the apparent user interface and the underlying data flows. In practice, this means security teams should consider more nuanced examinations of third-party app hosts and the possibility that a well-known platform could be the gateway for credential phishing campaigns.
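The Shadow DOM opacity described above and the "interface versus data flow" heuristic both come down to one analyst question: where does a password field on this page actually send its input? The following is an added example, not code from the article, Kaspersky or Bubble: a page audit that descends into open shadow roots, locates password inputs, and resolves each enclosing form's submission origin against the page origin, flagging cross-origin sinks. The `El` class, the `constructed-app.bubble.io` page origin and the `collector.example` action are constructed stand-ins so the file runs in Node; in a browser console or a headless-browser `evaluate()` you would pass `document` instead.

```javascript
// Stand-in for a DOM Element so this runs in Node (constructed); in a browser pass `document`.
class El {
  constructor(tag, attrs = {}, children = [], shadow = null) {
    Object.assign(this, { tagName: tag.toUpperCase(), attrs, children, shadowRoot: shadow });
    for (const c of children) c.parentNode = this;
    if (shadow) { shadow.host = this; for (const c of shadow.children) c.parentNode = shadow; }
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
}
// Climb like the real DOM: parentNode up to a ShadowRoot, then its .host.
// Only *open* shadow roots expose .shadowRoot; closed ones stay invisible to this walk.
const up = (n) => n.parentNode || n.host || null;

// Depth-first walk that also descends into every open shadow root it meets.
function findPasswordFields(root) {
  const found = [];
  (function visit(node) {
    if (node.tagName === 'INPUT' && (node.getAttribute('type') || '').toLowerCase() === 'password')
      found.push(node);
    if (node.shadowRoot) for (const c of node.shadowRoot.children) visit(c);
    for (const c of node.children) visit(c);
  })(root);
  return found;
}

// For each password field: whether it sits inside a shadow tree, and the origin its
// enclosing form would post to (action resolved against the page origin, as a browser does).
function auditCredentialSinks(root, pageOrigin) {
  return findPasswordFields(root).map((input) => {
    let form = null, inShadow = false;
    for (let n = input; n; n = up(n)) {
      if (n.tagName === 'FORM' && !form) form = n;
      if (n.host) inShadow = true;                       // crossed a ShadowRoot boundary
    }
    const target = new URL(form ? form.getAttribute('action') || '' : '', pageOrigin).origin;
    return { name: input.getAttribute('name'), inShadow, target, crossOrigin: target !== pageOrigin };
  });
}

// Constructed sample page: a "login card" whose open shadow root hides a form posting to a
// third-party origin, next to an ordinary same-origin form for comparison.
const PAGE_ORIGIN = 'https://constructed-app.bubble.io';
const shadow = { children: [new El('form', { action: 'https://collector.example/post' },
  [new El('input', { type: 'password', name: 'pass' })])], parentNode: null, host: null };
const loginCard = new El('div', { id: 'login-card' }, [], shadow);
const plainForm = new El('form', { action: '/signin' }, [new El('input', { type: 'password', name: 'pwd' })]);
const PAGE = new El('body', {}, [loginCard, plainForm]);

console.table(auditCredentialSinks(PAGE, PAGE_ORIGIN));
```

A form that submits through script (`fetch`/`XMLHttpRequest`) rather than an `action` attribute resolves to the page's own origin here and must be caught at the network layer instead, which is why the article's call to inspect cross-origin requests matters alongside a DOM audit.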
In summary, the emergence of Bubble-based phishing pages that target Microsoft accounts highlights a disturbing shift in how attackers deploy fraud at scale. By leveraging no-code platforms and trusted hosting environments, phishers can produce convincing, hard-to-detect campaigns that siphon credentials and threaten access to sensitive corporate data. The convergence of no-code tooling, Shadow DOM-driven page isolation, and AI-assisted content generation creates a potent mix that keeps defenders on their toes. As this landscape evolves, it will require a combination of improved platform-level abuse controls, enhanced analytics that can surface stealthy redirection patterns, and a broader awareness within organizations about the new vectors attackers may exploit—even those that ride on the most familiar and trusted digital infrastructure.