Phishing Threats Exploit Bubble AI App Builder for Microsoft Credential Theft

Severity: High (Score: 67.5)

Sources: BleepingComputer, Kaspersky

Summary

Cybercriminals are leveraging the no-code app-building platform Bubble to create and host malicious web applications that target Microsoft accounts. These phishing campaigns utilize legitimate Bubble-hosted URLs, which evade detection by email security solutions, allowing users to unknowingly access fraudulent login pages. The malicious apps often mimic Microsoft login portals and may include additional checks to bypass security measures. Credentials entered on these fake pages are captured by attackers, potentially compromising sensitive Microsoft 365 data. Kaspersky researchers have noted that the complexity of the generated JavaScript and Shadow DOM structures makes it difficult for automated analysis tools to flag these sites as malicious. This tactic is likely to be adopted by phishing-as-a-service platforms, increasing the stealth of such attacks. The situation is evolving, with security experts urging vigilance against this new method of phishing.

Key Points

  • Phishers are using Bubble to create deceptive web apps for credential theft.
  • Legitimate URLs from Bubble evade detection by email security systems.
  • The complexity of the generated code complicates automated threat analysis.

Key Entities

  • Phishing (attack_type)
  • bubble.io (domain)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Bubble (platform)
  • Google Tasks (platform)
  • Microsoft 365 (platform)
  • Cloudflare (company)
  • Microsoft (company)
  • Phishing-as-a-service Platforms (tool)
  • Phishing Kits (tool)