Bubble.io: This popular app builder has been hijacked to steal Microsoft account details - here's what we know

Cybercriminals Exploit Bubble.io No-Code Platform for Phishing Attacks

Security researchers at Kaspersky have uncovered a new phishing tactic where cybercriminals abuse Bubble.io, a legitimate no-code app development platform, to bypass email security filters and steal Microsoft 365 credentials.

Attackers leverage Bubble.io’s drag-and-drop editor or its AI chatbot to create malicious web apps with embedded phishing functionality, hosted on the platform’s trusted domain. Since the apps reside on bubble.io, email security tools fail to flag them, allowing phishing emails to reach victims’ inboxes undetected.

The phishing apps often mimic Microsoft login portals, sometimes hidden behind a Cloudflare verification check. Unsuspecting users who enter their credentials unknowingly hand them over to attackers, who can then exploit access for data theft, ransomware deployment, or further attacks on organizations.

Kaspersky warns that this technique is likely to gain traction, particularly among Phishing-as-a-Service (PhaaS) providers, which already offer advanced features like 2FA code interception, geo-fencing to evade analysis, and AI-generated phishing emails. The abuse of legitimate platforms like Bubble.io makes these attacks harder to detect and more scalable for less-skilled threat actors.

While this method is new, cybercriminals have long exploited trusted services such as PayPal, Google Tasks, and Microsoft Azure Monitor alerts to enhance phishing campaigns. Bubble.io has not yet responded to reports of the abuse, and no official statement has been issued.

The discovery highlights an ongoing trend of threat actors weaponizing legitimate tools to evade security measures.
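
The filtering gap described above, shown as an added example that is not from Kaspersky, Bubble.io or the original article: a link triage that contrasts trusting a whole parent domain with treating a multi-tenant platform as untrusted unless the specific tenant is approved. Only `bubble.io` comes from the article; the allowlist contents, the approved tenant name and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: parent domains a reputation-based filter already trusts.
TRUSTED_DOMAINS = {"bubble.io", "microsoft.com"}
# Multi-tenant app hosts; only bubble.io is named in the article.
SHARED_HOSTING = {"bubble.io"}
# Hypothetical tenant the organisation has reviewed and approved.
APPROVED_TENANTS = {"intranet-tools.bubble.io"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_under(host, domain):
    # Label-boundary match, so bubble.io.example.net is not "under" bubble.io.
    return host == domain or host.endswith("." + domain)

def naive_verdict(url):
    """Weak check: anything under a trusted parent domain skips inspection."""
    host = host_of(url)
    return "allow" if any(is_under(host, d) for d in TRUSTED_DOMAINS) else "inspect"

def tenant_aware_verdict(url):
    """Shared platforms get no inherited trust; only approved tenants pass."""
    host = host_of(url)
    if any(is_under(host, d) for d in SHARED_HOSTING):
        return "allow" if host in APPROVED_TENANTS else "inspect"
    return naive_verdict(url)

def triage(body):
    """Map each URL in a message body to (naive, tenant-aware) verdicts."""
    return {u: (naive_verdict(u), tenant_aware_verdict(u))
            for u in URL_RE.findall(body)}

# Constructed sample message; none of these URLs come from the article.
SAMPLE_BODY = (
    "Please review: https://doc-review-example.bubble.io/version-test/login \n"
    "Team portal: https://intranet-tools.bubble.io/home \n"
    "Help: https://support.microsoft.com/office \n"
    "Mirror: https://bubble.io.example.net/login \n"
)

if __name__ == "__main__":
    for url, (naive, aware) in triage(SAMPLE_BODY).items():
        print(f"{naive:8} {aware:8} {url}")
```

Links marked `inspect` would go on to full content analysis (rendering, login-form detection) instead of being passed on domain reputation alone.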

Source: https://www.techradar.com/pro/security/this-popular-app-builder-has-been-hijacked-to-steal-microsoft-account-details-heres-what-we-know

Bubble cybersecurity rating report: https://www.rankiteo.com/company/bubble

"id": "BUB1774549511",
"linkid": "bubble",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Microsoft 365 '
                                              'credentials targeted by '
                                              'phishing attacks',
                        'industry': 'Technology/SaaS',
                        'name': 'Bubble.io (abused platform)',
                        'type': 'No-code app development platform'}],
 'attack_vector': 'Malicious web apps hosted on legitimate platform '
                  '(Bubble.io)',
 'data_breach': {'data_exfiltration': 'Yes (credentials stolen)',
                 'personally_identifiable_information': 'Potentially (if '
                                                        'credentials include '
                                                        'PII)',
                 'sensitivity_of_data': 'High (corporate and personal '
                                        'accounts)',
                 'type_of_data_compromised': 'Credentials (Microsoft 365)'},
 'description': 'Security researchers at Kaspersky have uncovered a new '
                'phishing tactic where cybercriminals abuse Bubble.io, a '
                'legitimate no-code app development platform, to bypass email '
                'security filters and steal Microsoft 365 credentials. '
                'Attackers leverage Bubble.io’s drag-and-drop editor or its AI '
                'chatbot to create malicious web apps with embedded phishing '
                'functionality, hosted on the platform’s trusted domain. Since '
                'the apps reside on bubble.io, email security tools fail to '
                'flag them, allowing phishing emails to reach victims’ inboxes '
                'undetected. The phishing apps often mimic Microsoft login '
                'portals, sometimes hidden behind a Cloudflare verification '
                'check. Unsuspecting users who enter their credentials '
                'unknowingly hand them over to attackers, who can then exploit '
                'access for data theft, ransomware deployment, or further '
                'attacks on organizations.',
 'impact': {'data_compromised': 'Microsoft 365 credentials',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential unauthorized access to '
                                  'organizational systems',
            'systems_affected': 'Microsoft 365 accounts, organizational '
                                'networks'},
 'initial_access_broker': {'entry_point': 'Phishing emails with malicious '
                                          'Bubble.io-hosted apps',
                           'high_value_targets': 'Microsoft 365 users'},
 'investigation_status': 'Ongoing (researchers have uncovered the tactic)',
 'lessons_learned': 'Legitimate platforms can be abused to bypass security '
                    'measures, increasing the sophistication of phishing '
                    'attacks. Organizations should enhance email security and '
                    'user awareness to detect such threats.',
 'motivation': 'Credential theft, data theft, ransomware deployment, financial '
               'gain',
 'post_incident_analysis': {'corrective_actions': 'Bubble.io may need to '
                                                  'implement stricter '
                                                  'monitoring and takedown '
                                                  'procedures for malicious '
                                                  'apps. Organizations should '
                                                  'enhance phishing detection '
                                                  'mechanisms.',
                            'root_causes': 'Abuse of Bubble.io’s trusted '
                                           'domain to bypass email security '
                                           'filters, lack of detection for '
                                           'phishing apps hosted on legitimate '
                                           'platforms.'},
 'recommendations': ['Implement advanced email security solutions to detect '
                     'phishing attempts hosted on trusted domains.',
                     'Educate users on recognizing phishing attempts, even '
                     'when they appear to come from legitimate sources.',
                     'Monitor for unusual login activity on Microsoft 365 '
                     'accounts.',
                     'Consider multi-factor authentication (MFA) to mitigate '
                     'credential theft risks.'],
 'references': [{'source': 'Kaspersky'}],
 'response': {'third_party_assistance': 'Kaspersky (security researchers)'},
 'threat_actor': 'Cybercriminals, Phishing-as-a-Service (PhaaS) providers',
 'title': 'Cybercriminals Exploit Bubble.io No-Code Platform for Phishing '
          'Attacks',
 'type': 'Phishing',
 'vulnerability_exploited': 'Abuse of trusted domain (bubble.io) to bypass '
                            'email security filters'}