Cybercriminals Exploit Bubble’s No-Code Platform to Bypass Phishing Detection
Threat actors are leveraging Bubble, a no-code app-building platform, to host malicious web apps that evade phishing detection in campaigns targeting Microsoft accounts. By abusing the platform’s legitimate infrastructure, attackers create apps that redirect users to fake Microsoft login portals, often hidden behind Cloudflare checks, to steal credentials for Microsoft 365 access.
Security researchers at Kaspersky identified the tactic, noting that apps hosted on Bubble’s trusted bubble.io domain bypass email security filters. The malicious apps use complex JavaScript bundles and Shadow DOM structures, making them difficult for automated analysis tools to flag as threats. Even manual inspection is challenging, as the generated code appears as a "massive jumble" of legitimate-looking scripts.
Once victims enter credentials on the fake login pages, attackers harvest them to access emails, calendars, and other sensitive data. The method’s stealth and scalability raise concerns that phishing-as-a-service (PhaaS) platforms may adopt it, integrating it into kits that already include 2FA bypasses, session cookie theft, and AI-generated phishing emails.
Bubble has not yet responded to inquiries about potential anti-abuse measures. The abuse of no-code platforms marks a growing trend in evasion techniques, complicating detection for both automated systems and security teams.
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
Bubble TPRM report: https://www.rankiteo.com/company/bubble-hq
{
  "id": "micbub1774470256",
  "linkid": "microsoft-security, bubble-hq",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  'affected_entities': [
    {
      'customers_affected': 'Users of Microsoft accounts and Microsoft 365',
      'industry': 'Software/Cloud Services',
      'name': 'Microsoft',
      'size': 'Large',
      'type': 'Technology'
    },
    {
      'industry': 'No-Code Platform',
      'name': 'Bubble',
      'type': 'Technology'
    }
  ],
  'attack_vector': 'Malicious web apps hosted on legitimate no-code platform',
  'data_breach': {
    'data_exfiltration': 'Yes (credentials harvested)',
    'personally_identifiable_information': 'Yes (Microsoft account credentials)',
    'sensitivity_of_data': 'High (emails, calendars, sensitive business data)',
    'type_of_data_compromised': 'Credentials (Microsoft 365)'
  },
  'description': 'Threat actors are leveraging Bubble, a no-code app-building platform, to host malicious web apps that evade phishing detection in campaigns targeting Microsoft accounts. By abusing the platform’s legitimate infrastructure, attackers create apps that redirect users to fake Microsoft login portals often hidden behind Cloudflare checks to steal credentials for Microsoft 365 access.',
  'impact': {
    'data_compromised': 'Microsoft 365 credentials (emails, calendars, sensitive data)',
    'identity_theft_risk': 'High',
    'systems_affected': 'Microsoft accounts, Microsoft 365 services'
  },
  'initial_access_broker': {
    'entry_point': 'Malicious web apps hosted on Bubble’s platform',
    'high_value_targets': 'Microsoft 365 users'
  },
  'investigation_status': 'Ongoing',
  'lessons_learned': 'Abuse of no-code platforms for phishing evasion is a growing trend, complicating detection for automated systems and security teams. Complex JavaScript and Shadow DOM structures can bypass traditional security filters.',
  'motivation': 'Credential theft for Microsoft 365 access',
  'post_incident_analysis': {
    'root_causes': 'Abuse of legitimate no-code platform infrastructure, evasion techniques (complex JavaScript, Shadow DOM), lack of anti-abuse measures on Bubble’s platform'
  },
  'recommendations': 'Enhance phishing detection mechanisms to account for no-code platform abuse, improve manual inspection processes for complex JavaScript bundles, and monitor for unusual login activity on Microsoft 365 accounts.',
  'references': [{'source': 'Kaspersky'}],
  'response': {'third_party_assistance': 'Kaspersky (security researchers)'},
  'title': 'Cybercriminals Exploit Bubble’s No-Code Platform to Bypass Phishing Detection',
  'type': 'Phishing',
  'vulnerability_exploited': 'Abuse of Bubble’s no-code platform infrastructure, complex JavaScript bundles, Shadow DOM structures'
}