Full Report
Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps. [...]
Analysis Summary
# Incident Report: Abuse of Bubble No-Code Platform for Microsoft Credential Theft
## Executive Summary
Threat actors are using the Bubble no-code, AI-assisted app-building platform to host malicious web applications that steal Microsoft account credentials. Because the apps sit on Bubble's legitimate infrastructure and consist of large, auto-generated JavaScript bundles, they pass reputation-based email security filters and confuse automated web analysis tools. The Bubble apps themselves mostly act as a redirection layer that forwards victims to adversary-in-the-middle (AiTM) phishing sites, where credentials and session cookies are captured.
## Incident Details
- **Discovery Date:** Reported March 25, 2026
- **Incident Date:** Ongoing (Active campaign)
- **Affected Organization:** Users of Microsoft 365 services
- **Sector:** Cross-sector (General targeting)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** 2026 (Active)
- **Vector:** Phishing via Email
- **Details:** Phishing emails contain links to legitimate `*.bubble.io` subdomains that host attacker-built apps. Because `bubble.io` itself carries a clean reputation, link-reputation checks in Secure Email Gateways (SEGs) do not flag the messages.
### Lateral Movement
- **Details:** Not part of the phishing stage itself; once credentials or session cookies are captured they are used to sign in to the victim's Microsoft 365 tenant, from which internal lateral movement can follow.
### Data Exfiltration/Impact
- **Details:** Capture of Microsoft account credentials, including potential session cookie theft. This grants access to sensitive emails, calendars, OneDrive files, and SharePoint data.
### Detection & Response
- **How it was discovered:** Identified by Kaspersky researchers through analysis of evasive phishing traffic.
- **Response actions:** Reporting of malicious subdomains to Bubble for teardown; publication of threat intelligence to alert organizations.
## Attack Methodology
- **Initial Access:** Phishing emails using reputable hosting services.
- **Persistence:** Not specific to the Bubble app; maintained via stolen credentials/session tokens.
- **Defense Evasion:** Use of legitimate `*.bubble.io` domains; the phishing content is assembled at runtime by very large, AI-generated JavaScript bundles and rendered inside Shadow DOM structures, which trips up automated scanners that rely on the page's static content.
- **Credential Access:** Fake Microsoft login portals; session cookie theft via AiTM (Adversary-in-the-Middle) techniques.
- **Lateral Movement:** Subsequent access to the victim’s Microsoft 365 ecosystem.
- **Impact:** Unauthorized access to corporate data and potential business email compromise (BEC).
## Impact Assessment
- **Financial:** High potential for BEC-related wire fraud.
- **Data Breach:** High risk; exposure of personal and corporate communications and documents.
- **Operational:** Disruption of secure communications; potential for account lockouts.
- **Reputational:** Risk to organizations whose employee accounts are used to propagate further attacks.
## Indicators of Compromise
- **Network indicators:**
- `hxxps[://]*[.]bubble[.]io/` (a hunting pivot rather than a block indicator: the wildcard covers every Bubble-hosted app, so look for subdomains your users have never visited before, especially ones reached from an email link)
- Redirection links leading to Cloudflare-protected phishing infrastructure.
- **Behavioral indicators:**
- Users visiting `bubble.io` subdomains followed immediately by Microsoft credential prompts.
- Large, obfuscated JavaScript execution originating from no-code platform domains.
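As an added example (not part of the original report), the following Python script correlates the two behavioral indicators above over a constructed sample of web-proxy logs: a request to a `*.bubble.io` subdomain followed, within a short window and with the Bubble app as referer, by requests to a host that is neither Bubble nor a genuine Microsoft sign-in endpoint, escalating when a POST (the credential submission) goes to that host. The JSON-lines log format, the hosts under `.example`, the Bubble subdomain names, the 120-second window and the Microsoft host allowlist are all assumptions made for the example.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample web-proxy log (JSON lines). Users, Bubble subdomains and
# every host under .example are made up for this example; not real telemetry.
SAMPLE_LOG = """
{"ts": "2026-03-25T09:14:02+00:00", "user": "alice", "method": "GET", "host": "app-sign-in-8f3.bubble.io", "path": "/", "referer": ""}
{"ts": "2026-03-25T09:14:05+00:00", "user": "alice", "method": "GET", "host": "secure-login-verify.example", "path": "/auth", "referer": "https://app-sign-in-8f3.bubble.io/"}
{"ts": "2026-03-25T09:14:06+00:00", "user": "alice", "method": "GET", "host": "secure-login-verify.example", "path": "/assets/app.js", "referer": "https://secure-login-verify.example/auth"}
{"ts": "2026-03-25T09:14:41+00:00", "user": "alice", "method": "POST", "host": "secure-login-verify.example", "path": "/auth/submit", "referer": "https://secure-login-verify.example/auth"}
{"ts": "2026-03-25T10:02:10+00:00", "user": "bob", "method": "GET", "host": "crm-demo.bubble.io", "path": "/", "referer": ""}
{"ts": "2026-03-25T10:02:12+00:00", "user": "bob", "method": "GET", "host": "login.microsoftonline.com", "path": "/common/oauth2/v2.0/authorize", "referer": "https://crm-demo.bubble.io/"}
{"ts": "2026-03-25T11:30:00+00:00", "user": "carol", "method": "GET", "host": "intranet-forms.bubble.io", "path": "/", "referer": ""}
{"ts": "2026-03-25T11:45:00+00:00", "user": "carol", "method": "GET", "host": "news.example", "path": "/", "referer": ""}
{"ts": "2026-03-25T12:00:00+00:00", "user": "dave", "method": "GET", "host": "hr-portal-2.bubble.io", "path": "/", "referer": ""}
{"ts": "2026-03-25T12:00:03+00:00", "user": "dave", "method": "GET", "host": "docs-view.example", "path": "/doc", "referer": "https://hr-portal-2.bubble.io/"}
"""

APP_BUILDER_SUFFIXES = ("bubble.io",)   # assumption: extend with other no-code hosts as needed
# Assumption: genuine Microsoft sign-in endpoints. A Bubble app that hands off to
# Entra ID SSO lands here and must not be treated as a redirect to a lookalike.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
WINDOW_SECONDS = 120                    # assumption: how quickly the redirect follows the Bubble visit


def host_matches(host, suffixes):
    """Label-aware suffix match: 'x.bubble.io' matches, 'notbubble.io' does not."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_log(text):
    """Yield one dict per log line with a numeric timestamp and the referer's host."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"]).timestamp()
        rec["host"] = rec["host"].lower()
        rec["referer_host"] = (urlsplit(rec.get("referer", "")).hostname or "").lower()
        yield rec


def detect(text):
    """Return alerts for Bubble visit -> off-platform redirect -> (optional) POST chains, per user."""
    last_builder_hit = {}   # user -> timestamp of that user's most recent *.bubble.io request
    chains = {}             # (user, host) -> alert under construction
    for rec in parse_log(text):
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        if host_matches(host, APP_BUILDER_SUFFIXES):
            last_builder_hit[user] = ts
            continue
        if host in MICROSOFT_LOGIN_HOSTS:
            continue  # real Microsoft sign-in, not a lookalike
        chain = chains.get((user, host))
        if chain is None:
            t0 = last_builder_hit.get(user)
            # Open a chain only when the Bubble app itself referred the user here, shortly after the visit.
            if (t0 is None or ts - t0 > WINDOW_SECONDS
                    or not host_matches(rec["referer_host"], APP_BUILDER_SUFFIXES)):
                continue
            chain = chains[(user, host)] = {
                "user": user, "host": host, "via": rec["referer_host"],
                "severity": "medium", "credential_post": False,
            }
        if rec["method"].upper() == "POST":
            # A form submission to the redirect target is the credential-capture step.
            chain["severity"] = "high"
            chain["credential_post"] = True
    return sorted(chains.values(), key=lambda a: (a["user"], a["host"]))


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

On the sample, alice's chain (Bubble app, redirect with Bubble referer, then a POST 39 seconds later) is reported as high, dave's redirect without a submission as medium, bob's hand-off to `login.microsoftonline.com` is ignored as legitimate SSO, and carol's unrelated browsing 15 minutes later does not open a chain at all.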
## Response Actions
- **Containment:** Blocked known malicious subdomains at the web proxy level.
- **Eradication:** Password resets and session revocation for affected Microsoft 365 accounts.
- **Recovery:** Implementation of hardware-based MFA to mitigate AiTM risks.
## Lessons Learned
- **Architecture over Reputation:** Security tools relying solely on domain reputation are easily bypassed by hosting malicious logic on trusted SaaS platforms ("Living off the Cloud").
- **AI Complexity:** Automated analysis tools struggle with the jumbled, high-volume code generated by AI app builders.
- **Cloud Trust:** Attackers are increasingly moving from "hosting" files to "building" apps on legitimate platforms to hide their intent.
## Recommendations
- **Technical Controls:** Implement FIDO2/WebAuthn-based Multi-Factor Authentication (e.g., YubiKeys). The authenticator's assertion is bound to the origin the browser is actually on, so a sign-in proxied through an AiTM lookalike domain fails and the attacker never obtains a session. This protects the sign-in, not tokens taken from an already authenticated session, so keep session revocation and conditional access policies in place alongside it.
- **Monitoring:** Configure SIEM/EDR alerts for traffic to app-building platforms such as Bubble, AppSheet, or Glide, baselined against the apps your organization legitimately uses, and correlate a first-seen app-builder subdomain with a subsequent form submission to a non-Microsoft host.
- **Email Security:** Update email filters to flag (or rewrite for click-time analysis) messages from external or unknown senders that contain links to app-builder domains.
- **Awareness:** Train employees to recognize that a "secure" or "trusted" domain in the URL bar does not guarantee the legitimacy of a login prompt.
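As an added example (not the report's or Bubble's own code), here is a minimal SEG-style rule in Python that implements the email-security recommendation above: it extracts links from a message, matches their hosts against app-builder domains with a label-aware suffix check (so a lookalike such as `notbubble.io` does not match), and treats an external sender linking to such a host more severely than an internal one. The sample messages, the `corp.example` internal domain, the `.example` senders, and the hosting domains assumed for AppSheet (`appsheet.com`) and Glide (`glideapp.io`) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"corp.example"}     # assumption: the organization's own mail domain(s)
# bubble.io comes from the report; the AppSheet and Glide hosting domains are assumptions.
APP_BUILDER_SUFFIXES = ("bubble.io", "appsheet.com", "glideapp.io")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample messages (not real mail). Senders and links are made up.
MSG_EXTERNAL = """From: "SharePoint Notifications" <notify@mail-notify.example>
To: alice@corp.example
Subject: Document shared with you
Content-Type: text/html; charset=utf-8

<html><body><p>A document was shared with you.</p>
<a href="https://doc-share-44.bubble.io/view">Open in SharePoint</a></body></html>
"""

MSG_INTERNAL = """From: IT Service Desk <it@corp.example>
To: all-staff@corp.example
Subject: New expense form
Content-Type: text/plain; charset=utf-8

The expense form now lives at https://intranet-forms.bubble.io/expenses.
"""

MSG_LOOKALIKE = """From: newsletter@vendor.example
To: alice@corp.example
Subject: Weekly update
Content-Type: text/plain; charset=utf-8

Read more at https://www.notbubble.io/weekly and https://vendor.example/blog
"""


def host_matches(host, suffixes):
    """Label-aware suffix match so 'notbubble.io' is not mistaken for 'bubble.io'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def sender_domain(msg):
    """Domain of the From address (empty string if absent or malformed, which counts as external)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def extract_urls(msg):
    """Collect http(s) URLs from every text part; for HTML the href, not the link text, is what matters."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            urls.update(u.rstrip(".,;)") for u in URL_RE.findall(body))
    return urls


def classify(raw_message):
    """Return a filter verdict (quarantine, tag or deliver) with the app-builder links found."""
    msg = message_from_string(raw_message)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    hits = sorted(u for u in extract_urls(msg)
                  if host_matches(urlsplit(u).hostname or "", APP_BUILDER_SUFFIXES))
    if hits and external:
        return {"action": "quarantine", "reason": "external sender links to an app-builder host", "urls": hits}
    if hits:
        return {"action": "tag", "reason": "internal sender links to an app-builder host", "urls": hits}
    return {"action": "deliver", "reason": "no app-builder links", "urls": []}


if __name__ == "__main__":
    for name, raw in (("external", MSG_EXTERNAL), ("internal", MSG_INTERNAL), ("lookalike", MSG_LOOKALIKE)):
        print(name, classify(raw))
```

The internal case is tagged rather than quarantined because organizations do build legitimate apps on these platforms; a production rule would usually combine the verdict with sender authentication results (SPF/DKIM/DMARC) and a first-seen check on the specific subdomain rather than acting on the domain match alone.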