


Perceptive Security
SOC/SIEM Consultancy

Bubble AI app builder abused to steal Microsoft account credentials
Published:
25 March 2026 at 19:48:36
Alert date:
25 March 2026 at 20:00:51
Source:
bleepingcomputer.com
Web Technologies, Identity & Access, Emerging Technologies, Email & Messaging
Threat actors are exploiting the Bubble no-code app-building platform to create and host malicious web applications designed to steal Microsoft account credentials. This technique allows attackers to evade traditional phishing detection mechanisms by leveraging legitimate infrastructure. The campaign specifically targets Microsoft users through sophisticated phishing applications that appear legitimate due to their hosting on the trusted Bubble platform. This represents a novel abuse of legitimate development platforms for credential harvesting purposes.
Technical details
Threat actors are using the no-code AI-powered Bubble platform to create malicious web apps hosted on *.bubble.io domains to evade phishing detection. The apps consist of large, complex JavaScript bundles and Shadow DOM-heavy structures that are difficult to analyze and not flagged by automated security tools. These apps redirect users to fake Microsoft login portals, sometimes hidden behind Cloudflare checks, to steal credentials for Microsoft 365 accounts.
Mitigation steps:
Monitor for suspicious *.bubble.io domains in email communications, implement enhanced scrutiny of no-code platform-generated applications, strengthen email security solutions to detect abuse of legitimate platforms, and educate users about phishing tactics that use trusted domains.
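One way to implement the first mitigation step, monitoring email for *.bubble.io links, shown as an added example that is not part of the original alert or of any vendor tooling. The allowlist entry, the function names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

PLATFORM_SUFFIX = "bubble.io"                    # from the alert: apps hosted on *.bubble.io
SANCTIONED_APPS = {"intranet-tools.bubble.io"}   # hypothetical allowlist of approved apps
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""", re.IGNORECASE)

# Constructed sample message (quoted-printable HTML, as mail gateways often see it).
SAMPLE = """\
From: it-support@example.com
To: user@example.org
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Review: <a href=3D"https://Acct-Review-7731.bubble.io/sign?x=3D1">open</a></p>
<p>Help: https://bubble.io.example.net/faq and https://intranet-tools.bubble.io/</p>
<p>https://login.example.com@doc-share-22.bubble.io/view</p>
"""

def is_platform_host(host):
    # Match subdomains only: rejects "notbubble.io" and "x.bubble.io.example.net".
    host = host.rstrip(".").lower()
    return host.endswith("." + PLATFORM_SUFFIX)

def bubble_links(raw_email):
    """Return sorted, de-duplicated *.bubble.io hosts linked from any text part."""
    msg = message_from_string(raw_email, policy=default)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):  # transfer encoding is decoded
            try:
                host = (urlsplit(url).hostname or "").rstrip(".")  # ignores user@ prefix
            except ValueError:
                continue                                # malformed URL, skip it
            if is_platform_host(host) and host not in SANCTIONED_APPS:
                hits.add(host)
    return sorted(hits)

if __name__ == "__main__":
    print(bubble_links(SAMPLE))
```

Links wrapped by URL shorteners or redirectors are not resolved here, so this check complements gateway-side URL analysis and does not replace it.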
Affected products:
Bubble platform
Microsoft 365
Microsoft accounts
Related links:
Related CVEs:
Related threat actors:
IOCs:
*.bubble.io domains used for phishing, complex JavaScript bundles with Shadow DOM structures, fake Microsoft login portals
This article was created with the assistance of AI technology by Perceptive.
