Abuse of Bubble AI app builder infrastructure in credential phishing campaigns targeting Microsoft accounts
Summary
Threat actors are leveraging the no-code AI-powered app-building platform Bubble to host and deliver credential phishing web apps targeting Microsoft accounts. The malicious apps are hosted on Bubble’s trusted *.bubble.io domain and evade email security controls because their complex JavaScript and Shadow DOM structures defeat static and automated analysis. Users are redirected to phishing portals mimicking Microsoft login interfaces, often protected by Cloudflare checks, which harvest credentials for Microsoft 365 access, including email, calendar, and sensitive data.
Timeline
- 25.03.2026 21:48 · 1 article
Credential phishing campaigns target Microsoft accounts via Bubble AI app builder abuse
Threat actors are hosting malicious web apps on Bubble’s *.bubble.io domain to deliver phishing pages mimicking Microsoft login portals. Complex JavaScript and Shadow DOM structures within Bubble-generated apps evade static and automated analysis, allowing campaigns to bypass email security controls, and the phishing pages may sit behind Cloudflare checks that further hinder automated analysis. Credentials entered on these phishing pages are exfiltrated to threat actors for access to Microsoft 365 accounts, including email and calendar data.
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48
Information Snippets
- Malicious Bubble apps are generated using AI-driven platform features, producing large, obfuscated JavaScript bundles and Shadow DOM structures that evade static and automated security analysis tools.
First reported: 25.03.2026 21:48 · 1 source, 1 article
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48
- Phishing campaigns exploit Bubble’s hosting infrastructure under the *.bubble.io domain, a trusted domain unlikely to trigger email security warnings.
First reported: 25.03.2026 21:48 · 1 source, 1 article
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48
- Phishing pages often mimic Microsoft login portals and may include Cloudflare checks to hinder automated detection and analysis.
First reported: 25.03.2026 21:48 · 1 source, 1 article
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48
- Stolen Microsoft account credentials are used to access email, calendar, and other sensitive Microsoft 365 data associated with compromised accounts.
First reported: 25.03.2026 21:48 · 1 source, 1 article
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48
- Kaspersky researchers warn that this tactic will likely be adopted by phishing-as-a-service (PhaaS) platforms and integrated into broader phishing kits, enhancing evasion capabilities for lower-tier cybercriminals.
First reported: 25.03.2026 21:48 · 1 source, 1 article
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48