Bubble-based Microsoft account phishing campaign
Campaign
Summary
Threat actors are running an active phishing campaign that abuses Bubble-hosted web apps to evade detection while targeting Microsoft accounts. The setup matters because trusted .bubble.io links can slip past email security controls and deliver victims to fake Microsoft login pages. Stolen credentials may then be used to access Microsoft 365 email, calendar, and other sensitive data.
Related Happenings
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
EvilTokens phishing-as-a-service operation expands device code phishing and BEC
Threat Actor Meta
First: 01.04.2026 22:42
Last: 01.04.2026 22:42
Sources 1
About this happening:
**EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....
ConsentFix browser-native OAuth consent phishing campaign
Campaign
First: 14.01.2026 17:01
Last: 14.01.2026 17:01
Sources 1
About this happening:
The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...
Timeline
- 25.03.2026 21:48 · 2 articles
Kaspersky discloses Bubble-hosted Microsoft account phishing
Initial Disclosure
Kaspersky researchers describe threat actors abusing the no-code platform Bubble to generate and host malicious web apps under *.bubble.io in order to evade phishing detection while targeting Microsoft accounts. The malicious pages use large JavaScript bundles and Shadow DOM-heavy structures to avoid static and automated analysis, then redirect users to fake Microsoft login portals that are sometimes hidden behind a Cloudflare check. Credentials entered on the fraudulent pages can be stolen and used to access Microsoft 365 email, calendar, and other sensitive data.
- Bubble AI app builder abused to steal Microsoft account credentials — www.bleepingcomputer.com — 25.03.2026 21:48