
Phishing Campaign Leverages Bubble No‑Code AI Builder to Harvest Microsoft 365 Credentials

Threat actors are abusing Bubble's no‑code AI app builder to host malicious Microsoft login clones, allowing credential theft at scale. The use of a trusted domain bypasses typical email‑security filters, putting any organization that relies on Microsoft 365 at risk.

🛡️ LiveThreat™ Intelligence · 📅 March 26, 2026 · 📰 bleepingcomputer.com

Severity: 🟠 High
Type: 🔍 ThreatIntel
Confidence: 🎯 High
Affected: 🏢 5 sector(s)
Actions: 4 recommended
Source: 📰 bleepingcomputer.com

What Happened – Threat actors are abusing the no‑code, AI‑powered app‑building platform Bubble (*.bubble.io) to host malicious web apps that mimic Microsoft login pages. The legitimate Bubble domain bypasses most email‑security and web‑filtering solutions, allowing credential‑stealing pages to reach users undetected.

Why It Matters for TPRM

  • Credential theft of Microsoft 365 accounts can give attackers footholds in downstream SaaS environments, exposing data across multiple vendors.
  • Abuse of a trusted cloud‑hosted domain undermines traditional URL‑reputation controls, increasing the attack surface for all third‑party services that rely on Microsoft authentication.
  • The technique is likely to be packaged into Phishing‑as‑a‑Service kits, amplifying risk for lower‑tier actors targeting any organization that uses Microsoft 365.

Who Is Affected – Enterprises across all sectors that rely on Microsoft 365 for email, calendar, and collaboration, especially those that integrate third‑party SaaS solutions.

Recommended Actions

  • Review and tighten URL‑filtering policies to include scrutiny of Bubble‑hosted domains.
  • Enforce MFA and conditional access policies for all Microsoft 365 accounts.
  • Monitor for anomalous sign‑ins and credential‑theft indicators (e.g., impossible travel, new device registrations).
  • Engage with Bubble to understand their abuse‑prevention roadmap and consider restricting the use of Bubble‑generated apps for business processes.
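The first recommended action above calls for scrutiny of Bubble‑hosted URLs. The following is an added example (not code from this brief or from Bubble) of a small proxy‑log triage script: it flags any URL under *.bubble.io, exempts a hypothetical allow‑list of Bubble apps the organization knowingly uses, and escalates URLs that also carry Microsoft‑login lookalike cues. The log format and sample lines are constructed for the example.

```python
"""Triage web-proxy log lines for Bubble-hosted URLs (constructed sample data)."""
import re
from urllib.parse import urlparse

# Hosting domain named in the brief; any subdomain is treated as Bubble-hosted.
BUBBLE_DOMAIN = "bubble.io"
# Hypothetical allow-list of Bubble apps the organization actually relies on.
ALLOWED_APPS = {"ourvendorportal.bubble.io"}
# Cues a Microsoft 365 login clone is likely to carry in its host, path or query.
LOOKALIKE_CUES = ("login", "signin", "microsoft", "office", "o365", "sharepoint", "onedrive")

# Constructed format: "<timestamp> <user> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>https?://\S+)$")


def classify_url(url: str) -> str:
    """Return 'allow', 'review' or 'block' for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != BUBBLE_DOMAIN and not host.endswith("." + BUBBLE_DOMAIN):
        return "allow"                      # not Bubble-hosted: out of scope here
    if host in ALLOWED_APPS:
        return "allow"                      # known, sanctioned Bubble app
    haystack = f"{host}{parsed.path}?{parsed.query}".lower()
    if any(cue in haystack for cue in LOOKALIKE_CUES):
        return "block"                      # Bubble-hosted and Microsoft-themed
    return "review"                         # Bubble-hosted, no lookalike cue yet


def scan_log(lines):
    """Return [(user, url, verdict)] for every line that is not plainly allowed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # skip lines that do not fit the format
        verdict = classify_url(m["url"])
        if verdict != "allow":
            hits.append((m["user"], m["url"], verdict))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-26T09:14:02Z alice https://login.microsoftonline.com/common/oauth2",
    "2026-03-26T09:15:40Z bob https://login-m365-verify.bubble.io/version-test/signin",
    "2026-03-26T09:16:11Z carol https://ourvendorportal.bubble.io/dashboard",
    "2026-03-26T09:17:55Z dave https://inventory-tool.bubble.io/home",
]

if __name__ == "__main__":
    for user, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {user:6} {url}")
```

A "review" verdict is the useful middle ground: it surfaces new Bubble apps for a human decision instead of either blocking a legitimate vendor tool or silently allowing a lookalike that has not yet picked up an obvious cue.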

Technical Notes – The malicious Bubble apps deliver large, obfuscated JavaScript bundles and Shadow DOM structures that evade static analysis. Phishing pages are often hidden behind Cloudflare checks, further masking their true intent. No specific CVE is involved; the attack exploits the trust placed in the Bubble hosting domain. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/bubble-ai-app-builder-abused-to-steal-microsoft-account-credentials/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
