Bubble AI app builder abused to steal Microsoft account credentials
Farah Amod
April 9, 2026
Threat actors are exploiting a legitimate no-code app platform to bypass email security filters and redirect victims to fake Microsoft login pages.
What happened
Security researchers have identified a phishing campaign abusing Bubble, a no-code AI platform that lets users build and host web applications without writing code, to steal Microsoft account credentials. According to BleepingComputer, attackers are creating fraudulent apps on Bubble's infrastructure that redirect victims to fake Microsoft login pages, sometimes concealed behind a Cloudflare verification check designed to block automated security scanners. Because these apps are hosted on Bubble's legitimate domain, *.bubble.io, email security tools do not flag the links as suspicious. Any credentials entered on the fake login pages are sent directly to the attackers, who can then access email, calendar data, and other information tied to compromised Microsoft 365 accounts.
Going deeper
The campaign takes advantage of how Bubble generates app code. The platform produces large, intricate JavaScript bundles and Shadow DOM structures, which are isolated sections of web code that are difficult to inspect from the outside. These structures make it hard for both human analysts and automated security tools to identify malicious redirect logic hidden inside what appears to be a functional application. Researchers described the generated code as "a massive jumble of JavaScript and isolated Shadow DOM structures," noting that "even for an expert, it's difficult to grasp what's happening at first glance." Automated web analysis tools, they added, frequently conclude that the app is "just a functional, useful site." Researchers warned that this method is likely to be adopted by phishing-as-a-service (PhaaS) platforms, which are subscription-based criminal services that sell ready-made phishing tools to lower-tier attackers, and integrated into phishing kits that already offer two-factor authentication bypass, geo-fencing, and anti-analysis techniques.
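As an added illustration (not code from the researchers, Bubble, or this article), the following Python script shows one static triage heuristic a defender can run over a bundle served from an app-hosting domain: count shadow-root creation, locate client-side navigation sinks, and flag off-host URLs whose paths look like login pages. The sample bundle, the `bubble.io` hosting-domain parameter, the keyword list, and the scoring weights are all constructed assumptions; the article's point is that real generated bundles are far larger and defeat surface-level inspection, so this is a first-pass filter rather than a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample bundle (not from any real app): mounts a closed shadow
# root with a benign-looking placeholder, then sends the visitor to an
# external "login" URL. The destination host is a reserved example name.
SAMPLE_BUNDLE = r"""
(function () {
  var host = document.createElement('div');
  var root = host.attachShadow({ mode: 'closed' });
  root.innerHTML = '<p>Loading your shared document...</p>';
  document.body.appendChild(host);
  setTimeout(function () {
    window.location.replace('https://login-verify.example/common/oauth2/authorize');
  }, 1500);
})();
"""

# Client-side navigation sinks worth a second look in a "static" app bundle.
REDIRECT_SINKS = [
    r"location\.replace\s*\(",
    r"location\.assign\s*\(",
    r"location\.href\s*=",
    r"window\.open\s*\(",
    r"http-equiv\s*=\s*['\"]refresh",
]
# Path or host fragments that suggest a credential-harvesting destination.
LOGIN_KEYWORDS = ("login", "signin", "oauth2", "authorize", "sso", "verify")


def scan_bundle(js, hosting_domain):
    """Return heuristic findings for a JS bundle served from hosting_domain."""
    findings = {"shadow_roots": 0, "redirect_sinks": [], "suspicious_urls": []}
    findings["shadow_roots"] = len(re.findall(r"attachShadow\s*\(", js))
    for pattern in REDIRECT_SINKS:
        for m in re.finditer(pattern, js):
            line_no = js.count("\n", 0, m.start()) + 1
            findings["redirect_sinks"].append((line_no, m.group(0)))
    for url in re.findall(r"https?://[^\s'\"<>)]+", js):
        host = (urlparse(url).hostname or "").lower()
        on_host = host == hosting_domain or host.endswith("." + hosting_domain)
        if not on_host and any(k in url.lower() for k in LOGIN_KEYWORDS):
            findings["suspicious_urls"].append(url)
    return findings


def risk_score(findings):
    """Assumed weights: isolation alone is normal for generated apps; a
    navigation sink plus an off-host login URL is the combination described."""
    score = 0
    if findings["shadow_roots"]:
        score += 1
    if findings["redirect_sinks"]:
        score += 2
    if findings["suspicious_urls"]:
        score += 3
    return score


if __name__ == "__main__":
    result = scan_bundle(SAMPLE_BUNDLE, "bubble.io")
    print(result, "score:", risk_score(result))
```

On the constructed bundle the scan reports one shadow root, one `location.replace(` sink and one off-host login URL, for a score of 6; a bundle that only calls its own app's API on the hosting domain scores 0. Closed shadow roots cannot be walked from outside at runtime, which is why a static pass over the served script text is the practical place to look.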
What was said
Researchers described the obfuscation challenge posed by Bubble-generated code in their analysis, stating that "automated web-code analysis algorithms are even more likely to get tripped up, frequently reaching the verdict that this is just a functional, useful site." The findings were published in a report cited by BleepingComputer on March 25, 2026. BleepingComputer contacted Bubble for comment on the findings and on any plans to strengthen anti-abuse protections but had not received a response at the time of writing.
In the know
The abuse of legitimate platforms to harvest Microsoft credentials is a pattern running across multiple active campaigns. According to The Hacker News, a device code phishing campaign first identified on February 19, 2026, has targeted more than 340 Microsoft 365 organizations across the United States, Canada, Australia, New Zealand, and Germany. Device code phishing exploits a legitimate Microsoft authentication flow to generate access tokens that remain valid even after a victim resets their password. In that campaign, attackers wrapped malicious URLs inside redirect services from recognized security vendors to bypass spam filters before routing captured sessions through a separate cloud hosting platform. Healthcare, financial services, government, and nonprofits were among the sectors targeted. Researchers noted the technique is particularly difficult to detect because it routes through legitimate Microsoft infrastructure, giving users no visible indication that anything is wrong.
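Because the flow goes through legitimate Microsoft infrastructure, the detection opportunity is in the tenant's own sign-in logs rather than on the network. The Python below is an added example (not from The Hacker News, Microsoft, or this article) of a simple rule over sign-in records: every device-code sign-in is surfaced, and one from a country the user has never signed in from by ordinary means is escalated. The records are constructed, and the field names (`authenticationProtocol` with value `deviceCode`, `ipAddress`, `location.countryOrRegion`) are an assumption about the shape of Entra ID sign-in log entries; map them to whatever your SIEM actually exports.

```python
import json
from collections import defaultdict

# Constructed sign-in records (every value is made up). Field names follow the
# assumed shape of Entra ID sign-in log entries; treating
# authenticationProtocol == "deviceCode" as the device-code grant is part of
# that assumption.
SAMPLE_SIGNINS = [json.loads(line) for line in r"""
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "none", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}}
{"userPrincipalName": "bob@example.org", "authenticationProtocol": "none", "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"}}
""".strip().splitlines()]


def build_baseline(signins):
    """Countries each user has reached via ordinary (non device-code) sign-ins."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def flag_device_code_signins(signins):
    """Surface every device-code sign-in; escalate those from a country the
    user has no normal sign-in history from."""
    baseline = build_baseline(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        severity = "high" if country not in baseline[user] else "medium"
        alerts.append({"user": user, "ip": s["ipAddress"],
                       "country": country, "severity": severity})
    return alerts


def users_needing_session_revocation(alerts):
    """Tokens obtained through this flow survive a password reset (as the
    article notes), so high-severity hits need sessions revoked, not just a
    reset."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
    print("revoke sessions for:", users_needing_session_revocation(SAMPLE_SIGNINS and flag_device_code_signins(SAMPLE_SIGNINS)))
```

On the constructed data, alice's device-code sign-in from NL is rated high because her baseline is US-only, while bob's from his usual country is medium; only alice lands on the revocation list. If your organization has no legitimate use for the device-code flow, a conditional access policy that blocks it outright removes the need for this triage.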
The big picture
Attackers are systematically moving away from obviously suspicious domains toward legitimate cloud platforms and app-building services, exploiting the default trust that email security tools extend to well-known infrastructure. According to The Hacker News, a separate campaign documented in January 2026 abused Google Cloud's Application Integration service to send phishing emails from a legitimate Google address, bypassing authentication checks entirely and directing victims to fake Microsoft login pages hosted on non-Microsoft domains. Researchers described the tactic as "misuse of legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing." For healthcare organizations, the exposure is compounded by how heavily the sector depends on Microsoft 365. According to Paubox's 2026 Healthcare Email Security Report, Microsoft 365 is used by approximately 79 percent of healthcare organizations and accounted for 53 percent of breached organizations in 2025, up from 43 percent the previous year. The same report found that 31 percent of breached Microsoft 365 environments were classified as high risk, pointing to a persistent gap between what organizations pay for and how their security tools are actually configured.
FAQs
What is Bubble, and why is it being abused?
Bubble is a no-code AI platform that lets users build and host web applications without writing code. Attackers are exploiting it because apps hosted on Bubble's domain appear legitimate to email security filters, allowing phishing links to reach inboxes unchecked.
What is a Shadow DOM, and why does it complicate detection?
Shadow DOM is a browser feature that isolates sections of a web page's code from the rest of the document. When malicious redirect logic is embedded inside these structures, automated scanning tools often cannot inspect it properly and may classify the page as harmless.
What is phishing-as-a-service?
Phishing-as-a-service refers to criminal platforms that sell ready-made phishing tools, infrastructure, and templates to other attackers on a subscription basis. These platforms lower the technical skill required to launch sophisticated campaigns and are increasingly capable of bypassing multi-factor authentication.
What is an adversary-in-the-middle attack?
An adversary-in-the-middle (AiTM) attack intercepts a login session in real time, capturing both the user's credentials and their authentication session cookie. Attackers can then replay that session to access the account even if the victim has two-factor authentication enabled.
How can organizations reduce exposure to this type of attack?
Organizations should layer dedicated email security tools on top of platforms like Microsoft 365 rather than relying on default configurations alone. Monitoring for unusual login activity, enforcing conditional access policies, and ensuring DMARC is set to enforcement rather than monitor-only mode can reduce the risk of credential theft going undetected.
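Of the controls listed, DMARC enforcement is the one that can be checked mechanically from a domain's published record. The Python below is an added example (not from Paubox or this article) that parses a DMARC TXT record and reports whether it actually enforces, distinguishing monitor-only (`p=none`) from partial enforcement (an `sp=none` or `pct` below 100 that quietly weakens a `p=reject`). The records are constructed; the function takes record text so it runs offline, and in practice you would feed it the TXT record at `_dmarc.<domain>`.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a lower-cased tag dict ({} if not DMARC)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(txt):
    """Return (status, issues) where status is one of 'enforced', 'partial',
    'monitor-only', 'invalid' or 'missing'."""
    tags = parse_dmarc(txt)
    if not tags:
        return "missing", ["no valid DMARC record published"]
    issues = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if policy == "none":
        issues.append("p=none: monitor-only, spoofed mail is still delivered")
    elif not enforcing:
        issues.append(f"missing or unrecognized policy p={policy!r}")
    # Subdomain policy defaults to p when sp is absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and enforcing:
        issues.append("sp=none: subdomains fall back to monitor-only")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        issues.append("pct is not numeric; receivers treat it as 100")
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if not tags.get("rua"):
        issues.append("no rua= address: no aggregate reports, so abuse goes unseen")
    if enforcing and subdomain_policy != "none" and pct >= 100:
        status = "enforced"
    elif enforcing:
        status = "partial"
    elif policy == "none":
        status = "monitor-only"
    else:
        status = "invalid"
    return status, issues


# Constructed records for reserved example domains.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "nodmarc.example": "v=spf1 -all",
}


def audit(records):
    """Map each domain to its enforcement status."""
    return {domain: assess_dmarc(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, issues = assess_dmarc(record)
        print(f"{domain}: {status}", *issues, sep="\n  ")
```

A record that reads `p=reject` but carries `sp=none; pct=50` is the case to watch for: it looks enforced at a glance yet leaves subdomains unprotected and applies the policy to only half of failing mail. The `rua` check is listed as an issue without downgrading the status, since reporting does not change what receivers do with spoofed mail, but without it you will not see the abuse the article describes.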
