Bubble no-code platform exploited as phishing infrastructure to bypass Microsoft account security detection
Threat actors are abusing Bubble, a legitimate no-code app builder, to host credential-stealing phishing pages targeting Microsoft accounts whilst evading detection systems. The abuse of trusted platforms reduces security signal effectiveness and complicates credential compromise mitigation.
Affected
Threat actors have weaponised Bubble, a popular no-code application development platform, to generate and deploy malicious phishing applications at scale. By hosting credential-stealing pages on Bubble's infrastructure, attackers benefit from the platform's legitimate SSL certificates, established domain reputation, and general whitelisting across security filters. This approach significantly reduces detection friction compared to traditional attacker-controlled phishing domains, which security teams commonly flag based on domain age, registrar patterns, or SSL certificate metadata.
The technical mechanics involve creating seemingly legitimate login flows within Bubble applications that capture Microsoft account credentials (email and password) when victims interact with them. The platform's flexibility in hosting web applications with minimal friction allows rapid deployment and iteration. Victims likely arrive via social engineering, phishing emails, or credential stuffing campaigns, expecting to interact with a genuine Microsoft service. The Bubble infrastructure itself is not compromised; rather, threat actors are simply abusing the platform's intended functionality as hosting infrastructure, similar to how Google Sites, GitHub Pages, or other free hosting services have historically been misused.
Defenders face a compounded challenge here. Blocking Bubble entirely is operationally untenable for many organisations, as legitimate uses of the platform may exist. Email security tools and web gateways must contend with legitimate Bubble domains hosting malicious content, reducing the signal-to-noise ratio of domain-based reputation filtering. Microsoft account holders remain the primary target surface, suggesting either targeted campaigns or broad reconnaissance operations attempting to establish initial compromise for downstream lateral movement or account takeover.
Responsible parties should implement multi-layered detection: security teams should monitor for unusual Bubble subdomains in email traffic and browser access logs, enforce phishing-resistant authentication (FIDO2 hardware keys or passwordless sign-in) for sensitive accounts, and educate users on credential entry context (legitimate Microsoft logins should not occur outside official Microsoft domains). Bubble, for its part, should strengthen abuse reporting mechanisms, implement heuristic detection for credential collection patterns, and potentially restrict application templates that closely mimic known authentication flows.
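A small triage script for the first of these controls, added here as an illustration and not code from the original report or from Bubble: it scans constructed proxy/email URL log lines for apps hosted under Bubble's default hosting suffix (assumed to be `bubbleapps.io`) and scores each one by authentication-themed words in its host and path, so that lookalike login pages surface above ordinary business apps on the same platform.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in a "timestamp user= url=" shape, as a web proxy or
# email URL-rewrite log might export them. Not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice url=https://teams.microsoft.com/v2/
2024-05-01T09:14:51Z user=bob url=https://office365-login-verify.bubbleapps.io/version-test/login
2024-05-01T09:15:02Z user=carol url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
2024-05-01T09:20:44Z user=dave url=https://inventory-tracker.bubbleapps.io/dashboard
2024-05-01T09:22:10Z user=erin url=https://mail-sso-auth.bubbleapps.io/signin?session=1
"""

BUBBLE_SUFFIXES = ("bubbleapps.io",)  # assumption: Bubble's default app hosting domain
# Words that rarely belong in a genuine line-of-business app name but are typical of
# credential lures. Tune to the organisation's own vocabulary.
AUTH_LURE_WORDS = ("login", "signin", "sso", "auth", "microsoft",
                   "office", "o365", "verify", "password")
URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def is_bubble_host(host):
    """True for the Bubble suffix itself or any subdomain under it."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in BUBBLE_SUFFIXES)


def lure_score(url):
    """Count distinct authentication-themed words in the lowercase host and path."""
    parsed = urlparse(url)
    text = ((parsed.hostname or "") + parsed.path).lower()
    return sum(1 for w in AUTH_LURE_WORDS if w in text)


def triage(log_text, threshold=2):
    """Return (user, url, score) for Bubble-hosted URLs scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlparse(url).hostname or ""
        if not is_bubble_host(host):
            continue  # genuine Microsoft login domains and other traffic are out of scope here
        score = lure_score(url)
        if score >= threshold:
            um = USER_RE.search(line)
            hits.append((um.group(1) if um else "?", url, score))
    return hits
```

Each hit is a user who has already visited a suspect page, so it is a trigger for a password reset and session-revocation check rather than a block on its own.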
This incident exemplifies a broader defensive shortfall: the conflation of platform legitimacy with application trustworthiness. As no-code and low-code platforms democratise application development, they simultaneously democratise attack infrastructure. Organisations must assume that any hosted platform can host malicious content and shift focus from infrastructure reputation to endpoint detection, user behaviour analysis, and credential hygiene.