Bubble AI App Builder Abused to Steal Microsoft Account Credentials


BleepingComputer, Mar 25, 2026

Why It Matters

Using a reputable SaaS platform to deliver phishing content dramatically raises the success rate of credential theft against Microsoft 365 users and signals a new evasion vector that security teams must address.

Key Takeaways

  • Bubble's *.bubble.io domain is trusted, so links to it evade email filters.
  • Phishing pages mimic the Microsoft login and sit behind Cloudflare checks.
  • Complex JavaScript and Shadow DOM hide malicious redirects.
  • Kaspersky warns of adoption by Phishing-as-a-Service kits.
  • Bubble hasn't commented on mitigation or abuse prevention.

Pulse Analysis

Bubble’s rise as an AI‑driven, no‑code development environment has unintentionally created a fertile ground for cybercriminals. The platform’s core promise—auto‑generating full‑stack applications from plain language prompts—produces complex JavaScript bundles and Shadow DOM layers that appear legitimate to automated scanners. Because the final product is hosted on Bubble’s own subdomains, security gateways that rely on reputation‑based blocking treat the links as safe, allowing phishing pages to slip past traditional email filters and web gateways.

The impact on Microsoft 365 ecosystems is significant. Attackers craft pages that replicate the familiar Microsoft sign‑in experience, often concealed behind Cloudflare’s challenge pages to further mask malicious intent. When victims enter credentials, the data is funneled directly to threat actors, enabling unauthorized access to email, calendar, and other enterprise resources. Kaspersky’s observation that this technique is likely to be packaged into Phishing‑as‑a‑Service offerings suggests a democratization of sophisticated evasion tactics, lowering the barrier for lower‑tier criminals to launch high‑impact credential‑harvesting campaigns.

Defending against this emerging threat requires a shift from domain‑centric controls to behavior‑based detection. Organizations should augment email security with real‑time URL analysis that inspects page content and JavaScript behavior, even on trusted domains. Meanwhile, SaaS providers like Bubble must implement stricter abuse monitoring, such as automated scanning for phishing templates and rapid takedown processes. Collaboration between platform operators, security vendors, and enterprise defenders will be essential to curb the abuse of legitimate development tools for malicious ends.
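
One way to express the content-over-reputation check described above, as an added example (not code from the article, Kaspersky or Bubble). The host allowlist, brand keywords, function names and the two sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative allowlist of genuine Microsoft sign-in hosts.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_RE = re.compile(r"microsoft|office\s*365", re.I)
SHADOW_RE = re.compile(r"\battachShadow\s*\(")
PASSWORD_JS_RE = re.compile(r"""type\s*[=:]\s*["']password["']""", re.I)

class PageFeatures(HTMLParser):
    """Collects password inputs, visible text and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.text, self.scripts = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def inspect_page(url, html):
    """Return content-based findings; the host's reputation is never consulted."""
    host = (urlparse(url).hostname or "").lower()
    if host in MS_LOGIN_HOSTS:
        return []  # genuine sign-in host, nothing to flag
    page = PageFeatures()
    page.feed(html)
    page.close()
    text, js = " ".join(page.text), "\n".join(page.scripts)
    findings = []
    if BRAND_RE.search(text) and page.password_inputs:
        findings.append("microsoft-branded password form on non-microsoft host")
    if SHADOW_RE.search(js) and PASSWORD_JS_RE.search(js):
        findings.append("script builds password field inside shadow dom")
    return findings

# Constructed samples (not taken from any real campaign).
BRANDED = "<title>Sign in to your Microsoft account</title><form><input type='email'><input type='password'></form>"
SHADOW = "<title>Portal</title><div id='h'></div><script>const r=document.getElementById('h').attachShadow({mode:'open'});r.innerHTML='<input type=\"password\">';</script>"
```

Static inspection like this only sees markup and inline script text; pages that assemble the form from bundled JavaScript need the same checks run against the DOM rendered in a sandboxed browser.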
