Phishing Campaigns Exploit No-Code AI Platform Bubble to Target Microsoft Accounts
Cybercriminals are leveraging the **Bubble** no-code app development platform to bypass traditional phishing detection mechanisms. By hosting malicious web applications on a legitimate domain, attackers are successfully redirecting users to credential-harvesting pages disguised as **Microsoft** login portals.

Phishing campaigns are evolving, and security researchers at **Kaspersky** have uncovered a new tactic: abusing the **Bubble** no-code app-building platform. This allows threat actors to generate and host malicious web applications designed to steal **Microsoft** account credentials.
### Bypassing Security Measures
The key to this method's success lies in the legitimacy of the hosting platform. Because the phishing web app resides on a trusted `*.bubble.io` domain, email security solutions are less likely to flag the link as malicious, allowing unsuspecting users to access the page.
These pages often mimic **Microsoft** login portals, sometimes hidden behind a **Cloudflare** check, adding another layer of deception.
Any credentials entered on these fake web pages are immediately siphoned off to the attackers. This grants them unauthorized access to email, calendar data, and other sensitive information associated with **Microsoft 365** accounts.
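
The filtering gap described above comes from trusting the parent domain. As an added example (not code from Kaspersky, BleepingComputer or Bubble), this Python check treats every `*.bubble.io` subdomain as a separate tenant and flags links to tenants that are not on an allowlist; the allowlist entry, function names and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Suffixes where every subdomain is a separate, untrusted tenant.
# "bubble.io" is from the article; add other app-hosting platforms as needed.
SHARED_HOSTING_SUFFIXES = {"bubble.io"}
# Hypothetical allowlist of Bubble apps the organisation itself runs.
APPROVED_TENANTS = {"intranet-tools.bubble.io"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def tenant_host(url):
    """Return the normalised hostname of a URL, or None if unparsable."""
    try:
        host = urlsplit(url).hostname  # drops userinfo/port, lowercases
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def is_shared_tenant(host):
    """True if host is a subdomain of a shared-hosting suffix."""
    # The leading dot enforces a label boundary, so "notbubble.io" and
    # "bubble.io.example.net" do not match, nor does the platform's own apex.
    return any(host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def flag_links(body):
    """Return (url, host) pairs pointing at unapproved shared-hosting tenants."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")  # trailing sentence punctuation
        host = tenant_host(url)
        if host and is_shared_tenant(host) and host not in APPROVED_TENANTS:
            hits.append((url, host))
    return hits


# Constructed sample message body, not taken from a real campaign.
SAMPLE = """Your mailbox is almost full. Review here:
https://Doc-Review-4471.BUBBLE.io/signin?id=1
Company tool: https://intranet-tools.bubble.io/home
Unrelated: https://notbubble.io/ and https://bubble.io.example.net/x
Platform site: https://bubble.io/pricing
"""

if __name__ == "__main__":
    for url, host in flag_links(SAMPLE):
        print("review:", host, url)
```

A hit here is a reason to send the link for rendering-based inspection or user confirmation, not proof of phishing, since legitimate apps are hosted on the same suffix.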

### How Bubble is Abused
**Bubble** is an AI-powered, no-code platform that allows users to create applications by simply describing their desired functionality. The platform then automatically generates the backend logic and frontend code.
Attackers are exploiting this by creating **Bubble** apps that consist of complex JavaScript bundles and Shadow DOM-heavy structures. These obfuscated structures make it difficult for static and automated analysis tools to identify malicious redirection scripts.
"The code generated by this no-code platform is a massive jumble of JavaScript and isolated Shadow DOM (Document Object Model) structures," **Kaspersky** explains. "Even for an expert, it's difficult to grasp what's happening at first glance; you really have to dig through it to understand how it all works and what the purpose is."

### Phishing-as-a-Service (PhaaS) Implications
Researchers warn that this technique is likely to be adopted by PhaaS platforms and integrated into phishing kits. These kits already offer features like session cookie theft, adversary-in-the-middle (AiTM) layers to bypass two-factor authentication (2FA), geo-fencing, anti-analysis tricks, and AI-generated email content. The abuse of legitimate platforms like **Bubble** will only increase the stealth and effectiveness of these attacks.
**BleepingComputer** has reached out to **Bubble** for comment but has not yet received a response.