Threat actors are evading phishing detection by building and hosting malicious web apps on the no-code platform Bubble to target Microsoft accounts. Because Bubble apps live on the trusted *.bubble.io domain and use complex JavaScript and Shadow DOM that defeat automated analysis, links to them often bypass email security, and credentials entered on the fake Microsoft login pages are stolen. #Bubble #Microsoft365
Key points
- Actors host phishing pages on Bubble's *.bubble.io domain to bypass email security filters.
- Generated apps use massive JavaScript bundles and Shadow DOM to mask redirection and malicious behavior.
- Phishing pages mimic Microsoft login portals and may be hidden behind Cloudflare checks to appear legitimate.
- Stolen credentials give attackers access to Microsoft 365 services like email and calendar.
- Researchers warn PhaaS platforms and phishing kits will adopt no-code platform abuse, increasing campaign stealth.
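
Because the reputation of *.bubble.io says nothing about an individual app hosted under it, a mail pipeline can mark such links for rendering or analyst review instead of passing them on domain trust. The following is an added example, not code from the original report: the function names, the review policy and the sample message are assumptions, and the hostnames are constructed placeholders rather than indicators.

```python
import re
from urllib.parse import urlsplit

# Shared no-code hosting suffix named in the report; other platforms can be appended.
SHARED_HOSTING_SUFFIXES = ("bubble.io",)

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def hosted_on_shared_platform(url, suffixes=SHARED_HOSTING_SUFFIXES):
    """Return the tenant label(s) if url sits on a *.suffix host, else None."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unbalanced '['
        return None
    for suffix in suffixes:
        # Require a dot boundary so 'notbubble.io' and 'bubble.io.example.net'
        # do not match, and the platform's own apex site is not treated as a tenant.
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None


def triage_links(body):
    """Extract links from a message body and mark tenant-hosted ones for review."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        tenant = hosted_on_shared_platform(url)
        findings.append({"url": url, "tenant": tenant, "review": tenant is not None})
    return findings


# Constructed sample message for the example.
SAMPLE_BODY = """\
Your mailbox storage is almost full. Sign in to keep your account:
https://example-tenant.bubble.io/signin?ref=mail
Docs: https://bubble.io/pricing
Lookalike: https://bubble.io.example.net/login
Also https://notbubble.io/x and https://Example-Tenant.BUBBLE.IO./a.
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_BODY):
        print(finding)
```

A match here only says the link points at a tenant app on a shared platform; the decision about the page itself still has to come from rendering it, since the report notes the apps hide their behavior behind large JavaScript bundles and Shadow DOM.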