App Builder Bubble.io Used in Phishing Campaigns

March 26, 2026 | Source: TechRadar
Ulaş Doğru

Software & Startup Analyst

Attackers are abusing Bubble.io to host convincing phishing pages that harvest Microsoft account credentials. Users and admins should verify links and enable multi-factor authentication.

Bubble.io, a no-code app builder popular with startups and makers, is being leveraged in sophisticated phishing campaigns that target Microsoft account credentials. Threat actors are creating seemingly legitimate pages on the platform to trick users into entering sign-in details, according to recent security reporting.

Because Bubble lets people rapidly deploy web apps without deep development expertise, attackers can spin up convincing login forms and hosting environments that appear trustworthy. The phishing lures reportedly emulate Microsoft sign-in interfaces and may be delivered via email or shared links, increasing the chance that recipients will follow through and enter sensitive information.

Security researchers say the campaigns stand out for their level of polish: pages hosted on Bubble can use real SSL certificates and custom domains, which weakens the visual cues users typically rely on to detect scams. That said, the underlying tactic remains credential harvesting: once attackers collect Microsoft account credentials, they can attempt access to email, cloud services, or other linked resources.

Practical advice for users and organizations includes checking the actual domain of any login prompt, enabling multi-factor authentication (MFA) on accounts, and avoiding authentication through links received in unsolicited messages. Administrators should monitor for suspicious OAuth grants and unusual sign-in patterns, and consider blocking known malicious domains or implementing conditional access policies.
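
The domain check recommended above, sketched as an added Python example (not code from the original article, Bubble, or Microsoft): it extracts the host a browser would actually connect to and compares it with a short allowlist of Microsoft sign-in hosts. The allowlist, the lure keywords, the `bubbleapps.io` suffix (assumed here to be Bubble's default hosting domain) and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Microsoft sign-in hosts treated as legitimate (assumption: extend for your tenant).
MS_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumption: bubbleapps.io is Bubble's default app-hosting domain; the article does not name it.
APP_BUILDER_SUFFIXES = ("bubbleapps.io",)
# Words suggesting a link is presented as a Microsoft login (illustrative list).
LURE_WORDS = ("microsoft", "office365", "o365", "outlook", "sharepoint", "onedrive")


def actual_host(url):
    """Return the host the browser would really connect to, lowercased."""
    # urlsplit ignores any "user@" prefix, so "https://login.live.com@x.example/" yields x.example.
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".").lower()


def classify_link(url, lure_text=""):
    """Return 'microsoft', 'suspicious-app-builder', 'suspicious' or 'other'."""
    host = actual_host(url)
    if host in MS_SIGNIN_HOSTS:
        return "microsoft"
    haystack = (url + " " + lure_text).lower()
    claims_microsoft = any(word in haystack for word in LURE_WORDS)
    on_builder = any(host == s or host.endswith("." + s) for s in APP_BUILDER_SUFFIXES)
    if claims_microsoft and on_builder:
        return "suspicious-app-builder"
    if claims_microsoft:
        # Also covers custom domains, which the article notes Bubble-hosted pages can use.
        return "suspicious"
    return "other"


# Constructed sample links and message text (not taken from any real campaign).
SAMPLES = [
    ("https://login.microsoftonline.com/common/oauth2/authorize", "Sign in"),
    ("https://acme-portal.bubbleapps.io/login", "Microsoft 365: verify your account"),
    ("https://login.microsoftonline.com.docs-portal.example/signin", ""),
    ("https://login.live.com@files.example/auth", "Outlook password expiry"),
    ("https://intranet.example/wiki", "Team wiki"),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        print(f"{classify_link(url, text):24} {actual_host(url):45} {url}")
```

Exact host matching is deliberate: a substring or prefix comparison would accept the third and fourth samples, where the Microsoft hostname appears in the URL but is not the host being contacted.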

Bubble.io has not been directly compromised; rather, its platform is being used as a hosting vehicle by malicious actors. Platform providers and security teams will likely need to increase detection of abusive app creation and improve takedown coordination to reduce the platform’s misuse.
