Kaspersky researchers have uncovered a sophisticated phishing method that exploits Bubble one of the world’s most widely used no‑code application builders to bypass traditional security controls and deliver highly convincing credential‑harvesting attacks.
Bubble enables developers to build applications through a visual interface without writing code. That same ease of use is now being weaponised by cybercriminals. According to Kaspersky, attackers are generating intermediary web applications directly on Bubble’s trusted infrastructure, using domains such as *.bubble.io to make phishing links appear legitimate and evade automated detection systems.
Unlike traditional phishing attempts that redirect users through suspicious URLs or malicious scripts, these Bubble‑hosted applications act as stealth redirectors, silently forwarding unsuspecting victims to carefully crafted fake login portals. In the observed campaign, victims were ultimately taken to a fraudulent Microsoft login page protected behind a Cloudflare verification screen making the malicious activity even harder to identify.
“The use of legitimate platforms like Bubble introduces a new level of trust abuse, making it harder for both users and automated systems to distinguish between safe and malicious content.”
— Roman Dedenok, Anti‑Spam Expert, Kaspersky
A New Layer in Phishing-as-a-Service (PhaaS)
Kaspersky warns that this technique is likely being integrated into modern Phishing‑as‑a‑Service platforms, which already offer extensive capabilities including:
- Real‑time interception of authentication session cookies
- Adversary‑in‑the‑Middle (AiTM) attacks capable of bypassing MFA
- AI‑generated phishing emails
- Geo‑filtering and anti‑crawler logic
- Hosting on legitimate cloud services such as AWS to avoid blacklisting
These advanced kits allow even low‑skill attackers to run professional‑grade phishing operations, dramatically increasing the scale and sophistication of cybercrime campaigns.
Trusted Platforms Becoming Attack Vectors
Kaspersky’s Roman Dedenok said the abuse of trusted no‑code platforms represents a worrying trend. By leveraging legitimate services that are widely whitelisted in enterprise environments, attackers can camouflage malicious activity within normal traffic patterns—raising the risk of corporate credential theft and unauthorized access.
Kaspersky’s Recommendations
To protect against this evolving threat, Kaspersky advises organizations to:
- Educate employees about entering credentials only on verified internal platforms
- Deploy security tools that can detect suspicious redirects and unknown phishing destinations
- Strengthen email gateway defenses with advanced anti‑phishing capabilities
- Incorporate fresh threat intelligence into security operations
As no‑code platforms continue to reshape software development, their misuse by attackers highlights the growing challenge of trust abuse where legitimate tools become conduits for increasingly deceptive cyberattacks.
