
- Cybercriminals abuse Bubble.io no-code platform to host phishing apps
- Trusted domain bypasses email security, tricking victims into Microsoft 365 credential theft
- Kaspersky warns technique likely to spread via Phishing-as-a-Service kits, making attacks more dangerous
Cybercriminals have been seen abusing a legitimate AI app builder platform to bypass email security protections and land phishing emails directly in people’s inboxes.
Security researchers at Kaspersky identified the abused platform as Bubble.io, a no-code visual programming platform that allows users to create entire web and mobile apps without writing a single line of code. However, this means hackers could also use the drag-and-drop editor, or an AI chatbot, to generate complex JavaScript and frontend structure, embed malicious functionality, and host the website on the bubble.io domain.
Then, they would send phishing emails to their victims, targeting their Microsoft 365 accounts. The emails would contain a link to the Bubble-hosted app, and since it is hosted on a trusted domain, email security solutions don’t flag it and the message lands in the inbox.
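The filtering gap described above, as an added example that is not from Kaspersky or Bubble: a reputation-only link check beside one that refuses to let user-built apps inherit the hosting platform's reputation. The domain lists, function names and the `example-tenant` hostname are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this filter treats as reputable (constructed list).
TRUSTED_DOMAINS = {"bubble.io", "microsoft.com"}
# Assumption: trusted domains that also serve apps built by arbitrary users.
USER_CONTENT_PLATFORMS = {"bubble.io"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def parent_domain(host, domains):
    """Return the entry in `domains` that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def naive_verdict(url):
    """Reputation-only check: any host under a trusted domain is waved through."""
    host = urlsplit(url).hostname or ""
    return "allow" if parent_domain(host, TRUSTED_DOMAINS) else "scan"

def tenant_aware_verdict(url):
    """Same check, but user-built apps do not inherit the platform's reputation."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    platform = parent_domain(host, USER_CONTENT_PLATFORMS)
    if platform and host not in (platform, "www." + platform):
        return "scan"
    return naive_verdict(url)

def review(email_body):
    """Return (url, naive verdict, tenant-aware verdict) for each link found."""
    return [(u, naive_verdict(u), tenant_aware_verdict(u))
            for u in URL_RE.findall(email_body)]

# Constructed sample message; the app hostname is a placeholder.
SAMPLE_EMAIL = """Your Microsoft 365 password expires today.
Sign in to keep access: https://example-tenant.bubble.io/login
Platform home page: https://bubble.io/
Unrelated lookalike: https://notbubble.io/login
"""

if __name__ == "__main__":
    for row in review(SAMPLE_EMAIL):
        print(row)
```

Links that come back as "scan" would go on to content inspection or detonation rather than being delivered on the strength of the parent domain alone.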
Kaspersky predicts a bright future for the dark technique
The apps themselves often mimic a Microsoft login portal hidden behind a Cloudflare check. Victims who don’t spot the trick will end up sharing their login credentials with the attackers, who can then use the access to target organizations, steal data, or deploy ransomware.
Given the novelty and the success of this method, Kaspersky believes it is bound to become a lot more popular in the near future. The researchers speculate that many Phishing-as-a-Service (PhaaS) providers will soon start integrating this technique into their phishing kits, especially those used by less-skilled, newbie criminals.
Such platforms are already quite advanced, capable of stealing 2FA codes in transit, defending against analysis through geo-fencing and other methods, and using AI to generate convincing email copy.
By abusing legitimate platforms such as Bubble, these PhaaS platforms will only get better and more dangerous. It is also worth mentioning that abusing legitimate businesses is not a new method by any means - we’ve seen PayPal, Google Tasks, Microsoft Azure Monitor alerts, and many other features used in this respect before.
"We are aware of reports that bad actors have attempted to misuse Bubble-hosted applications as part of phishing campaigns," the company told TechRadar Pro in a statement.
"Bubble's platform has not been breached, no infrastructure has been compromised. This is a case of cybercriminals exploiting a legitimate platform, a technique commonly used against many major services. We have proactive safeguards in place to prevent and address this kind of abuse, take swift action when violations are flagged, and are continuing to invest in protections for our community."
Via BleepingComputer