Security researchers have documented phishing campaigns that leverage Bubble—a no-code, AI-assisted app builder—to host intermediary web apps used in Microsoft account credential theft.

The key advantage for attackers is trust: Bubble-hosted apps live under a legitimate *.bubble.io domain, which is less likely to be blocked by email security tools. Researchers say the Bubble-generated code can be difficult for both humans and automated scanners to quickly interpret because it is packaged into large JavaScript bundles and Shadow DOM-heavy structures.

Reported flow:

- A victim clicks a Bubble-hosted link that looks benign to automated filters.

- The app redirects the victim to a phishing page (often Microsoft-themed), sometimes behind additional checks.

- Credentials entered are captured and can be used to access Microsoft 365 email and other data.

Defensive takeaways:

- Do not treat “hosted on a big platform” as a safety signal.

- Add browser-based phishing protections and enforce strong MFA with phishing-resistant methods (e.g., FIDO2/WebAuthn) where possible.

- Train users to verify domains carefully and report suspicious login prompts.
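The reported flow (a click on a *.bubble.io app, then a redirect to a Microsoft-themed page that captures credentials) and the takeaway about verifying domains can both be turned into a detection check. The following is an added example written for this page, not code from the original report or from Bubble: it scans constructed proxy-log lines and flags a user whose hit on a *.bubble.io host is followed within a short window by a credential POST to a host that is not an exact match for a legitimate Microsoft sign-in host. The log format, the sample lines, the `MICROSOFT_LOGIN_HOSTS` allowlist and the `MS_THEME_HINTS` heuristic are assumptions made for illustration.

```python
"""
Detection sketch: flag proxy-log sessions in which a visit to a Bubble-hosted
app (*.bubble.io, the platform domain named in the report) is followed shortly
by a credential POST to a host that is not a legitimate Microsoft sign-in host.
Log format, sample lines, allowlist and theme hints are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Hosts where a Microsoft sign-in form legitimately lives (illustrative allowlist;
# extend with your tenant's real identity endpoints).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Platform domain the report names as the lure host.
LURE_DOMAIN_SUFFIX = ".bubble.io"

# Path/query fragments that Microsoft-themed credential pages tend to reuse
# (constructed heuristic, not a signature taken from the report).
MS_THEME_HINTS = ("office365", "microsoft", "o365", "outlook", "login")


@dataclass
class LogEvent:
    ts: datetime
    user: str
    method: str
    url: str


def parse_line(line: str) -> LogEvent:
    """Parse one constructed proxy line: '<ISO time> <user> <METHOD> <url>'."""
    ts, user, method, url = line.split(maxsplit=3)
    return LogEvent(datetime.fromisoformat(ts), user, method.upper(), url)


def is_lure_host(host: str) -> bool:
    """True for the platform apex or any subdomain of it."""
    return host == LURE_DOMAIN_SUFFIX.lstrip(".") or host.endswith(LURE_DOMAIN_SUFFIX)


def is_legit_ms_login(host: str) -> bool:
    """Exact host match only: a lookalike such as
    login.microsoftonline.com.evil.example must not pass."""
    return host in MICROSOFT_LOGIN_HOSTS


def looks_ms_themed(url: str) -> bool:
    p = urlparse(url)
    text = (p.path + "?" + p.query).lower()
    return any(hint in text for hint in MS_THEME_HINTS)


def find_suspicious_chains(lines: Iterable[str],
                           window: timedelta = timedelta(minutes=5)
                           ) -> List[Tuple[str, str, str]]:
    """
    Return (user, lure_url, post_url) for every user whose POST to a
    non-Microsoft host with a Microsoft-themed path landed within `window`
    after that user's most recent *.bubble.io hit.
    """
    last_lure = {}  # user -> LogEvent of the most recent lure-host hit
    findings = []
    for line in sorted(lines, key=lambda l: l.split()[0]):  # order by timestamp
        ev = parse_line(line)
        host = urlparse(ev.url).hostname or ""
        if ev.method == "GET" and is_lure_host(host):
            last_lure[ev.user] = ev
            continue
        if ev.method == "POST" and not is_legit_ms_login(host) and looks_ms_themed(ev.url):
            lure = last_lure.get(ev.user)
            if lure and ev.ts - lure.ts <= window:
                findings.append((ev.user, lure.url, ev.url))
    return findings


# Constructed sample proxy lines: alice follows the reported flow, bob signs in
# legitimately, carol's POST falls outside the correlation window.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice GET https://invoice-review.bubble.io/",
    "2024-05-01T09:00:04 alice GET https://mail-secure.example.net/o365/login",
    "2024-05-01T09:00:31 alice POST https://mail-secure.example.net/o365/login?step=2",
    "2024-05-01T09:02:00 bob GET https://login.microsoftonline.com/common/oauth2/authorize",
    "2024-05-01T09:02:10 bob POST https://login.microsoftonline.com/common/login",
    "2024-05-01T10:30:00 carol GET https://some-app.bubble.io/",
    "2024-05-01T11:00:00 carol POST https://intranet.example.net/login",
]

if __name__ == "__main__":
    for user, lure, post in find_suspicious_chains(SAMPLE_LOG):
        print(f"ALERT user={user} lure={lure} credential_post={post}")
```

The check deliberately compares the sign-in host by exact equality rather than by substring, which is the same discipline the "verify domains carefully" takeaway asks of users: a host that merely contains "microsoftonline" is not a Microsoft host. In production the allowlist would come from your identity provider's published endpoints and the correlation window would be tuned against real click-to-submit timings.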