Security researchers have identified a clean and effective tactic that lets phishing campaigns go unnoticed: taking advantage of no-code application platforms such as Bubble to build and host malicious pages that imitate Microsoft login portals. Kaspersky's report breaks down how this method exploits the trust that legitimate domains generate and the complexity of automatically generated code.
Bubble is a platform for building applications without writing code, relying on artificial intelligence to generate the interface and logic. The resulting applications are usually hosted under the *.bubble.io domain, a space that many perimeter security solutions consider legitimate. Because of this apparent legitimacy, links included in malicious emails are not automatically flagged as dangerous, and the user lands on a page that does not appear to raise suspicion.

The technique does not rely solely on the use of a trusted domain. The attackers create applications with large JavaScript bundles and Shadow DOM-based structures that, because of their complexity and isolation, are difficult to analyze both manually and automatically. This tangle of code can hide redirects and fake forms intended to capture credentials, and in some cases the actual impersonation page is presented only after checks such as those performed by Cloudflare, adding another layer of apparent legitimacy.
The real danger is that any data entered on those pages (username and password, and in some cases secondary codes or confirmations) ends up in the hands of criminals. With Microsoft 365 credentials, an attacker can access mail, calendar and other corporate services, opening the door to financial fraud, leaks of sensitive information and lateral movement within an organization's network.
In addition, researchers warn that this form of evasion has everything it needs to become a standard component of phishing kits and phishing-as-a-service (PhaaS) platforms. These services already integrate techniques such as session cookie theft, "adversary-in-the-middle" layers that attempt to circumvent two-factor authentication, geo-restrictions to select victims and anti-analysis tricks. Adding the ability to hide malicious pages in legitimate infrastructure increases the effectiveness and reach of campaigns.
In this context, all is not lost: prevention and awareness remain powerful tools. Confirming the actual URL before entering credentials, distrusting links that arrive by mail even if they point to known domains, and using more robust authentication methods such as security keys or passkeys all reduce the impact of this type of fraud. For organizations, activating and tuning protection mechanisms on platforms such as Microsoft 365, including anti-phishing solutions and conditional access controls, is an additional barrier recommended by vendors.
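The per-host check that this advice implies, as an added example (not code from Kaspersky's report or from this article): it classifies an e-mail link by its full host instead of trusting the registered domain. Only `bubble.io` comes from the text; the Microsoft login host list, the brand cues and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: suffixes where every subdomain is a different customer's app.
# Only bubble.io comes from the article; extend the tuple for your environment.
SHARED_APP_SUFFIXES = ("bubble.io",)
# Assumption: hosts where a Microsoft sign-in form is expected (not exhaustive).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: crude brand cues looked for in the link text and the URL itself.
BRAND_CUES = ("microsoft", "office365", "office 365", "outlook", "onedrive")


def host_of(url):
    """Return the lowercased host without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def under_suffix(host, suffix):
    """True only for a real subdomain of suffix (label boundary, not substring)."""
    return host.endswith("." + suffix)


def classify_link(href, visible_text=""):
    """Classify one e-mail link by its actual host, not its registered domain."""
    host = host_of(href)
    if host in MICROSOFT_LOGIN_HOSTS:
        return "expected-login-host"
    tenant_app = any(under_suffix(host, s) for s in SHARED_APP_SUFFIXES)
    cues = (visible_text + " " + href).lower()
    branded = any(cue in cues for cue in BRAND_CUES)
    if tenant_app and branded:
        return "review: brand lure on shared app platform"
    if tenant_app:
        return "review: user-built app on shared platform"
    return "no-match"


# Constructed sample links (href, visible text); none are real campaign URLs.
SAMPLE_LINKS = [
    ("https://login.microsoftonline.com/common/oauth2/authorize", "Sign in"),
    ("https://docs-portal-example.bubble.io/version-test", "Open in Microsoft 365"),
    ("https://Team-Planner-Example.Bubble.IO:443/", "Our sprint board"),
    ("https://notbubble.io.example/", "Shared invoice"),
]


def triage(links):
    """Return (host, verdict) for each (href, visible_text) pair."""
    return [(host_of(h), classify_link(h, t)) for h, t in links]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LINKS):
        print(f"{host:40} {verdict}")
```

A "review" verdict is a triage signal for a mail gateway or analyst queue, not proof of phishing, since legitimate applications share the same suffix.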

If you want to dig deeper into how these campaigns work and what measures security agencies recommend, Kaspersky's reports and guides are a good starting point (see analysis), and authorities such as CISA or the United Kingdom's NCSC maintain practical recommendations for detecting and reporting phishing. Microsoft also publishes guides to protecting Microsoft 365 environments and setting up anti-phishing defenses in its technical documentation.
In parallel, those who run no-code platforms have an important challenge ahead of them: balancing the experience of rapid creation and deployment with stricter abuse controls. Some media outlets, such as BleepingComputer, have tried to get Bubble's version of these findings, which highlights the need for coordinated responses between vendors, security communities and users so that the flexibility these tools offer does not become an easy route to fraud.
Day to day, the best defense remains prudence: look critically at unexpected emails, validate links before interacting with them, enable stronger levels of verification and fall back on official channels when something does not fit. The technique may change, but the routine of checking before trusting remains one of the most effective barriers to credential theft.