Cybersecurity specialists Kaspersky say they have discovered a new phishing tactic used to evade traditional security controls – one that exploits Bubble, a platform that allows users to build Web and mobile applications through a visual interface without writing code.
Attackers are increasingly adopting innovative tools designed for legitimate software development and repurposing them to boost phishing campaigns, the company says.
Traditional phishing attacks often rely on malicious links or obvious redirection techniques, which are typically flagged and blocked by modern security systems. However, attackers are now using Bubble’s no-code environment to generate intermediary Web applications hosted on Bubble’s legitimate infrastructure under trusted domains such as *.bubble.io. That hosting lends the applications credibility and helps them bypass security filters. The applications function as disguised redirectors, silently forwarding victims to malicious credential-harvesting websites.
In the observed campaign, victims were ultimately redirected to a convincing imitation of a Microsoft login page, protected by a Cloudflare verification layer designed to further obscure malicious intent.
This technique is likely being integrated into broader phishing-as-a-service (PhaaS) platforms and phishing kits.
These kits offer a wide range of malicious capabilities as ready-made tools, including real-time interception of session cookies, phishing campaigns driven through legitimate services such as Google Tasks and Google Forms, and adversary-in-the-middle (AiTM) attacks that can bypass multi-factor authentication.
They also support the generation of phishing emails using AI, implement geo-filtering and anti-detection mechanisms to evade security crawlers, and are often hosted on reputable cloud services like AWS to avoid blacklisting.
“The use of legitimate platforms like Bubble introduces a new level of trust abuse making it harder for both users and automated systems to distinguish between safe and malicious content,” says Roman Dedenok, anti-spam expert at Kaspersky. “This significantly increases the likelihood of credential theft, unauthorised access and potential data breaches.”
To stay protected, Kaspersky recommends that organisations:
- Educate employees so that they understand that corporate credentials should only be entered on verified, official company platforms.
- Deploy robust security solutions to block access to known and suspicious phishing destinations.
- Implement advanced anti-phishing technologies at the email gateway to reduce exposure to malicious messages.
- Stay updated on evolving attacker techniques and integrate threat intelligence into security operations.
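
The redirect pattern described above, a *.bubble.io application forwarding a user to a look-alike sign-in page, can be hunted for in Web proxy logs. The following is an added example, not code from Kaspersky or the original article; the record layout, the allowlist, the keyword heuristic and all sample hosts are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy records (user, requested URL, Referer); not real traffic.
SAMPLE_LOG = [
    ("alice", "https://invoice-view.bubble.io/", ""),
    ("alice", "https://login.example-portal.test/common/oauth2/authorize",
     "https://invoice-view.bubble.io/"),
    ("bob", "https://team-app.bubble.io/", ""),
    ("bob", "https://login.microsoftonline.com/common/oauth2/authorize",
     "https://team-app.bubble.io/"),
    ("carol", "https://news.example.test/login", "https://search.example.test/"),
    ("dave", "https://crm-tool.bubble.io/dashboard", "https://crm-tool.bubble.io/"),
]

# Assumption: hosts where this organisation legitimately signs in.
SIGN_IN_ALLOWLIST = {"login.microsoftonline.com", "login.live.com"}
# Assumption: crude keyword heuristic for "this URL looks like a sign-in page".
LOGIN_HINTS = ("login", "signin", "oauth2", "authorize")


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_bubble_host(host):
    """True for bubble.io and its subdomains, not for look-alikes."""
    return host == "bubble.io" or host.endswith(".bubble.io")


def looks_like_sign_in(url):
    parts = urlsplit(url)
    text = ((parts.hostname or "") + parts.path).lower()
    return any(hint in text for hint in LOGIN_HINTS)


def find_suspicious_hops(records):
    """Return (user, bubble_host, destination_host) for each flagged hop."""
    hits = []
    for user, url, referrer in records:
        src, dst = host_of(referrer), host_of(url)
        if not is_bubble_host(src) or is_bubble_host(dst):
            continue  # only hops that leave a Bubble-hosted app
        if dst in SIGN_IN_ALLOWLIST:
            continue  # genuine identity provider
        if looks_like_sign_in(url):
            hits.append((user, src, dst))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_hops(SAMPLE_LOG):
        print("review:", *hit)
```

Browsers and proxies may strip the Referer header, so a production rule would also correlate the two requests by user and time window rather than rely on the header alone.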