[{"data":1,"prerenderedAt":130},["ShallowReactive",2],{"article-slug-kaspersky-uncovers-phishing-technique-abusing-no-code-platform-bubble":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":54,"mitre_techniques":55,"mitre_mitigations":71,"d3fend_countermeasures":94,"iocs":95,"cyber_observables":96,"tags":113,"extract_datetime":117,"article_type":118,"impact_scope":119,"pub_date":36,"reading_time_minutes":129,"createdAt":117,"updatedAt":117},"58139847-f5e2-4a5e-bedf-c65fe15b8d3b","kaspersky-uncovers-phishing-technique-abusing-no-code-platform-bubble","Phishers Abuse No-Code Platform 'Bubble' to Bypass Email Security Filters","Kaspersky Uncovers Novel Phishing Technique Abusing Legitimate No-Code Platform Bubble.io for Credential Harvesting","Security researchers at Kaspersky have identified a novel phishing technique that abuses the legitimate no-code development platform, Bubble.io. Attackers are creating malicious web applications on the platform that act as redirectors. Because these apps are hosted on Bubble's trusted domain (*.bubble.io), they are more likely to bypass email security filters that block links to known malicious sites. Phishing emails, often targeting Microsoft 365 users, contain a link to the Bubble-hosted app, which then forwards the victim to a credential harvesting page. This 'trust abuse' tactic makes it harder for both users and automated defenses to spot the attack, and is expected to be adopted by Phishing-as-a-Service (PhaaS) operators.","## Executive Summary\nCybercriminals are exploiting the legitimate no-code platform **[Bubble.io](https://bubble.io/)** to create malicious applications that serve as redirectors in sophisticated phishing campaigns. According to research from **[Kaspersky](https://www.kaspersky.com)**, this technique allows attackers to host their initial phishing link on a trusted domain (`*.bubble.io`), significantly increasing the likelihood of bypassing email security gateways. The phishing emails typically impersonate well-known services like **[Microsoft 365](https://www.microsoft.com/en-us/microsoft-365)**, luring victims to click a link that leads to the Bubble-hosted application. This app then silently redirects the user to a final credential harvesting page. This abuse of a legitimate platform's reputation represents a growing trend in phishing and is difficult to defend against, as blocking the entire `bubble.io` domain would disrupt legitimate business applications.\n\n---\n\n## Threat Overview\nThis phishing technique is a form of 'trust abuse'. Attackers are not hacking Bubble's platform; they are using its features as intended to build a simple application. However, the application's sole purpose is malicious. The attack chain is as follows:\n\n1.  **Email Delivery:** A user receives a phishing email, often appearing as a notification from Microsoft 365, with a call to action (e.g., 'Review Document', 'Verify Account').\n2.  **Initial Click:** The link in the email points to a URL like `[malicious-app-name].bubble.io`.\n3.  **Redirection:** Because `bubble.io` is a reputable domain, email filters are less likely to block the link. When the user visits the page, the Bubble-hosted app uses JavaScript or an HTML meta refresh to automatically redirect the browser to a different, attacker-controlled website.\n4.  **Credential Harvesting:** The final destination is a pixel-perfect replica of a legitimate login page (e.g., Microsoft 365). The user, having been passed through a trusted domain, may be less suspicious and enter their credentials, which are then captured by the attacker.\n\nThis method is an evolution of open redirect abuse and is particularly effective against security solutions that rely heavily on domain reputation for filtering.\n\n## Technical Analysis\nThe core of the technique is the abuse of the platform's functionality. Attackers sign up for a Bubble account and create a one-page application. Within this page, they embed a simple piece of JavaScript code or an HTML tag to perform the redirection. \n\nExample JavaScript for redirection:\n```javascript\nwindow.location.replace(\"http://malicious-phishing-site.com\");\n```\n\nThis is a classic example of [`T1566.002 - Spearphishing Link`](https://attack.mitre.org/techniques/T1566/002/) combined with [`T1204.001 - Malicious Link`](https://attack.mitre.org/techniques/T1204/001/). The use of a legitimate service as an intermediary is a defense evasion technique ([`T1127.001 - Trusted Developer Utilities Proxy Execution`](https://attack.mitre.org/techniques/T1127/001/)). Kaspersky researchers note that this tactic will likely be integrated into Phishing-as-a-Service (PhaaS) kits, which would automate the creation of these Bubble redirector apps and scale the attack to a massive level.\n\n## Impact Assessment\n*   **Increased Phishing Success Rate:** By bypassing automated filters, more phishing emails reach user inboxes, increasing the chances of a successful compromise.\n*   **Credential Theft:** The primary impact is the theft of user credentials, particularly for high-value targets like Microsoft 365 accounts, which can lead to Business Email Compromise (BEC), data breaches, and further internal phishing.\n*   **MFA Bypass:** Many PhaaS kits that could adopt this technique also include Adversary-in-the-Middle (AiTM) capabilities to steal session cookies and bypass multi-factor authentication.\n*   **Damage to Platform Reputation:** Legitimate platforms like Bubble suffer reputational damage when their services are abused for malicious purposes, and they must expend resources to identify and shut down the malicious applications.\n\n## Cyber Observables for Detection\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| url_pattern | `*.bubble.io` | While not inherently malicious, a sudden influx of emails with links to this domain could be an indicator of a campaign. | Email gateway logs, web proxy logs. | low |\n| log_source | `Web Proxy Logs` | Look for a pattern of users being quickly redirected from a `bubble.io` URL to a completely different, often newly registered, domain. | SIEM correlation of proxy logs. | medium |\n| string_pattern | `window.location.replace` | In an email context, URLs that lead to pages with immediate JavaScript redirects are suspicious. | Advanced email sandboxing, URL analysis tools. | high |\n\n## Detection & Response\n1.  **URL Analysis:** Use email security solutions that can 'detonate' URLs in a sandbox to follow the full redirect chain and analyze the final landing page for phishing indicators. Simple domain reputation is not enough.\n2.  **User Training:** This is a critical defense. Train users to be suspicious of any login request and to manually verify the domain in the address bar of the final login page before entering credentials. They should be taught that even if the initial link seems legitimate, the final destination is what matters.\n3.  **Report Abuse:** Security teams and users should report malicious Bubble applications to the platform so they can be taken down.\n\n## Mitigation\n*   **Enhanced Email Security:** Deploy advanced email security solutions that perform deep URL analysis and sandboxing, rather than just relying on blocklists. This aligns with [`D3-UA: URL Analysis`](https://d3fend.mitre.org/technique/d3f:URLAnalysis).\n*   **Phishing-Resistant MFA:** The most effective technical control against credential phishing is the use of phishing-resistant MFA, such as FIDO2 security keys. This prevents credential theft even if a user is tricked into visiting the malicious site ([`M1032 - Multi-factor Authentication`](https://attack.mitre.org/mitigations/M1032/)).\n*   **Browser Security:** Use browser security extensions or DNS filtering services that maintain blocklists of known phishing landing pages, providing a last line of defense if the user clicks the link.\n*   **User Awareness:** Continuously train users on how to spot phishing attacks, emphasizing the importance of checking the final URL before entering credentials and being wary of unexpected requests.","A new phishing trick abuses the legitimate no-code platform Bubble to bypass security filters. Attackers host redirector apps on the trusted domain to lead victims to credential harvesting sites. 🎣 #Phishing #CyberSecurity #Kaspersky #Bubble","Kaspersky researchers have found a new phishing technique where attackers abuse the Bubble.io no-code platform to host redirectors on a trusted domain, helping them bypass email security to steal credentials.",[13,14,15],"Phishing","Threat Intelligence","Cloud Security","medium",[18,22,25,28],{"name":19,"type":20,"url":21},"Kaspersky","vendor","https://www.kaspersky.com",{"name":23,"type":24},"Bubble.io","product",{"name":26,"type":24,"url":27},"Microsoft 365","https://www.microsoft.com/en-us/microsoft-365",{"name":29,"type":20,"url":30},"Cloudflare","https://www.cloudflare.com/",[],[33,39,45,49],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.itnewsafrica.com/2026/04/kaspersky-warns-of-a-new-phishing-technique/","Kaspersky Warns of a New Phishing Technique","2026-04-01","IT News Africa","itnewsafrica.com",{"url":40,"title":41,"date":42,"friendly_name":43,"website":44},"https://www.techradar.com/pro/security/this-popular-app-builder-is-being-abused-to-trick-users-heres-what-we-know","This popular app builder is being abused to trick users - here's what we know","2026-03-31","TechRadar Pro","techradar.com",{"url":46,"title":47,"date":42,"friendly_name":19,"website":48},"https://www.kaspersky.com/blog/bubble-phishing-scams/49887/","Bubble's role in phishing scams","kaspersky.com",{"url":50,"title":51,"date":42,"friendly_name":52,"website":53},"https://riskybiznews.substack.com/p/risky-biz-news-russia-to-use-custom","Risky Biz News: Russia to use custom crypto-algorithm for its 5G network","Risky Biz News","riskybiznews.substack.com",[],[56,60,64,68],{"id":57,"name":58,"tactic":59},"T1566.002","Spearphishing Link","Initial Access",{"id":61,"name":62,"tactic":63},"T1127.001","Trusted Developer Utilities Proxy Execution","Defense Evasion",{"id":65,"name":66,"tactic":67},"T1204.001","Malicious Link","Execution",{"id":69,"name":58,"tactic":70},"T1598.003","Reconnaissance",[72,77,85],{"id":73,"name":74,"description":75,"domain":76},"M1017","User Training","Train users to inspect the final URL in the browser's address bar before entering credentials and to be suspicious of redirects.","enterprise",{"id":78,"name":79,"d3fend_techniques":80,"description":84,"domain":76},"M1032","Multi-factor Authentication",[81],{"id":82,"name":79,"url":83},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Deploy phishing-resistant MFA (e.g., FIDO2) to protect accounts even if credentials are stolen.",{"id":86,"name":87,"d3fend_techniques":88,"description":93,"domain":76},"M1021","Restrict Web-Based Content",[89],{"id":90,"name":91,"url":92},"D3-UA","URL Analysis","https://d3fend.mitre.org/technique/d3f:URLAnalysis","Use advanced email security gateways that can follow redirect chains and analyze the content of the final landing page.",[],[],[97,102,107],{"type":98,"value":99,"description":100,"context":101,"confidence":16},"url_pattern","bubble.io/site/","Links containing this pattern that lead to immediate redirection are suspicious. Legitimate Bubble apps usually have more complex paths.","Web proxy logs, email link analysis.",{"type":103,"value":104,"description":105,"context":106,"confidence":16},"string_pattern","meta http-equiv=\"refresh\"","The HTML source of the initial landing page may contain a meta refresh tag for redirection, an alternative to JavaScript.","URL sandboxing, dynamic analysis of web pages.",{"type":108,"value":109,"description":110,"context":111,"confidence":112},"log_source","Email Gateway Logs","Monitor for a high volume of emails from different senders all pointing to various subdomains of `bubble.io`.","SIEM correlation of email logs.","low",[13,19,23,26,114,115,116],"Credential Harvesting","Trust Abuse","PhaaS","2026-04-01T15:00:00.000Z","Analysis",{"geographic_scope":120,"industries_affected":121,"other_affected":127},"global",[122,123,124,125,126],"Technology","Finance","Healthcare","Retail","Education",[128],"Microsoft 365 users",5,1775141534221]