{"id":55488,"date":"2026-03-24T08:02:39","date_gmt":"2026-03-24T12:02:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55488"},"modified":"2026-04-01T07:36:03","modified_gmt":"2026-04-01T11:36:03","slug":"bubble-no-code-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bubble-no-code-phishing\/55488\/","title":{"rendered":"Bubble: a new tool for phishing scams"},"content":{"rendered":"

A variety of AI-powered app builders promise to bring your ideas to life quickly and effortlessly. Unfortunately, we know exactly who\u2019s always on the lookout for new ideas to bring to life \u2014 mostly because we\u2019re rather good at spotting and blocking their old ones. We\u2019re talking about phishers, of course. Recently, we discovered they\u2019ve added a new trick to their arsenal: generating websites using the Bubble<\/a> AI-powered web-app builder. It\u2019s highly likely that this tactic is now available through one or more phishing-as-a-service platforms, which virtually guarantees these decoys will start appearing in a wide range of attacks. But let\u2019s break this down step-by-step.<\/p>\n

Why are phishers using Bubble?<\/h2>\n

Including a direct link to a phishing site in an email is a one-way ticket to failure. There\u2019s a high probability the message won\u2019t even reach its destination, as security filters will likely block it before a user ever sees it. Similarly, using automated redirects has long been a major red flag for modern security solutions. What about QR codes? While having a victim scan a code with their phone instead of clicking a link might work in theory, phishers inevitably lose traffic at that step \u2014 not everyone is willing to enter corporate credentials on a personal device. This is where automated code-generation services come to the rescue for the cybercriminals.<\/p>\n

Bubble positions itself as a no-code platform for developing web and mobile applications. Essentially, a user describes what they need through a visual interface, and the platform generates a finished solution. Phishers have adopted this technology to create web apps whose addresses they then embed in their phishing emails. While the actual function of these apps boils down to the same old automated redirect to a malicious site, there are a couple of specific nuances at play.<\/p>\n

First, the resulting web application is hosted directly on the platform\u2019s servers. The URL ready for use in a phishing email looks something like https:\/\/%name%.bubble.io\/.<\/em> From the perspective of security solutions, this appears to be a legitimate, long-standing site.<\/p>\n

Second, the code for this web application doesn\u2019t look like a typical redirect. To be honest, it\u2019s hard to say what it looks like. The code generated by this no-code platform is a massive jumble of JavaScript and isolated Shadow DOM (Document Object Model) structures. Even for an expert, it\u2019s difficult to grasp what\u2019s happening at first glance; you really have to dig through it to understand how it all works and what the purpose is. Automated web-code analysis algorithms are even more likely to get tripped up, frequently reaching the verdict that this is just a functional, useful site.<\/p>\n

\"A<\/a>

A code fragment of a web application hosted on the Bubble platform<\/p><\/div>\n

What are these phishing platforms, and what is the end goal?<\/h2>\n

Today\u2019s phishers rarely develop and implement new tricks from scratch. Most use phishing kits \u2014 essentially DIY builders for launching fraudulent schemes \u2014 or even full-scale phishing-as-a-service platforms.<\/p>\n

These platforms provide attackers with a sophisticated (and highly frustrating) toolkit that\u2019s constantly evolving to improve email delivery and bypass anti-phishing defenses. For example, these tools allow attackers, among many other things, to do the following: intercept session cookies; conduct phishing through Google Tasks<\/a> (a tactic we covered in a previous post); execute adversary-in-the-middle (AiTM) attacks to validate two-factor authentication (2FA) and bypass it in real time; create phishing sites equipped with honeypots and geofencing to hide from security crawlers; and use AI assistants to generate unique phishing emails. To make matters worse, the infrastructure for these platforms is usually hosted on perfectly legitimate services like AWS, making their tactics even harder to spot.<\/p>\n

The same platforms are used to make the final destination page that harvests credentials. In this specific case, the web app hosted on Bubble redirects victims to a site \u2014 complete with a Cloudflare verification check \u2014 that mimics a Microsoft sign-in window.<\/p>\n

\"Phishing<\/a>

Phishing form designed to harvest corporate credentials<\/p><\/div>\n

Apparently, in the attackers\u2019 parallel universe, Skype is still a viable communication tool, but otherwise, the site looks remarkably convincing.<\/p>\n

How to protect your company from sophisticated phishing attacks<\/h2>\n

In today\u2019s digital landscape, employees need to clearly understand that corporate credentials should only be entered on services and websites that undeniably belong to the company. You can raise your team\u2019s awareness of modern cyberthreats using Kaspersky Automated Security Awareness Platform<\/a> for online training.<\/p>\n

Of course, even the most cautious employee might occasionally take the bait. We recommend equipping all internet-connected workstations with robust security solutions<\/a> that\u2019ll simply block any attempt to visit a malicious site. Finally, to cut down on the number of dangerous emails cluttering up corporate inboxes in the first place, we suggest deploying a gateway security product with advanced anti-phishing technologies<\/a>.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are now deploying web applications generated by Bubble, an AI-powered app builder, to hunt for corporate credentials.<\/p>\n","protected":false},"author":2598,"featured_media":55491,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[1140,19,76],"class_list":{"0":"post-55488","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-ai","11":"tag-email","12":"tag-phishing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bubble-no-code-phishing\/55488\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bubble-no-code-phishing\/31959\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bubble-no-code-phishing\/30565\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bubble-no-code-phishing\/41581\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/bubble-no-code-phishing\/14411\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bubble-no-code-phishing\/23760\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bubble-no-code-phishing\/33328\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/bubble-no-code-phishing\/30449\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55488"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55488\/revisions"}],"predecessor-version":[{"id":55536,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55488\/revisions\/55536"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55491"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}