No-code app builder Bubble.io hijacked for Microsoft phishing

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

No-code app builder phishing has emerged as a serious threat to enterprise and government users. Bubble.io, a visual programming platform designed to help developers build full-stack applications without writing code, is being systematically abused by threat actors to host convincing phishing sites that steal Microsoft account credentials, including usernames, passwords, and multi-factor authentication codes.

Key Takeaways

  • Bubble.io attackers deploy realistic Microsoft login page clones using the platform’s free tier, requiring no payment or technical expertise.
  • Phishing lures use Bubble.io’s native .bubbleapps.io subdomains or custom domains themed around Microsoft account recovery and security alerts.
  • Campaign targets include government agencies, enterprises, and individual users, with attacks detected as early as January 2026.
  • Independent audits found security issues in over 11,026 Bubble apps, with 99% of custom domain apps vulnerable to abuse.
  • Bubble’s built-in security tools protect user-created apps but do not prevent malicious new app creation on the platform.

Why Bubble.io Became a Phishing Hotbed

Bubble.io’s ease of use is precisely what makes it attractive to both legitimate developers and criminals. The platform requires no coding knowledge—attackers can rapidly deploy realistic phishing applications using drag-and-drop interfaces and pre-built components. Because the free tier is unrestricted, threat actors face zero financial barriers to launching campaigns at scale. A convincing Microsoft login form hosted on a Bubble app looks legitimate to victims, especially when distributed via email, SMS, or malvertising campaigns that direct users to the fake login page.

The phishing sites are particularly effective because they leverage Bubble.io’s dynamic app capabilities, allowing attackers to build forms that capture and transmit stolen credentials in real time. Victims see familiar Microsoft branding, enter their login details, and receive a plausible error message—all while their credentials are harvested by the attacker. The platform’s subdomains and custom domain support make it trivial to register domains that mimic legitimate Microsoft services.

The Scale of the Problem: What Security Audits Revealed

Independent security researchers have documented the scope of abuse. A comprehensive audit of over 11,026 Bubble applications revealed widespread security issues, with custom domain apps showing vulnerability rates exceeding 99%. While Bubble.io provides a Security Dashboard for vulnerability scans, privacy checks, and error tracking, these tools focus on protecting the internal security of user-created applications—not on preventing the platform from being weaponized for phishing in the first place.

The gap is stark: Bubble’s security infrastructure protects developers building legitimate apps from vulnerabilities within their own code. It does nothing to stop a bad actor from creating a new phishing app from scratch. This represents a fundamental tension in no-code platforms—ease of access that benefits legitimate users also enables rapid malicious deployment. Other no-code builders like Adalo and Glide have reported lower abuse rates, likely due to smaller user bases or stricter hosting policies, but the problem is not unique to Bubble.

No-Code App Builder Phishing in the Broader Threat Landscape

The rise of no-code platform abuse coincides with escalating nation-state activity. In January 2026, Russian APT28 (COVENANT) was observed using Bubble.io phishing campaigns alongside exploits for a recently patched Microsoft Office vulnerability (CVE-2026-21509) in coordinated attacks against government and enterprise targets in Ukraine and the European Union. This convergence signals a strategic shift: attackers are combining zero-day exploits with low-friction phishing infrastructure to maximize their chances of successful compromise.

Bubble.io phishing represents an evolution from older tactics using compromised WordPress sites or Google Sites for hosting fake login pages. The dynamic capabilities of no-code platforms allow attackers to build more sophisticated lures—real-time credential validation, conditional logic for follow-up phishing stages, and integration with external services. For defenders, this means that traditional URL reputation lists and domain blocklists are less effective; a Bubble app can be created, used for a campaign, and abandoned within hours.

What Bubble.io Users Should Do Now

Organizations relying on Bubble.io for legitimate applications should audit their deployments for exposure. If your app handles sensitive data, review Bubble’s Security Dashboard for reported vulnerabilities and ensure you are using custom domains with proper SSL certificates. For individual users, the risk is more straightforward: never click links in unsolicited emails or messages claiming to be from Microsoft. If you receive a suspicious login prompt, navigate directly to microsoft.com in your browser rather than following a link. Enable multi-factor authentication on all Microsoft accounts; even if credentials are stolen, MFA codes are harder to intercept.

Bubble.io itself faces pressure to implement platform-level moderation. The company’s current approach relies on user reports and reactive takedowns, which lag behind the speed of attack campaigns. Stricter vetting of new apps, rate limiting on app creation, or mandatory abuse reporting could slow attackers—though these measures would add friction for legitimate developers.

Is Bubble.io safe to use for legitimate app development?

Yes, Bubble.io is safe for building legitimate applications if you follow security best practices. The platform’s security tools help you identify vulnerabilities in your own code. The risk is not to developers using the platform responsibly—it is to end users targeted by phishing campaigns hosted on Bubble. Attackers abuse the platform, not the other way around.

How can I tell if a Microsoft login page is fake?

Check the URL carefully. Legitimate Microsoft login pages use domains like login.microsoftonline.com or account.microsoft.com. If the URL contains unfamiliar subdomains like .bubbleapps.io or a misspelled domain, it is a phishing lure. Hover over links before clicking. When in doubt, navigate directly to Microsoft’s website by typing the URL into your browser rather than following a link.
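
The URL check from this answer, written as a triage function for proxy or mail-gateway logs. This is an added example, not code from the article, Bubble or Microsoft; the brand token list, the verdict labels and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Sign-in hosts and hosting suffix named in the article.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "account.microsoft.com"}
BUBBLE_SUFFIX = "bubbleapps.io"
# Assumption: brand tokens a Microsoft-themed lure is likely to carry.
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "onedrive")


def under(host: str, suffix: str) -> bool:
    """Match on a label boundary so 'notbubbleapps.io' is not a hit."""
    return host == suffix or host.endswith("." + suffix)


def classify(url: str) -> str:
    """Classify an absolute URL; the verdict labels are this example's own."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lowercases the name.
    host = (parts.hostname or "").rstrip(".")
    if host in MS_LOGIN_HOSTS:
        return "microsoft-login"
    if under(host, BUBBLE_SUFFIX):
        branded = any(t in (host + parts.path).lower() for t in BRAND_TOKENS)
        return "bubble-microsoft-lure" if branded else "bubble-app"
    # Custom domains: a real Microsoft host name used only as a prefix
    # of another domain, or placed in the userinfo part before '@'.
    if any(h in parts.netloc.lower() for h in MS_LOGIN_HOSTS):
        return "lookalike"
    return "other"


def flagged(urls):
    """Return (url, verdict) pairs that deserve analyst attention."""
    return [(u, v) for u in urls
            if (v := classify(u)) in ("bubble-microsoft-lure", "lookalike")]


# Constructed sample URLs (not taken from any real campaign).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft-recovery-constructed.bubbleapps.io/",
    "https://todo-list-constructed.bubbleapps.io/",
    "https://login.microsoftonline.com.account-alert.example/",
    "https://login.microsoftonline.com@portal.example/",
    "https://notbubbleapps.io/microsoft",
]

if __name__ == "__main__":
    for url, verdict in flagged(SAMPLE_URLS):
        print(f"{verdict:22} {url}")
```

A custom-domain lure with no Microsoft host name in its authority falls through to `other`, so a hostname check like this complements page-content inspection rather than replacing it.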

What should I do if my Microsoft account was compromised in a phishing attack?

Change your password immediately and review your account activity for unauthorized access. Enable or strengthen multi-factor authentication. Check your recovery email and phone number to ensure they have not been changed by the attacker. Monitor your account for suspicious sign-ins and consider enabling security alerts for future login attempts.

The Bubble.io phishing campaign exposes a fundamental challenge in the no-code economy: platforms designed to democratize app development are equally accessible to threat actors. Until Bubble.io and similar platforms implement stronger abuse prevention at the infrastructure level, users must remain vigilant. For security teams, the lesson is clear—no-code platforms are now a vector for enterprise phishing, and that risk belongs in your threat model.

Edited by the All Things Geek team.

Source: TechRadar
