Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps.
Because the web app is hosted on a legitimate platform, email security solutions do not flag the link as a potential threat, allowing users to access the page.
Security researchers at Kaspersky say that threat actors are using the new method to redirect users to the actual phishing page, which typically mimics a Microsoft login portal and is sometimes placed behind a Cloudflare check.
Any credentials entered on these fake web pages are siphoned to the phishing actor, who may then use them to access email, calendar, and other sensitive data associated with Microsoft 365 accounts.
[Image: the Microsoft-themed phishing page. Source: Kaspersky]
Bubble is a no-code AI-powered platform where users describe the app they want to build and then the platform automatically generates the backend logic and frontend.
The resulting apps are hosted on Bubble’s infrastructure under *.bubble.io, which is a trusted domain unlikely to trigger security warnings from email security solutions.
Phishing actors take advantage of this by creating Bubble apps made up of large, complex JavaScript bundles and Shadow DOM-heavy structures, which static and automated analysis tools do not flag as redirection scripts or classify as malicious.
“The code generated by this no-code platform is a massive jumble of JavaScript and isolated Shadow DOM (Document Object Model) structures,” explains Kaspersky.
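Because the lure link itself points at a trusted *.bubble.io host, one place defenders can still catch the campaign is the hop out of the Bubble app to the off-platform login page. The following Python script is an added example (not from Kaspersky or the article) that scans constructed web-proxy log lines for that hop: a request whose referrer is a *.bubble.io page and whose destination is a login-themed host that is not one of Microsoft's genuine sign-in domains. The log format, the allowlist and the keyword list are assumptions to adapt to your own telemetry.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <user> <requested_url> <referrer>" (not a real capture).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z alice https://example-app.bubble.io/ https://mail.example.com/inbox
2024-01-01T10:00:02Z alice https://portal-office365-verify.example-lure.test/login https://example-app.bubble.io/
2024-01-01T10:05:00Z bob https://login.microsoftonline.com/common/oauth2/authorize https://example-app.bubble.io/
2024-01-01T10:06:00Z carol https://docs.example.com/wiki https://other-app.bubble.io/
"""

# Hosting platform named in the article; extend with other no-code hosts as needed.
LOW_CODE_SUFFIXES = ("bubble.io",)
# Genuine Microsoft sign-in hosts (assumed allowlist; adjust to your tenant's federation setup).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Words suggesting the landing page is posing as a Microsoft / Office sign-in (assumed list).
LOGIN_LURE = re.compile(r"microsoft|office|o365|outlook|login|signin", re.I)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, url, referrer = parts
    return {"ts": ts, "user": user, "url": url, "referrer": referrer}

def is_lure_hop(url, referrer):
    """True when a *.bubble.io page hands the browser to a login-themed page off-platform."""
    src, dst = host_of(referrer), host_of(url)
    if not any(under(src, s) for s in LOW_CODE_SUFFIXES):
        return False                       # did not come from the no-code host
    if any(under(dst, s) for s in LOW_CODE_SUFFIXES):
        return False                       # still inside the app, not the hand-off
    if dst in MICROSOFT_LOGIN_HOSTS:
        return False                       # real Microsoft sign-in, expected for legitimate apps
    return bool(LOGIN_LURE.search(dst + urlparse(url).path))

def find_redirect_lures(lines):
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_lure_hop(e["url"], e["referrer"]):
            hits.append((e["user"], e["referrer"], e["url"]))
    return hits

if __name__ == "__main__":
    for user, src, dst in find_redirect_lures(SAMPLE_LOG.splitlines()):
        print(f"{user}: {src} -> {dst}")
```

The allowlist is matched exactly on purpose, so a lookalike such as a subdomain that merely starts with a Microsoft host name is still flagged.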