Cybercriminals used a trusted app builder to create fake Microsoft login pages and steal user data. Here’s how the attack works and why safe-looking links still put your accounts at risk.
What Happened
These pages are designed to look like real Microsoft 365 sign-in screens. When users enter their credentials, attackers capture their login details.
Importantly, this is not a data breach — attackers didn’t hack the platform. Instead, they are using a legitimate tool to carry out the scam.
How This Attack Happened
Attackers use Bubble.io to create pages that closely copy the real Microsoft 365 login screen — same layout, logo, and fields.
Bubble automatically hosts these pages on its own domain (for example, login-check.bubble.io). Because this is a real and trusted domain, email filters often treat the link as safe and the messages go straight to the inbox.
Attackers then send emails that look like Microsoft alerts (for example, “unusual sign-in” or “account needs verification”) and include a link to the fake page.
Sometimes they add a fake “security check” screen before the login page to make the process feel more official and reduce suspicion.
When users click the link and enter their details, the attackers collect data instantly.
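Because the link sits on a trusted shared domain, a check has to look at the full hostname together with the wording of the message, not at the domain's reputation. The following Python example is added here and is not code from the researchers or from Bubble; the keyword list, the suffix list, and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: tune both to your own mail flow.
SHARED_HOSTING_SUFFIXES = (".bubble.io",)   # platform named in the article
LURE = re.compile(r"microsoft|office\s*365|unusual sign-in|verif", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def link_host(url):
    """Hostname only: lower-cased, no port, no trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed URL, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def flag_links(subject, body):
    """Return hosts that sit on a shared app-hosting domain in a message
    that also uses Microsoft sign-in wording. Empty list means no match,
    not that the message is safe."""
    if not LURE.search(subject + "\n" + body):
        return []
    hosts = {link_host(u) for u in URL.findall(body)}
    # The leading dot in each suffix keeps "notbubble.io" and the bare
    # platform domain itself from matching.
    return sorted(h for h in hosts if h.endswith(SHARED_HOSTING_SUFFIXES))

# Constructed sample messages (subject, body).
SAMPLES = [
    ("Microsoft 365: unusual sign-in activity",
     "Verify your account: https://login-check.bubble.io/verify"),
    ("Microsoft account security info",
     "Sign in at https://login.microsoftonline.com/ to review."),
    ("Your app build finished",
     "Preview: https://my-team-app.bubble.io/version-test"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", flag_links(subject, body) or "no match")
```

Only the first sample is flagged: the second links to a real Microsoft sign-in host, and the third is an ordinary app link with no sign-in wording around it.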

How Users Could Be Affected
If you click the link and enter your login details, attackers can gain access to your Microsoft 365 account.
This can lead to:
- stolen emails and sensitive data
- account takeover
- further attacks on coworkers, family members, or organizations
- potential financial fraud or ransomware incidents
More advanced versions of this attack can even steal two-factor authentication (2FA) codes.
What Bubble Says
Bubble.io responded to the reports, saying:
“We are aware of reports that bad actors have attempted to misuse Bubble-hosted applications as part of phishing campaigns.”
The company said it has safeguards to stop abuse, takes action when needed, and keeps improving protection for users.
Why This Phishing Method Will Spread Quickly
Researchers warn that this scam trick is likely to become more common — and the trend proves it.
At the same time, platforms like Bubble.io make it easy for even less-skilled attackers to create convincing phishing pages. This method may soon be added to “Phishing-as-a-Service” kits — ready-made tools that allow criminals to launch attacks at scale.
As a result, more phishing emails may start appearing directly in inboxes instead of spam folders.
What This Case Shows
This case highlights a growing shift in cybercrime: attackers are no longer relying on suspicious or fake websites.
Instead, they are using trusted platforms to make scams harder to detect and more believable.
It also shows that:
- a “safe-looking” link does not always mean it is safe
- email security filters can be bypassed
- human attention — not technology — is often the last line of defense
Before you sign in, pause and check the link. Going directly to the official site is the safest habit and a simple step that can prevent serious account problems.

At Futureproof, Kevin makes online safety feel human with clear steps, real examples, and zero fluff. He holds a degree in information technology and studies fraud trends to keep his tips up-to-date.
In his free time, Kevin plays with his cat, enjoys board-game nights, and hunts for New York’s best cinnamon rolls.
