Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany. Designed to harvest Microsoft 365 credentials, the campaign relies on #bubbleapps subdomains spoofing company names.
Bubble[.]io is a no-code platform that lets users build full web applications through a visual editor instead of writing code. The platform has been regularly abused by threat actors to host phishing content since at least 2020.
Upon investigation, the campaign also targets English-speaking and Italian-speaking users, with emails sent from compromised accounts.
By pivoting on @urlscanio, we suspect the campaign has been ongoing for at least six months.
A second-stage URL redirects victims to a fake Microsoft sign-in page. The structure of this second URL is typically one of:
online-app.*.info
login.*.it.com
processing.*.info
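As an added illustration (not code from the CERT post or its GitHub repository), a small Python check that flags URLs in a proxy log whose hostname matches the shapes described above: a bubbleapps.io subdomain for the first stage, and the three second-stage patterns. The log format and the "example-corp" name are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hostname shapes taken from the post. The wildcard in each second-stage
# pattern is one DNS label (the spoofed company name), so we anchor both ends
# and refuse extra labels, which keeps legitimate *.info / *.it.com hosts out.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
PATTERNS = {
    "stage1-bubbleapps": re.compile(rf"^{LABEL}\.bubbleapps\.io$"),
    "stage2-online-app": re.compile(rf"^online-app\.{LABEL}\.info$"),
    "stage2-login":      re.compile(rf"^login\.{LABEL}\.it\.com$"),
    "stage2-processing": re.compile(rf"^processing\.{LABEL}\.info$"),
}


def classify_url(url: str):
    """Return the name of the matching pattern for the URL's hostname, or None."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    for name, pattern in PATTERNS.items():
        if pattern.match(host):
            return name
    return None


def scan_proxy_log(lines):
    """Return (line_no, hostname, pattern) for every line whose URL matches.

    Constructed log format: "<timestamp> <client-ip> <url> <status>".
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        name = classify_url(parts[2])
        if name:
            hits.append((n, urlsplit(parts[2]).hostname, name))
    return hits


# Constructed sample log: two benign lines mixed with the four suspicious shapes.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 https://example-corp.bubbleapps.io/version-test/ 200",
    "2024-01-01T10:00:03Z 10.0.0.5 https://online-app.example-corp.info/common/oauth2 302",
    "2024-01-01T10:00:04Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2 200",
    "2024-01-01T10:01:10Z 10.0.0.7 https://LOGIN.Example-Corp.it.com/ 200",
    "2024-01-01T10:02:00Z 10.0.0.9 https://processing.example-corp.info/ 200",
    "2024-01-01T10:03:00Z 10.0.0.9 https://docs.example-corp.info/ 200",
]

if __name__ == "__main__":
    for line_no, host, name in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} -> {name}")
```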
A search on Censys returns several IPs likely linked to this phishing cluster, all associated with AS199785.
IoCs related to this campaign are available on our Datalake platform for our Managed Threat Intelligence clients:
https://datalake.cert.orangecyberdefense.com/gui/search?query_hash=fbf90e049b33f37bf6e259153e151034
They are also available on our GitHub: https://github.com/cert-orangecyberdefense/cti/blob/main/bubbleapps%20phishing/iocs