Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany 🇩🇪. Designed for Microsoft 365 credential harvesting, the campaign relies on #bubbleapps subdomains spoofing company names.
Bubble[.]io is a no-code platform that lets users build full web applications through a visual editor instead of writing code. The platform has been regularly abused by threat actors to host phishing content 👾 since at least 2020.
Upon investigation, we found that the campaign also targets English-speaking 🇬🇧 and Italian-speaking 🇮🇹 users, with emails sent from compromised accounts.
🔎 By pivoting on @urlscanio, we suspect the campaign has been ongoing for at least 6 months.
A second-stage URL redirects victims to a fake Microsoft sign-in page. The hostname of this second URL typically follows one of these structures:
online-app.*.info
login.*.it.com
processing.*.info
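As an added example (not the CERT's own tooling) of how a defender could turn the hostname structures above into a proxy-log matcher: each `*` is read as a single DNS label (the spoofed company name), the `*.bubbleapps.io` entry is our reading of the first-stage bubbleapps subdomains, and the log lines are constructed, not the published IoCs.

```python
import re
from urllib.parse import urlparse

# Hostname patterns from the post, grouped by stage. Each '*' is one DNS label
# chosen by the operators; the single-label reading is our assumption to limit false positives.
STAGE_PATTERNS = {
    "stage1_bubbleapps": ["*.bubbleapps.io"],
    "stage2_fake_signin": ["online-app.*.info", "login.*.it.com", "processing.*.info"],
}

def pattern_to_regex(pattern):
    """Turn 'login.*.it.com' into an anchored regex where '*' matches exactly one label."""
    parts = [r"[a-z0-9-]+" if p == "*" else re.escape(p) for p in pattern.split(".")]
    return re.compile("^" + r"\.".join(parts) + "$")

COMPILED = [(stage, p, pattern_to_regex(p)) for stage, pats in STAGE_PATTERNS.items() for p in pats]

def hostname_of(url):
    """Extract a lowercase hostname, accepting defanged input (hxxps://, [.])."""
    clean = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in clean:
        clean = "http://" + clean
    return (urlparse(clean).hostname or "").lower()

def classify(url):
    """Return (stage, pattern) when the URL's host matches a campaign pattern, else None."""
    host = hostname_of(url)
    for stage, pattern, rx in COMPILED:
        if rx.match(host):
            return (stage, pattern)
    return None

# Constructed sample proxy log lines (fictional hosts): timestamp user method url status
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user1 GET hxxps://examplecorp[.]bubbleapps[.]io/version-test/ 200
2024-05-01T09:12:05Z user1 GET https://login.examplecorp.it.com/common/oauth2 200
2024-05-01T09:14:22Z user3 GET https://processing.examplecorp.info/ 200
2024-05-01T09:15:00Z user4 GET https://login.example.com/ 200
"""

def scan_log(text):
    """Return [(line, stage, pattern)] for each log line whose URL field matches a pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        result = classify(fields[3]) if len(fields) > 3 else None
        if result:
            hits.append((line, result[0], result[1]))
    return hits
```

The last sample line (`login.example.com`) is a deliberate near-miss: it shares the `login.` prefix but not the `.it.com` suffix, so it must not match.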
A search on Censys provides several IPs likely linked to this phishing cluster, all associated with AS199785.
🔗 IoCs related to this campaign are available on our Datalake platform for our Managed Threat Intelligence clients:
https://datalake.cert.orangecyberdefense.com/gui/search?query_hash=fbf90e049b33f37bf6e259153e151034
🔗 They are also available on our GitHub: https://github.com/cert-orangecyberdefense/cti/blob/main/bubbleapps%20phishing/iocs