Cybersecurity researchers have uncovered a new phishing campaign targeting European companies to obtain account credentials and take control of victims’ Microsoft Azure cloud infrastructure.
Division 42 of Palo Alto Networks codenamed the company HubPhish for abusing HubSpot’s tools in the attack chain. The targets include at least 20,000 users in the automotive, chemical and industrial industries in Europe.
“Company phishing attempts peaked in June 2024 with fake forms created using HubSpot’s Free Form Builder service,” security researchers Shachar Roitman, Ohad Benjamin Maimon, and William Gamazo said in a report shared with The Hacker News.
The attacks involve sending phishing emails with Docusign-themed baits that invite recipients to view a document, which then redirects users to malicious Links to HubSpot Free Form Builderfrom where they lead to a fake Office 365 Outlook Web App login page to steal their credentials.
Unit 42 said it has identified at least 17 working freeforms used to redirect victims to various threat-monitoring domains. A significant number of these domains were hosted on the “.buzz” top-level domain (TLD).
“The phishing campaign was hosted on various services, including a Bulletproof VPS host,” the company said. “(The threat actor) also used this infrastructure to access compromised Microsoft Azure tenants during an account takeover operation.”
After successfully gaining access to the account, the threat behind the company was detected to add a new device under their control to the account to establish resilience.
“The threat actors directed the phishing campaign to the victim’s Microsoft Azure cloud infrastructure through credential harvesting attacks on the phishing victim’s end computer,” said Unit 42. “They then monitored this activity with lateral moves to the cloud.”
Development happens just like attackers spotted impersonating SharePoint in phishing emails designed to deliver a family of information-stealing malware called XLoader (successor to Formbook).
Phishing attacks too more and more often find new ways to circumvent email security measures, the latest of which is to abuse legitimate services such as Google Calendar and Google Drawingsand counterfeiting the brands of email security vendors such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.
Those using the trust associated with Google services include sending emails including a calendar file (.ICS) with a link to Google Forms or Google Drawings. Users who click on a link are prompted to click on another, usually disguised as a reCAPTCHA or a support button. After clicking on this link, victims are redirected to fake pages that commit financial scams.
Users are recommended turn on “known senders” setting in Google calendar to protect against this kind of phishing attacks.
