A sophisticated phishing operation targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been discovered exploiting HubSpot’s services to harvest Microsoft Azure credentials. According to Palo Alto Networks’ Unit 42 research team, the campaign has compromised approximately 20,000 user accounts between June and September 2024.
Attack Methodology
The threat actors leveraged HubSpot’s legitimate Free Form Builder feature to create deceptive forms, utilizing at least seventeen different variations. These forms served as a gateway to redirect victims to fraudulent login pages hosted on ‘.buzz’ domains, which mimicked Microsoft Outlook Web App and Azure portals.
The attackers enhanced their credibility by:
– Using DocuSign-branded phishing messages
– Creating fake document management system pages
– Impersonating French notary offices
– Developing organization-specific login portals
Technical Details
While the campaign successfully evaded some email security tools by utilizing legitimate HubSpot links, the phishing emails failed standard security checks including:
– SPF (Sender Policy Framework)
– DKIM (DomainKeys Identified Mail)
– DMARC (Domain-based Message Authentication, Reporting, and Conformance)
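As an added example (not from Unit 42 or the original article), the following triage check shows how a defender can use exactly the signals above: it parses the RFC 8601 Authentication-Results header for SPF/DKIM/DMARC outcomes and flags messages that fail all three while carrying a HubSpot form link or a '.buzz' destination. The sample message, the HubSpot hostnames (`hubspot.com`, `hsforms.com`) and the verdict labels are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# RFC 8601 Authentication-Results results look like "spf=fail ... dkim=fail ... dmarc=fail"
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed lure hosts: HubSpot form-hosting domains and the '.buzz' TLD named in the report
LURE_DOMAINS = ("hubspot.com", "hsforms.com", "buzz")


def parse_auth_results(header_value: str) -> dict:
    """Map each authentication method (spf/dkim/dmarc) to its lowercase result."""
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header_value or "")}


def lure_urls(body: str) -> list:
    """Return URLs whose hostname is, or sits under, one of the assumed lure domains."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
            hits.append(url)
    return hits


def assess_message(raw: str) -> dict:
    """Combine failed authentication with lure links into a triage verdict."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # Anything other than an explicit pass (including a missing result) counts as not passing
    not_passing = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    urls = lure_urls(body)
    if urls and len(not_passing) == 3:
        verdict = "quarantine"   # all three checks failed and a lure link is present
    elif urls or not_passing:
        verdict = "review"
    else:
        verdict = "clean"
    return {"not_passing": not_passing, "lure_urls": urls, "verdict": verdict}


# Constructed sample mirroring the campaign: DocuSign-style lure, all checks failing
SAMPLE = """\
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=notary.example; dkim=fail header.d=notary.example; dmarc=fail header.from=notary.example
From: "DocuSign" <notify@notary.example>
Subject: Document ready for review
Content-Type: text/plain

Please review the shared document: https://share.hsforms.com/CONSTRUCTED-ID
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE))
```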
Post-Compromise Activities
After successful breaches, attackers:
– Used VPNs to appear local to compromised organizations
– Engaged in “tug-of-war” account control battles with IT teams
– Attempted immediate password resets upon detection
Though many campaign servers are now offline, this attack demonstrates the growing sophistication of threat actors in abusing legitimate services to bypass security measures.