Massive European Cyberattack: 20,000 Users Targeted in Sophisticated HubSpot Phishing Scheme

European Companies Targeted in Large-Scale Azure Cloud Phishing Campaign

A sophisticated phishing operation, dubbed “HubPhish,” has been discovered targeting European manufacturing companies, potentially compromising their Microsoft Azure cloud infrastructure. Palo Alto Networks Unit 42 researchers revealed that over 20,000 users in automotive, chemical, and industrial manufacturing sectors have been targeted.

The campaign, which peaked in June 2024, exploits HubSpot’s Free Form Builder service to create convincing phishing forms. Attackers deploy Docusign-themed emails that redirect victims through HubSpot forms to fake Office 365 Outlook login pages, where credentials are harvested.

Key Features of the Attack:
– 17 distinct Free Forms identified, directing victims to malicious domains
– Predominant use of “.buzz” top-level domains
– Infrastructure hosted on Bulletproof VPS
– Post-compromise device addition for persistent access
– Lateral movement from compromised endpoints to cloud infrastructure
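One way to hunt for the redirect chain described above in web-proxy logs, as an added example that is not from the article or from Unit 42: it flags a user who loads a hosted form page and then reaches a ".buzz" host shortly afterwards. The `hsforms.com` suffix, the three-field log layout and the five-minute window are assumptions to adjust for your environment, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: host suffix seen for hosted HubSpot forms; adjust to your own logs.
FORM_HOST_SUFFIXES = ("hsforms.com",)
SUSPECT_TLDS = ("buzz",)        # TLD named in the article
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed sample proxy log: (ISO timestamp, user, URL)
SAMPLE_LOG = [
    ("2024-06-11T09:00:02", "alice", "https://share.hsforms.com/constructed-form-id"),
    ("2024-06-11T09:00:41", "alice", "https://login.example-constructed.buzz/owa/"),
    ("2024-06-11T09:03:10", "bob", "https://share.hsforms.com/constructed-form-id"),
    ("2024-06-11T09:50:00", "bob", "https://news.example-constructed.buzz/"),
    ("2024-06-11T10:00:00", "carol", "https://login.example-constructed.buzz/owa/"),
    ("2024-06-11T10:01:00", "dave", "https://SHARE.HSFORMS.COM./x"),
    ("2024-06-11T10:01:30", "dave", "https://nothsforms.com.example.org/"),
]

def host_of(url):
    # Normalise case and a trailing root dot so suffix checks cannot be sidestepped.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_form_host(host):
    # Match the suffix on a label boundary, so "nothsforms.com" does not count.
    return any(host == s or host.endswith("." + s) for s in FORM_HOST_SUFFIXES)

def is_suspect_tld(host):
    return host.rsplit(".", 1)[-1] in SUSPECT_TLDS

def find_form_to_tld_hops(records, window=WINDOW):
    """Return one hit per suspect-TLD request that follows a form visit within the window."""
    last_form = {}   # user -> (time, url) of the most recent form page
    hits = []
    for ts, user, url in sorted(records):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        host = host_of(url)
        if is_form_host(host):
            last_form[user] = (when, url)
        elif is_suspect_tld(host) and user in last_form:
            form_when, form_url = last_form[user]
            if when - form_when <= window:
                hits.append({"user": user, "form": form_url, "landing": host,
                             "seconds": int((when - form_when).total_seconds())})
    return hits
```

A hit is a lead for triage rather than proof of credential theft; the account's subsequent sign-ins and device registrations are the next thing to review.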

The researchers also noted parallel threats, including:
– XLoader malware deployment via SharePoint impersonation
– Novel phishing techniques using Google Calendar and Drawings
– Impersonation of major email security providers

Security Recommendation:
Users are advised to enable “known senders” settings in Google Calendar and maintain vigilant email security practices to prevent such sophisticated phishing attempts.
