Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims’ Microsoft Azure cloud infrastructure.
The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.
“The campaign’s phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service,” security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.
The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.
Unit 42 said it identified no less than 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant chunk of those domains were hosted on the “.buzz” top-level domain (TLD).
“The phishing campaign was hosted across various services, including Bulletproof VPS host,” the company said. “[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation.”
Upon gaining successful access to an account, the threat behind the campaign has been found to add a new device under their control to the account so as to establish persistence.
“Threat actors directed the phishing campaign to target the victim’s Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim’s endpoint computer,” Unit 42 said. “They then followed this activity with lateral movement operations to the cloud.”
The development comes as attackers have been spotted impersonating SharePoint in phishing emails that are designed to deliver an information stealer malware family called XLoader (a successor to Formbook).
Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.
Those that exploit the trust associated with Google services involve sending emails including a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, which is typically disguised as a reCAPTCHA or support button. Once this link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.
Users are advised to enable the “known senders” setting in Google Calendar to protect against this kind of phishing attack.
