Hackers Exploit HubSpot Forms to Steal Microsoft Azure Credentials from Thousands

Share:

A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been leveraging HubSpot’s Free Form Builder and DocuSign-like PDFs to steal Microsoft Azure account credentials.

Overview of the attack
Source: Unit 42

Key Findings:

  • Scope of Attack: The campaign, active from June to September 2024, reportedly compromised approximately 20,000 accounts across European companies, according to Palo Alto Networks’ Unit 42 researchers.
  • Abuse of HubSpot: Threat actors used HubSpot Form Builder to craft at least 17 deceptive forms, redirecting victims to credential-harvesting pages mimicking Microsoft Outlook Web AppAzure login portals, and other legitimate services.
  • Delivery Mechanism: Phishing emails branded with DocuSign contained links to HubSpot forms via PDFs or embedded HTML. These emails bypassed some detection mechanisms due to the use of a legitimate service (HubSpot).

Attack Workflow:

  • Phishing Email: Emails mimicked DocuSign or other trusted services with links pointing to HubSpot forms. 

    Phishing email sample
    Source: Unit 42

  • HubSpot Forms: Victims interacted with fake forms hosted on HubSpot’s legitimate platform.
    Deceptive HubSpot form

    Source: Unit 42
  • Credential Harvesting: Victims were redirected to attacker-controlled sites hosted on “.buzz” domains impersonating login portals.
    Phishing page targeting Outlook accounts

    Source: Unit 42
  • Post-Compromise Activity:
    • Threat actors used VPNs to simulate the victim’s country.
    • If IT attempted to recover the compromised account, attackers engaged in a “tug-of-war” by initiating password resets.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Why the Campaign Succeeded:

  • Legitimate Service Usage: The phishing emails leveraged HubSpot, making them appear less suspicious to email filters.
  • Weak Email Authentication: While the emails failed SPFDKIM, and DMARC checks, the association with HubSpot still allowed many to bypass email security tools.

Indicators of Compromise (IoCs):

  • Autonomous System Numbers (ASN): Novel ASNs were used in the attack.
  • User-Agent Strings: Unusual and specific user-agent strings were identified.

Trending: Essential Skills Every Hacker Should Master

Trending: Recon Tool: Exposor

Lessons for Organizations:

  • Email Security Measures: Implement robust SPFDKIM, and DMARC policies to mitigate phishing risks.
  • Monitor Legitimate Service Abuse: Be aware that trusted platforms like HubSpot can be abused as intermediaries.
  • Employee Training: Educate employees on identifying phishing campaigns, particularly those mimicking trusted services like DocuSign.
  • Incident Response Plans: Prepare for account recovery scenarios to handle post-compromise activities like password-reset tug-of-wars effectively.

Trending: Exploiting Windows UI Automation: A New Stealthy Attack Vector

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: info@blackhatethicalhacking.com

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
Austria, AT
8:55 pm, Dec 27, 2024
weather icon 1°C
L: 1° H: 1°
few clouds
Humidity 81 %
Pressure 1035 mb
Wind 6 mph SSE
Wind Gust Wind Gust: 4 mph
UV Index UV Index: 0
Precipitation Precipitation: 0 mm
Clouds Clouds: 23%
Rain Chance Rain Chance: 0%
Visibility Visibility: 10 km
Sunrise Sunrise: 7:53 am
Sunset Sunset: 4:22 pm
DailyHourly
Daily ForecastHourly Forecast
Scroll to Top