Hackers Exploit HubSpot Forms to Steal Microsoft Azure Credentials from Thousands

A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been leveraging HubSpot’s Free Form Builder and DocuSign-like PDFs to steal Microsoft Azure account credentials.

Overview of the attack
Source: Unit 42

Key Findings:

  • Scope of Attack: The campaign, active from June to September 2024, reportedly compromised approximately 20,000 accounts across European companies, according to Palo Alto Networks’ Unit 42 researchers.
  • Abuse of HubSpot: Threat actors used HubSpot Form Builder to craft at least 17 deceptive forms, redirecting victims to credential-harvesting pages mimicking Microsoft Outlook Web App, Azure login portals, and other legitimate services.
  • Delivery Mechanism: Phishing emails branded with DocuSign contained links to HubSpot forms via PDFs or embedded HTML. These emails bypassed some detection mechanisms due to the use of a legitimate service (HubSpot).

Attack Workflow:

  • Phishing Email: Emails mimicked DocuSign or other trusted services with links pointing to HubSpot forms. 

    Phishing email sample
    Source: Unit 42

  • HubSpot Forms: Victims interacted with fake forms hosted on HubSpot’s legitimate platform.
    Deceptive HubSpot form

    Source: Unit 42
  • Credential Harvesting: Victims were redirected to attacker-controlled sites hosted on “.buzz” domains impersonating login portals.
    Phishing page targeting Outlook accounts

    Source: Unit 42
  • Post-Compromise Activity:
    • Threat actors used VPNs to simulate the victim’s country.
    • If IT attempted to recover the compromised account, attackers engaged in a “tug-of-war” by initiating password resets.

Why the Campaign Succeeded:

  • Legitimate Service Usage: The phishing emails leveraged HubSpot, making them appear less suspicious to email filters.
  • Weak Email Authentication: While the emails failed SPF, DKIM, and DMARC checks, the association with HubSpot still allowed many to bypass email security tools.
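
The combination described above (failed SPF, DKIM and DMARC, DocuSign branding, a link to a hosted form) can be checked per message at triage time. The following is an added example, not code from Unit 42 or the original article; the sample message, the `mx.victim.example` authserv-id, the form host and the brand domain list are all assumptions to replace with your own values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample; every host and address is a placeholder.
SAMPLE = """\
From: "DocuSign" <notify@mailer.example.net>
Authentication-Results: mx.victim.example;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=fail header.d=mailer.example.net;
 dmarc=fail header.from=mailer.example.net

View document: https://forms.saas-host.example/submit/abc
"""
TRUSTED_AUTHSERV = "mx.victim.example"    # assumption: your own inbound MX id
FORM_HOSTS = {"forms.saas-host.example"}  # assumption: form-builder hosts to watch
BRANDS = {"docusign": ("docusign.com", "docusign.net")}  # assumption: adjust

def auth_results(msg):
    # Collect spf/dkim/dmarc verdicts, trusting only the header our own MX added.
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";")[0].strip() != TRUSTED_AUTHSERV:
            continue  # headers stamped by other hosts can be forged
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def triage(raw):
    msg, reasons = message_from_string(raw), []
    auth = auth_results(msg)
    failed = sorted(m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass")
    if failed:
        reasons.append("auth-not-pass:" + ",".join(failed))
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRANDS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not owned:
            reasons.append("brand-mismatch:" + brand)
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in FORM_HOSTS:
            reasons.append("form-builder-link:" + host)
        if host.endswith(".buzz"):  # TLD named in the campaign write-up
            reasons.append("buzz-tld-link:" + host)
    return reasons
```

A message that trips all three reasons is worth quarantining even when the linked host belongs to a legitimate SaaS provider.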

Indicators of Compromise (IoCs):

  • Autonomous System Numbers (ASN): Novel ASNs were used in the attack.
  • User-Agent Strings: Unusual and specific user-agent strings were identified.
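
Because the actors used VPNs to appear in the victim's country, a country check alone will not surface these sign-ins; the ASN and user-agent indicators above will. The following added example (not from the original article) baselines each account and flags a sign-in whose ASN and user-agent are both new. The records, field names and user-agent values are constructed, and the ASNs are taken from the range reserved for documentation.

```python
from collections import defaultdict

UA_EDGE = "Mozilla/5.0 (Windows NT 10.0) Edg/126"   # constructed
UA_FF = "Mozilla/5.0 (X11; Linux) Firefox/127"      # constructed

# Constructed, time-ordered sign-in records; field names are assumptions,
# not a real log schema. ASNs 64496-64511 are reserved for documentation.
SIGNINS = [
    {"user": "a.mueller", "country": "DE", "asn": 64496, "ua": UA_EDGE},
    {"user": "a.mueller", "country": "DE", "asn": 64496, "ua": UA_EDGE},
    {"user": "j.smith", "country": "GB", "asn": 64497, "ua": UA_FF},
    # Same country as the baseline, but a new network and a new client.
    {"user": "a.mueller", "country": "DE", "asn": 64500, "ua": "sample-client/1.0"},
    {"user": "j.smith", "country": "GB", "asn": 64497, "ua": UA_FF},
    # New network only (for example a mobile hotspot): not flagged.
    {"user": "j.smith", "country": "GB", "asn": 64501, "ua": UA_FF},
    {"user": "a.mueller", "country": "DE", "asn": 64496, "ua": UA_EDGE},
]

def flag_signins(events, min_history=2):
    """Return (index, user, geo) for sign-ins with an unseen ASN AND unseen UA."""
    seen = defaultdict(lambda: {"asn": set(), "ua": set(), "country": set(), "n": 0})
    alerts = []
    for i, e in enumerate(events):
        base = seen[e["user"]]
        if base["n"] >= min_history:  # need some history before judging
            new_asn = e["asn"] not in base["asn"]
            new_ua = e["ua"] not in base["ua"]
            if new_asn and new_ua:
                in_geo = e["country"] in base["country"]
                alerts.append((i, e["user"], "same-country" if in_geo else "new-country"))
                continue  # keep suspicious values out of the baseline
        for key in ("asn", "ua", "country"):
            base[key].add(e[key])
        base["n"] += 1
    return alerts
```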

Lessons for Organizations:

  • Email Security Measures: Implement robust SPFDKIM, and DMARC policies to mitigate phishing risks.
  • Monitor Legitimate Service Abuse: Be aware that trusted platforms like HubSpot can be abused as intermediaries.
  • Employee Training: Educate employees on identifying phishing campaigns, particularly those mimicking trusted services like DocuSign.
  • Incident Response Plans: Prepare for account recovery scenarios to handle post-compromise activities like password-reset tug-of-wars effectively.
