Hackers Exploit HubSpot Forms to Steal Microsoft Azure Credentials from Thousands


A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been leveraging HubSpot’s Free Form Builder and DocuSign-like PDFs to steal Microsoft Azure account credentials.

[Figure: Overview of the attack. Source: Unit 42]

Key Findings:

  • Scope of Attack: The campaign, active from June to September 2024, reportedly compromised approximately 20,000 accounts across European companies, according to Palo Alto Networks’ Unit 42 researchers.
  • Abuse of HubSpot: Threat actors used HubSpot Form Builder to craft at least 17 deceptive forms, redirecting victims to credential-harvesting pages mimicking Microsoft Outlook Web App, Azure login portals, and other legitimate services.
  • Delivery Mechanism: Phishing emails branded with DocuSign contained links to HubSpot forms via PDFs or embedded HTML. These emails bypassed some detection mechanisms due to the use of a legitimate service (HubSpot).

 

Attack Workflow:

  • Phishing Email: Emails mimicked DocuSign or other trusted services with links pointing to HubSpot forms.
    [Figure: Phishing email sample. Source: Unit 42]
  • HubSpot Forms: Victims interacted with fake forms hosted on HubSpot’s legitimate platform.
    [Figure: Deceptive HubSpot form. Source: Unit 42]
  • Credential Harvesting: Victims were redirected to attacker-controlled sites hosted on “.buzz” domains impersonating login portals.
    [Figure: Phishing page targeting Outlook accounts. Source: Unit 42]
  • Post-Compromise Activity:
    • Threat actors used VPNs to simulate the victim’s country.
    • If IT attempted to recover the compromised account, attackers engaged in a “tug-of-war” by initiating password resets.


Why the Campaign Succeeded:

  • Legitimate Service Usage: The phishing emails leveraged HubSpot, making them appear less suspicious to email filters.
  • Weak Email Authentication: While the emails failed SPF, DKIM, and DMARC checks, the association with HubSpot still allowed many to bypass email security tools.

Indicators of Compromise (IoCs):

  • Autonomous System Numbers (ASN): Novel ASNs were used in the attack.
  • User-Agent Strings: Unusual and specific user-agent strings were identified.


Lessons for Organizations:

  • Email Security Measures: Implement robust SPF, DKIM, and DMARC policies to mitigate phishing risks.
  • Monitor Legitimate Service Abuse: Be aware that trusted platforms like HubSpot can be abused as intermediaries.
  • Employee Training: Educate employees on identifying phishing campaigns, particularly those mimicking trusted services like DocuSign.
  • Incident Response Plans: Prepare for account recovery scenarios to handle post-compromise activities like password-reset tug-of-wars effectively.
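
A triage check for the pattern described above (mail that fails SPF, DKIM or DMARC yet links to a form-builder host, or links to a “.buzz” domain), added here as an example and not taken from Unit 42 or the article. The `hsforms.com` suffix, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption, not from the article: the form-hosting suffix list. ".buzz" is
# the TLD the article names for the credential-harvesting pages.
FORM_HOST_SUFFIXES = ("hsforms.com",)
WATCHED_TLDS = (".buzz",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_failures(msg):
    """Mechanisms without a 'pass' verdict; a missing verdict counts as a failure."""
    seen = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            seen.setdefault(mech.lower(), verdict.lower())
    return sorted(m for m in ("spf", "dkim", "dmarc") if seen.get(m) != "pass")

def link_hosts(msg):
    """Lower-cased hostnames of every http(s) URL found in the text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            try:
                host = urlparse(url).hostname
            except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
                continue
            if host:
                hosts.add(host.lower())
    return hosts

def triage(raw):
    msg = message_from_string(raw)
    failed, hosts = auth_failures(msg), link_hosts(msg)
    forms = sorted(h for h in hosts
                   if any(h == s or h.endswith("." + s) for s in FORM_HOST_SUFFIXES))
    watched = sorted(h for h in hosts if h.endswith(WATCHED_TLDS))
    # Alert on the combination the article describes, not on form links alone.
    return {"failed_auth": failed, "form_hosts": forms, "watched_tld_hosts": watched,
            "alert": bool(failed and forms) or bool(watched)}

# Constructed sample messages (not real campaign mail).
SAMPLE_PHISH = ("Subject: Document ready for signature\n"
                "Authentication-Results: mx.example; spf=fail; dkim=fail; dmarc=fail\n\n"
                "Review: https://share.hsforms.com/CONSTRUCTED-ID\n")
SAMPLE_OK = SAMPLE_PHISH.replace("=fail", "=pass")
```

Calling `triage(SAMPLE_PHISH)` raises an alert, while `triage(SAMPLE_OK)` reports the same form host without alerting because authentication passed.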
