Hackers Exploit HubSpot Forms to Steal Microsoft Azure Credentials from Thousands


A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been leveraging HubSpot’s Free Form Builder and DocuSign-like PDFs to steal Microsoft Azure account credentials.

Overview of the attack
Source: Unit 42

Key Findings:

  • Scope of Attack: The campaign, active from June to September 2024, reportedly compromised approximately 20,000 accounts across European companies, according to Palo Alto Networks’ Unit 42 researchers.
  • Abuse of HubSpot: Threat actors used HubSpot Form Builder to craft at least 17 deceptive forms, redirecting victims to credential-harvesting pages mimicking Microsoft Outlook Web App, Azure login portals, and other legitimate services.
  • Delivery Mechanism: Phishing emails branded with DocuSign contained links to HubSpot forms via PDFs or embedded HTML. These emails bypassed some detection mechanisms due to the use of a legitimate service (HubSpot).

Attack Workflow:

  • Phishing Email: Emails mimicked DocuSign or other trusted services with links pointing to HubSpot forms. 

    Phishing email sample
    Source: Unit 42

  • HubSpot Forms: Victims interacted with fake forms hosted on HubSpot’s legitimate platform.
    Deceptive HubSpot form

    Source: Unit 42
  • Credential Harvesting: Victims were redirected to attacker-controlled sites hosted on “.buzz” domains impersonating login portals.
    Phishing page targeting Outlook accounts

    Source: Unit 42
  • Post-Compromise Activity:
    • Threat actors used VPNs to simulate the victim’s country.
    • If IT attempted to recover the compromised account, attackers engaged in a “tug-of-war” by initiating password resets.


Why the Campaign Succeeded:

  • Legitimate Service Usage: The phishing emails leveraged HubSpot, making them appear less suspicious to email filters.
  • Weak Email Authentication: While the emails failed SPF, DKIM, and DMARC checks, the association with HubSpot still allowed many to bypass email security tools.
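
The combination described above (mail that fails SPF, DKIM and DMARC yet links to a trusted form host or a ".buzz" page) can be turned into a triage rule. The sketch below is an added example, not code from Unit 42 or the article; the `hsforms.com` suffix for HubSpot-hosted forms and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from urllib.parse import urlparse

# Assumption (not from the article): HubSpot-hosted forms live under this suffix.
FORM_SUFFIXES = ("hsforms.com",)
# From the article: harvesting pages were hosted on ".buzz" domains.
SUSPECT_TLDS = ("buzz",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def under(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (label-aligned)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def auth_failures(msg):
    """Mechanisms whose Authentication-Results verdict is missing or not 'pass'."""
    seen = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            seen[mech.lower()] = verdict.lower()
    return sorted(m for m in ("spf", "dkim", "dmarc") if seen.get(m) != "pass")

def link_hosts(msg):
    """Lower-cased hostnames of every http(s) URL found in text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hosts.update(h.lower() for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h)
    return hosts

def triage(raw):
    """Flag mail that fails sender authentication and links to a form host or suspect TLD."""
    msg = email.message_from_string(raw)
    failed, hosts = auth_failures(msg), link_hosts(msg)
    form = sorted(h for h in hosts if under(h, FORM_SUFFIXES))
    tld = sorted(h for h in hosts if under(h, SUSPECT_TLDS))
    return {"failed": failed, "form_hosts": form, "suspect_hosts": tld,
            "quarantine": bool(failed) and bool(form or tld)}

# Constructed sample messages (not taken from the campaign).
LURE = ("Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=a.example;"
        " dkim=fail header.d=a.example; dmarc=fail\n"
        "Subject: Document ready\n\nReview: https://share.hsforms.com/EXAMPLE-FORM-ID\n")
NEWSLETTER = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
              "Subject: Survey\n\nFeedback form: https://share.hsforms.com/EXAMPLE-SURVEY\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(name, triage(raw))
```

The rule keys on the authentication verdict rather than on the form host alone, so an authenticated message that links to the same form service is not quarantined.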

Indicators of Compromise (IoCs):

  • Autonomous System Numbers (ASN): Novel ASNs were used in the attack.
  • User-Agent Strings: Unusual and specific user-agent strings were identified.


Lessons for Organizations:

  • Email Security Measures: Implement robust SPF, DKIM, and DMARC policies to mitigate phishing risks.
  • Monitor Legitimate Service Abuse: Be aware that trusted platforms like HubSpot can be abused as intermediaries.
  • Employee Training: Educate employees on identifying phishing campaigns, particularly those mimicking trusted services like DocuSign.
  • Incident Response Plans: Prepare for account recovery scenarios to handle post-compromise activities like password-reset tug-of-wars effectively.

