A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK has been leveraging HubSpot’s Free Form Builder and DocuSign-like PDFs to steal Microsoft Azure account credentials.
Overview of the attack
Source: Unit 42
Key Findings:
- Scope of Attack: The campaign, active from June to September 2024, reportedly compromised approximately 20,000 accounts across European companies, according to Palo Alto Networks’ Unit 42 researchers.
- Abuse of HubSpot: Threat actors used HubSpot Form Builder to craft at least 17 deceptive forms, redirecting victims to credential-harvesting pages mimicking Microsoft Outlook Web App, Azure login portals, and other legitimate services.
- Delivery Mechanism: Phishing emails branded with DocuSign contained links to HubSpot forms via PDFs or embedded HTML. These emails bypassed some detection mechanisms due to the use of a legitimate service (HubSpot).
Attack Workflow:
- Phishing Email: Emails mimicked DocuSign or other trusted services with links pointing to HubSpot forms.
Phishing email sample
Source: Unit 42 - HubSpot Forms: Victims interacted with fake forms hosted on HubSpot’s legitimate platform.
Deceptive HubSpot form
Source: Unit 42 - Credential Harvesting: Victims were redirected to attacker-controlled sites hosted on “.buzz” domains impersonating login portals.
Phishing page targeting Outlook accounts
Source: Unit 42 - Post-Compromise Activity:
- Threat actors used VPNs to simulate the victim’s country.
- If IT attempted to recover the compromised account, attackers engaged in a “tug-of-war” by initiating password resets.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Why the Campaign Succeeded:
- Legitimate Service Usage: The phishing emails leveraged HubSpot, making them appear less suspicious to email filters.
- Weak Email Authentication: While the emails failed SPF, DKIM, and DMARC checks, the association with HubSpot still allowed many to bypass email security tools.
Indicators of Compromise (IoCs):
- Autonomous System Numbers (ASN): Novel ASNs were used in the attack.
- User-Agent Strings: Unusual and specific user-agent strings were identified.
Trending: Essential Skills Every Hacker Should Master
Trending: Recon Tool: Exposor
Lessons for Organizations:
- Email Security Measures: Implement robust SPF, DKIM, and DMARC policies to mitigate phishing risks.
- Monitor Legitimate Service Abuse: Be aware that trusted platforms like HubSpot can be abused as intermediaries.
- Employee Training: Educate employees on identifying phishing campaigns, particularly those mimicking trusted services like DocuSign.
- Incident Response Plans: Prepare for account recovery scenarios to handle post-compromise activities like password-reset tug-of-wars effectively.
Trending: Exploiting Windows UI Automation: A New Stealthy Attack Vector
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
