Cybersecurity researchers have unveiled a sophisticated phishing operation, dubbed HubPhish, aimed at stealing account credentials from European enterprises. The ultimate goal of the campaign is to compromise the Microsoft Azure cloud infrastructures managed by the victims.
Exploiting HubSpot Tools in the Attack Chain
The operation, identified by Palo Alto Networks’ Unit 42, leverages HubSpot’s tools, particularly its Free Form Builder, to execute the attacks. The campaign’s victims span industries such as automotive, chemical, and industrial manufacturing, with over 20,000 users affected across Europe.
“In June 2024, the campaign reached its peak, utilizing counterfeit forms created via the HubSpot Free Form Builder service,” researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo revealed in a report.
The attackers employed phishing emails masked with DocuSign themes, urging recipients to view documents. Victims clicking the link were redirected to fraudulent HubSpot Free Form Builder pages, ultimately leading to fake Office 365 login screens designed to steal their credentials.
Infrastructure and Tactics
Unit 42 identified at least 17 active Free Forms redirecting victims to various threat actor-controlled domains, many of which were hosted on the “.buzz” TLD. Furthermore, the phishing infrastructure relied on services such as bulletproof VPS hosting, both to host the compromised domains and to access the Azure accounts.
Upon successfully stealing credentials, the attackers secured persistence by registering additional devices under compromised accounts. The subsequent activities included lateral movement within the victim’s Microsoft Azure infrastructure to expand control.
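The chain described above (a lure that hands the browser from a HubSpot form page to a lookalike domain, followed by a device registration shortly after a sign-in from an unfamiliar IP) can be turned into two simple detections. The following is an added example written for this article, not code from Unit 42 or HubSpot; the form hosts, the log line format, and the sample data are assumptions, and every hostname and IP in it is constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: HubSpot forms are served from these hosts; adjust to what your proxy logs show.
FORM_HOSTS = {"share.hsforms.com", "hsforms.com"}
SUSPICIOUS_TLDS = {"buzz"}  # TLD reported in the campaign; extend from your own intel

def _host(url):
    return (urlparse(url).hostname or "").lower()

def is_form_to_suspicious_tld(referrer, destination):
    """True when a HubSpot form page hands the browser off to a host on a suspicious TLD."""
    ref, dst = _host(referrer), _host(destination)
    from_form = any(ref == h or ref.endswith("." + h) for h in FORM_HOSTS)
    return from_form and dst.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS

def flag_proxy_lines(lines):
    """Scan 'timestamp user referrer destination' proxy lines; return (user, destination) hits."""
    hits = []
    for line in lines:
        _ts, user, referrer, destination = line.split()
        if is_form_to_suspicious_tld(referrer, destination):
            hits.append((user, destination))
    return hits

def flag_device_registration(signins, device_events, known_ips, window=timedelta(hours=2)):
    """Flag device registrations that follow a sign-in from an IP never seen for that user."""
    flagged = []
    for dev in device_events:
        for s in signins:
            if s["user"] != dev["user"] or s["ip"] in known_ips.get(s["user"], set()):
                continue
            if 0 <= (dev["ts"] - s["ts"]).total_seconds() <= window.total_seconds():
                flagged.append((dev["user"], s["ip"], dev["device"]))
    return flagged

# Constructed sample data (not real indicators): a DocuSign-themed lure leads alice from a
# form page to a .buzz lookalike, then a sign-in from an unfamiliar IP registers a device.
PROXY_LINES = [
    "2024-06-12T09:14:02 alice https://mail.example.com/docusign https://share.hsforms.com/1abc",
    "2024-06-12T09:14:05 alice https://share.hsforms.com/1abc https://secure-docs-login.buzz/o365",
    "2024-06-12T09:20:11 bob https://share.hsforms.com/2def https://www.example.com/survey",
]
T = datetime(2024, 6, 12, 9, 30)
SIGNINS = [{"user": "alice", "ip": "203.0.113.7", "ts": T},
           {"user": "bob", "ip": "198.51.100.4", "ts": T}]
DEVICE_EVENTS = [{"user": "alice", "device": "DESKTOP-NEW01", "ts": T + timedelta(minutes=25)},
                 {"user": "bob", "device": "LAPTOP-BOB", "ts": T + timedelta(minutes=5)}]
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}
```

Running `flag_proxy_lines(PROXY_LINES)` and `flag_device_registration(SIGNINS, DEVICE_EVENTS, KNOWN_IPS)` flags only alice, whose form-to-.buzz hop and subsequent device registration match the pattern; bob's legitimate form use and known IP do not.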
A Broader Threat Landscape
The HubPhish campaign coincides with a surge in phishing strategies designed to bypass email security systems. Recent observations have revealed attackers masquerading as SharePoint to deliver XLoader malware, a descendant of the notorious Formbook stealer.
Additionally, phishing methods increasingly exploit legitimate services like Google Calendar and Google Drawings. For instance, attackers embed calendar (.ICS) files with links to fraudulent Google Forms or Drawings pages. Victims clicking these links are often directed to spoofed reCAPTCHA pages or fraudulent sites orchestrating financial scams.
Defensive Measures
To mitigate risks from such phishing campaigns, users are advised to:
- Enable Google Calendar’s “known senders” feature to limit event invitations from unknown sources.
- Exercise caution when interacting with links embedded in emails, especially those claiming to originate from trusted platforms.
- Employ robust email security solutions and train employees on recognizing phishing attempts.
This campaign underscores the growing sophistication of cyber threats and the necessity for enhanced vigilance and proactive defenses in the ever-evolving landscape of digital security.