HubSpot phishing targets 20,000 Microsoft Azure accounts

A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK is abusing HubSpot to steal Microsoft Azure account credentials.

The threat actors use HubSpot Free Form Builder links and DocuSign-mimicking PDFs to redirect victims to credential-harvesting pages.

According to Palo Alto Networks' Unit 42 researchers, the campaign, which began in June 2024 and remained active until at least September 2024, has compromised roughly 20,000 accounts.

“Our telemetry indicates the threat actor successfully targeted roughly 20,000 users across various European companies,” explains the Palo Alto Unit 42 report.

HubSpot used for credential harvesting

HubSpot is a legitimate customer relationship management (CRM) platform used in marketing automation, sales, customer service, analytics, and building websites and landing pages.

The Form Builder is a feature that allows users to create custom online forms to capture information from website visitors.

In the phishing campaign Unit 42 tracked, threat actors exploited HubSpot Form Builder to create at least seventeen deceptive forms to lure victims into providing sensitive credentials in the next step.

Deceptive HubSpot form
Source: Unit 42

Although the HubSpot infrastructure itself wasn't compromised, it was used as an intermediate step to lead victims to attacker-controlled sites on '.buzz' domains mimicking Microsoft Outlook Web App and Azure login pages.

Phishing page targeting Outlook accounts
Source: Unit 42

Web pages mimicking DocuSign's document management system, French notary offices, and organization-specific login portals were also used in the attacks.

Victims were directed to those pages by DocuSign-branded phishing messages containing links to HubSpot, either in an attached PDF or in embedded HTML.

Phishing email sample
Source: Unit 42

Because the emails contain links to a legitimate service (HubSpot), they are not typically flagged by email security tools, so they're more likely to reach target inboxes.

However, the phishing emails associated with this campaign failed Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks.
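
The two observations above combine into a mail-triage rule: a message that links to a form-builder host and also fails SPF, DKIM, and DMARC deserves a second look. The Python below is an added example, not code from Unit 42 or the original article; the watched host suffix, the sample message, and every domain in it are constructed placeholders. It assumes your own gateway writes the topmost Authentication-Results header and that links sit in a text or HTML body part (PDF attachments are not parsed).

```python
import re
from email import message_from_string
from email.policy import default

# Assumption: placeholder suffix; replace with the form-hosting domains you want to watch.
FORM_HOST_SUFFIXES = ("forms.hubspot.example",)
METHODS = ("spf", "dkim", "dmarc")
# Captures the host of each http(s) URL, skipping any userinfo before an "@".
HOST_RE = re.compile(r"https?://(?:[^\s/?#@\"'<>]*@)?([^\s/:?#\"'<>]+)", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", re.I)

def auth_results(msg):
    """Map method -> verdict from Authentication-Results; the topmost header wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def form_hosts(msg):
    """Hosts of links in text/HTML parts that fall under a watched form domain."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for host in HOST_RE.findall(part.get_content()):
            host = host.lower().rstrip(".")
            if any(host == s or host.endswith("." + s) for s in FORM_HOST_SUFFIXES):
                hosts.add(host)
    return sorted(hosts)

def triage(raw):
    msg = message_from_string(raw, policy=default)
    verdicts = auth_results(msg)
    # A missing verdict is counted as not passing.
    failed = sorted(m for m in METHODS if verdicts.get(m) != "pass")
    hosts = form_hosts(msg)
    return {"failed_auth": failed, "form_hosts": hosts,
            "suspicious": bool(hosts) and len(failed) == len(METHODS)}

def sample(verdict):
    """Constructed message; every domain in it is a placeholder."""
    return (f"Authentication-Results: mx.rcpt.example; spf={verdict}; dkim={verdict}; dmarc={verdict}\n"
            "From: DocuSign <notify@sender.example>\nSubject: Document ready\n"
            "Content-Type: text/html\n\n"
            '<a href="https://share.forms.hubspot.example/abc">View document</a>\n')

if __name__ == "__main__":
    for v in ("fail", "pass"):
        print(v, triage(sample(v)))
```

A form link on its own is not flagged, since legitimate mail also links to hosted forms; the rule fires only when the link coincides with all three authentication checks not passing.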

Overview of the attack
Source: Unit 42

Post-compromise activity

In cases of successful attacks seen by the researchers, the threat actors used VPNs to make it appear as if they were based in the country of the victimized organization.

“When IT regained control of the account, the attacker immediately initiated a password reset, attempting to regain control,” describe the Unit 42 researchers.

“This created a tug-of-war scenario in which both parties struggled for control over the account.”

Unit 42 also identified a novel Autonomous System Number (ASN) used in the campaign, which can be used for threat identification along with specific, unusual user-agent strings.

Although most of the servers that acted as the backbone of the phishing campaign have long gone offline, the activity is yet another example of legitimate service abuse, as threat actors constantly explore new avenues to bypass security tools.
