A newly uncovered phishing campaign dubbed “HubPhish” has targeted over 20,000 users across Europe’s automotive, chemical, and industrial sectors. Disclosed by Palo Alto Networks Unit 42, the campaign aimed to harvest credentials and infiltrate Microsoft Azure cloud environments by abusing HubSpot’s Free Form Builder service. Attackers crafted Docusign-themed phishing emails to lure recipients into clicking malicious links that redirected them to fake Office 365 login pages. The phishing activity reached its peak in June 2024, using deceptive tactics to bypass security measures and gain unauthorized access.
The operation was sophisticated, leveraging 17 active Free Forms hosted on domains under the “.buzz” top-level domain. While HubSpot’s infrastructure itself remained uncompromised, the attackers exploited its Free Form Builder to add a veneer of legitimacy to their phishing attempts. Upon stealing victims’ credentials, the attackers secured persistence by adding their own devices to the compromised Microsoft Azure accounts. This access enabled them to conduct lateral movement, further expanding their control within the targeted environments.
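The persistence step described above, registering an attacker-controlled device to a freshly phished account, is visible to defenders as a device-registration audit event that closely follows a sign-in from an untrusted network. The following detection logic is an added example and not part of Unit 42’s reporting; the record field names, the “Add registered device” activity string, the trusted network range, and all sample records are constructed assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID sign-in and audit log entries (field names assumed).
SIGNINS = [
    {"user": "alice@example.com", "ip": "10.20.0.5",    "time": "2024-06-12T08:01:00"},
    {"user": "bob@example.com",   "ip": "203.0.113.77", "time": "2024-06-12T09:14:00"},
    {"user": "carol@example.com", "ip": "10.20.0.9",    "time": "2024-06-12T09:30:00"},
]
AUDITS = [
    {"user": "alice@example.com", "activity": "Add registered device", "device": "DESKTOP-A1",  "time": "2024-06-12T08:05:00"},
    {"user": "bob@example.com",   "activity": "Add registered device", "device": "WIN-UNKNOWN1", "time": "2024-06-12T09:20:00"},
    {"user": "carol@example.com", "activity": "Update user",           "device": None,          "time": "2024-06-12T09:31:00"},
]
# Constructed: the organisation's own address space, treated as trusted.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(ip, nets):
    """True when the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def flag_device_registrations(signins, audits, trusted_nets, window_minutes=60):
    """Return device registrations preceded, within the window, by a sign-in from an untrusted network."""
    flagged = []
    for ev in audits:
        if ev["activity"] != "Add registered device":
            continue
        t_ev = datetime.fromisoformat(ev["time"])
        for si in signins:
            if si["user"] != ev["user"]:
                continue
            delta = t_ev - datetime.fromisoformat(si["time"])
            # Sign-in must precede the registration and be recent; trusted sources are not alerted on.
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes) and not is_trusted(si["ip"], trusted_nets):
                flagged.append({"user": ev["user"], "device": ev["device"], "source_ip": si["ip"]})
                break
    return flagged


if __name__ == "__main__":
    for hit in flag_device_registrations(SIGNINS, AUDITS, TRUSTED_NETS):
        print(f"ALERT: {hit['user']} registered {hit['device']} after sign-in from {hit['source_ip']}")
```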
The attackers utilized bulletproof VPS hosting to manage their phishing infrastructure, illustrating a calculated approach to circumventing detection. This campaign reflects a broader trend of abusing legitimate services to carry out phishing attacks. For instance, recent phishing schemes have also misused trusted platforms like Google Calendar and Google Drawings, embedding malicious links that bypass traditional email security measures. These links often lead to fake login pages or financial scams, exploiting users’ trust in well-known services.
The HubPhish campaign underscores the growing sophistication of phishing attacks and the need for robust defenses. Organizations are urged to enhance their email and endpoint security and to educate users about recognizing phishing attempts. Proactive measures, such as enabling “known senders” settings in services like Google Calendar and adopting advanced threat detection tools, are critical in countering evolving threats. As attackers continue to exploit trusted platforms, vigilance remains essential to safeguarding sensitive data and cloud infrastructures.