Large-scale phishing campaign cracked 20,000 European Azure accounts


Cybercriminals abused HubSpot and DocuSign to target European companies. The campaign compromised 20,000 Microsoft Azure accounts.

Palo Alto’s Unit 42 research team is warning of a large-scale phishing campaign in Europe. The attacks mainly target companies in the chemical, automotive and industrial manufacturing sectors, and with success: between June and September, about 20,000 Microsoft Azure accounts were reportedly compromised.


The modus operandi reads like a classic phishing attack. The attackers misused DocuSign and/or the HubSpot online marketing platform to fool their targets, but the goal is the familiar one: get the victim to click on a malicious link in an email and hand over their login credentials.

Tug of War

Palo Alto’s blog elaborates on how the phishing attacks work. The attackers used the HubSpot Form Builder to create a fill-in form that harvests the victims’ login credentials. They then delivered a link to that form either directly in the email or through a DocuSign attachment.

[Figure] A phishing email mimicking DocuSign. Source: Palo Alto Networks

So while no hacking took place on HubSpot’s own systems, the platform inadvertently played an important role in the campaign. Because HubSpot is considered a legitimate tool, the emails slipped through mail server spam filters. Additional checks on the sender address and the domains linked in the message, among other things, would have raised red flags.

Once inside, the attacker turns on a VPN so that their logins appear to come from the country of the affected organization. As soon as the IT admins notice something, a password reset is performed. This creates a “tug-of-war” scenario in which admins and intruders battle for control of the account, the researchers write.

The worst seems to be behind us. The servers that supported the phishing campaign have already been taken offline. However, the danger of phishing is far from over.