Researchers have uncovered a new phishing campaign targeting European companies that seeks to harvest login credentials and take control of the affected organizations’ Microsoft Azure cloud environments.
The campaign, which Palo Alto Networks’ Unit 42 tracks as HubPhish, is a notable example of an adversary abusing HubSpot tools in its attack chain. Its targets comprised at least 20,000 organizations across several sectors, including automotive, chemical, and industrial compounds, all located in Europe.
The phishing activity peaked in June 2024, with fake forms built using the HubSpot Free Template Builder service, according to security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo, who shared their findings with The Hacker News.
Attackers craft phishing emails masquerading as Docusign notifications, tricking victims into opening a “document” that instead takes them to a fake Microsoft Office 365 Outlook Web App login page designed to harvest their login credentials.
The Unit 42 threat intelligence team identified at least 17 working free forms that the attackers used to redirect victims to attacker-controlled domains. The majority of these domains were hosted under the “.buzz” top-level domain (TLD).
“The phishing campaign operated across multiple providers, including the notorious Bulletproof VPS host,” the company disclosed. “The threat actor leveraged this infrastructure to infiltrate compromised Microsoft Azure tenants as part of its elaborate account takeover strategy.”
After gaining access to an account, the threat actor behind the campaign has been observed adding a new device under their control to the account in order to maintain persistent access.
“Threat actors orchestrated a phishing campaign targeting victims’ Microsoft Azure cloud infrastructure through credential-harvesting attacks on their endpoint PCs,” according to Unit 42. “They subsequently incorporated a modified version of this exercise, incorporating lateral movements in tandem with cloud-based operations.”
The disclosure comes as attackers have also been observed impersonating SharePoint in phishing emails to deliver an information-stealing malware family that is a successor to Formbook.
Phishing attacks continue to evolve to bypass email security controls. The latest tactics include abusing legitimate service providers such as Microsoft, as well as spoofing popular email security vendors like Proofpoint, Barracuda Networks, Mimecast, and Virtru.
Phishers also exploit users’ trust in Google services by sending emails with a calendar (.ICS) file attached, which contains a link redirecting users to fake Google Drive or Google Drawings pages. Users who click the initial link are taken to a further prompt, typically disguised as a reCAPTCHA or support mechanism. Once they click that link, they are redirected to fraudulent websites designed to defraud them financially.
To protect against this type of phishing attack, users are advised to enable the “known senders” setting in their Google Calendar.
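As an added example that is not part of the original report, the following defender-side check scans an .ICS attachment for the embedded links described above, correctly joining RFC 5545 folded lines (a link split across a continuation line would otherwise be truncated), and flags any URL whose host is not a Google domain or that sits under a suspicious TLD such as the “.buzz” domains noted in the HubPhish section. The sample invite and its domains are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample .ICS attachment mimicking the calendar-invite lure:
# the DESCRIPTION carries a look-alike "Google Drive" link, folded across
# two lines as RFC 5545 allows. Domains are placeholders, not real IoCs.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "SUMMARY:Shared document",
    "DESCRIPTION:View the file at https://drive-google-docs.example-lure.buzz/",
    " open?id=123 before it expires",
    "URL:https://calendar.google.com/calendar/event?eid=abc",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Hosts a genuine Google Calendar invite would normally reference (assumption).
EXPECTED_SUFFIXES = ("google.com", "googleusercontent.com")
# TLD the report notes the HubPhish redirect domains were hosted under.
SUSPICIOUS_TLDS = ("buzz",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics_text: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines: list[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def suspicious_links(ics_text: str) -> list[str]:
    """Return every URL in the invite that is off-Google or on a suspicious TLD."""
    flagged = []
    for line in unfold(ics_text):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            trusted = any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)
            bad_tld = host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS
            if not trusted or bad_tld:
                flagged.append(url)
    return flagged
```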