Wednesday, December 18, 2024

HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft

Dec 18, 2024 Ravie Lakshmanan Email Security / Cloud Security


Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with the aim of harvesting account credentials and taking control of the victims' Microsoft Azure cloud infrastructure.

The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.

"The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.


The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document. The link redirects users to malicious HubSpot Free Form Builder pages, from where they are led to a fake Office 365 Outlook Web App login page designed to steal their credentials.

Unit 42 said it identified at least 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant share of those domains were hosted on the ".buzz" top-level domain (TLD).

"The phishing campaign was hosted across various services, including Bulletproof VPS host," the company said. "[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation."

Upon gaining access to an account, the threat actor behind the campaign has been found to add a new device under their control to the account in order to establish persistence.

"Threat actors directed the phishing campaign to target the victim's Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim's endpoint computer," Unit 42 said. "They then followed this activity with lateral movement operations to the cloud."

The development comes as attackers have been observed impersonating SharePoint in phishing emails designed to deliver an information stealer malware family called XLoader (a successor to Formbook).


Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing the brands of email security providers such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.

Those that exploit the trust associated with Google services involve sending emails with a calendar (.ICS) file attached that contains a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, typically disguised as a reCAPTCHA or support button. Once this second link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.

Users are advised to enable the "known senders" setting in Google Calendar to protect against this type of phishing attack.
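As an added, defender-side example that is not part of the original article or of Unit 42's report, the script below triages the URLs in a constructed email body and a constructed .ICS invite against the indicators described above: HubSpot Free Form links used as redirectors, landing domains on the ".buzz" TLD, Docusign lure wording, and Google Forms or Drawings links carried inside calendar files. The hsforms.com host and the docs.google.com path prefixes are assumptions about how those services publish links, not values taken from the article.

```python
import re
from urllib.parse import urlparse

# Indicators from the article: HubSpot Free Form Builder redirect links,
# ".buzz" landing domains, Docusign lure text, and Google Forms/Drawings
# links inside .ICS invites. ASSUMPTION: hsforms.com and the docs.google.com
# path prefixes are how those services publish links; the article names
# only the services, not these hosts or paths.
HUBSPOT_FORM_HOST = "hsforms.com"
GOOGLE_LURE_PATHS = ("/forms/", "/drawings/")
SUSPECT_TLDS = ("buzz",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def classify_url(url):
    """Return the indicator names that apply to a single URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host == HUBSPOT_FORM_HOST or host.endswith("." + HUBSPOT_FORM_HOST):
        hits.append("hubspot-free-form")
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        hits.append("buzz-tld")
    if host == "docs.google.com" and parts.path.startswith(GOOGLE_LURE_PATHS):
        hits.append("google-forms-or-drawings")
    return hits

def unfold_ics(text):
    """Join RFC 5545 folded lines (continuations start with a space or tab)
    so a URL split across lines inside DESCRIPTION is seen whole."""
    return re.sub(r"\r?\n[ \t]", "", text)

def triage_message(body):
    """Map each flagged URL in an email or .ICS body to its indicators."""
    if body.lstrip().startswith("BEGIN:VCALENDAR"):
        body = unfold_ics(body)
    findings = {u: classify_url(u) for u in URL_RE.findall(body)}
    findings = {u: h for u, h in findings.items() if h}
    if "docusign" in body.lower():  # lure wording only matters next to a link
        for hits in findings.values():
            hits.append("docusign-lure-text")
    return findings

# Constructed sample inputs, not material from the article.
SAMPLE_EMAIL = ("Docusign: you have a document to review.\n"
                "Open it here: https://share.hsforms.com/EXAMPLE-form-id\n")
SAMPLE_ICS = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
              "DESCRIPTION:Support: https://docs.google.com/forms/d/e/EXAMPLE\r\n"
              " -id/viewform\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
```

Feeding a real mailbox export through `triage_message` would flag the redirect-style links for analyst review; the .ICS unfolding step matters because a link folded across lines otherwise escapes a naive URL regex.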
