Palo Alto Networks' Unit 42 researchers have uncovered a sophisticated phishing campaign that targets European companies, with a focus on industries in Germany and the UK. The campaign, which began in June 2024 and is currently ongoing, aims to harvest account credentials and compromise victims' Microsoft Azure cloud infrastructure.
The phishing attempts peaked in June 2024, leveraging fake forms created using the HubSpot Free Form Builder service. Telemetry data indicates that the threat actor successfully targeted approximately 20,000 users across various companies in the automotive, chemical, and industrial compound manufacturing sectors.
The phishing emails used DocuSign-themed lures to trick recipients into clicking malicious links. The emails urged victims to view a purported document and directed them to links created with the HubSpot Free Form Builder. From there, users were led to a fake Office 365 Outlook Web App login page, where their credentials were stolen.
The researchers said that neither HubSpot nor its Free Form Builder service was compromised during the campaign. The malicious links were not delivered via HubSpot’s customer platform infrastructure. Instead, the attackers exploited the service’s legitimate functionality to create convincing phishing pages.
Researchers identified at least 17 unique Free Forms used by the attackers to redirect victims to different domains under their control. A significant portion of these domains were hosted on the ".buzz" top-level domain (TLD).
Upon gaining access to an account, the attackers added a new device under their control to the victim’s account. This allowed them to establish persistence and maintain unauthorized access to the compromised infrastructure.
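The persistence step described above can be hunted for by correlating sign-ins with device registrations. The following Python sketch is an added example, not code from Unit 42 or Microsoft; the event schema, field names, sample records and the 60-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real log export).
EVENTS = [
    {"ts": "2024-06-10T08:00:00", "user": "a.meyer@example.com", "type": "sign_in", "ip": "198.51.100.7"},
    {"ts": "2024-06-10T09:15:00", "user": "a.meyer@example.com", "type": "sign_in", "ip": "203.0.113.50"},
    {"ts": "2024-06-10T09:22:00", "user": "a.meyer@example.com", "type": "device_add", "device": "DESKTOP-X9"},
    {"ts": "2024-06-10T08:30:00", "user": "b.jones@example.com", "type": "sign_in", "ip": "198.51.100.20"},
    {"ts": "2024-06-10T08:45:00", "user": "b.jones@example.com", "type": "device_add", "device": "PHONE-BJ2"},
    {"ts": "2024-06-10T07:00:00", "user": "c.roth@example.com", "type": "sign_in", "ip": "198.51.100.30"},
    {"ts": "2024-06-10T10:00:00", "user": "c.roth@example.com", "type": "sign_in", "ip": "203.0.113.77"},
    {"ts": "2024-06-10T10:05:00", "user": "c.roth@example.com", "type": "device_add", "device": "LAPTOP-CR1"},
]
# Devices already enrolled per user before the observed period (constructed baseline).
KNOWN_DEVICES = {
    "a.meyer@example.com": {"LAPTOP-AM1"},
    "c.roth@example.com": {"LAPTOP-CR1"},
}

def find_suspicious_device_adds(events, known_devices, window_minutes=60):
    """Return (user, device, ts) for each device_add of a device outside the
    user's baseline that follows, within the window, a sign-in from an IP
    address the user had not used earlier in the event stream."""
    window = timedelta(minutes=window_minutes)
    seen_ips = {}      # user -> IPs observed so far
    risky_login = {}   # user -> time of latest sign-in from a first-seen IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "sign_in":
            ips = seen_ips.setdefault(user, set())
            # The first IP seen for a user only sets the baseline; it is not flagged.
            if ips and ev["ip"] not in ips:
                risky_login[user] = ts
            ips.add(ev["ip"])
        elif ev["type"] == "device_add":
            if ev["device"] in known_devices.get(user, set()):
                continue  # re-registration of an already enrolled device
            last = risky_login.get(user)
            if last is not None and ts - last <= window:
                alerts.append((user, ev["device"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_adds(EVENTS, KNOWN_DEVICES):
        print("ALERT", *alert)
```

In practice the IP baseline would come from a longer history than a single day of events, and alerts would be reviewed alongside the account's other registered devices.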