Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
- Unit 42 says the phishing campaign targeted the automotive, chemical and industrial compound industries
- More than 20,000 victims were successfully attacked
- The campaign has been disrupted, but users should still be wary
Hackers of possible Russian or Ukrainian origin have targeted UK and EU organizations in the automotive, chemical and industrial compound industries with sophisticated phishing threats, experts have warned.
Unit 42, the cybersecurity arm of Palo Alto Networks, says in a report that it observed a campaign that began in June 2024 and was still active as of September. The goal of the campaign was to get hold of people’s Microsoft Azure cloud accounts and steal any sensitive information found there.
The scammers sent either a Docusign-enabled PDF file or an embedded HTML link, which would redirect victims to a HubSpot Free Form Builder link. That link typically invited the reader to “View Document on Microsoft Secured Cloud,” where victims were asked to provide their Microsoft Azure credentials.
Bulletproof hosting
The majority of victims are in Europe (mainly Germany) and Great Britain. About 20,000 users were “successfully attacked,” the researchers said, adding that in at least a few cases the victims provided the attackers with login credentials: “We verified that the phishing campaign made several attempts to connect to the victims’ Microsoft Azure cloud infrastructure,” they wrote in their article.
In addition to using customized phishing lures, with organization-specific branding and email formats, the crooks also went for targeted redirects using URLs designed to resemble the victim organization’s domain. Furthermore, the miscreants used bulletproof VPS hosts and reused their phishing infrastructure for multiple operations. Most phishing pages were hosted on .buzz domains.
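For defenders, the two traits described above (phishing pages on .buzz domains and hostnames built to resemble the victim's own domain) can be checked in URLs pulled from mail or proxy logs. The sketch below is an added example, not code from Unit 42 or the article; the organization domain, the edit-distance threshold and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (not from the report): the organization's own domain and the
# 2-edit similarity threshold. The .buzz TLD is the one named in the article.
ORG_DOMAIN = "acme-motors.example"
WATCHED_TLDS = {"buzz"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_reason(url: str, org_domain: str = ORG_DOMAIN):
    """Return why a URL's host imitates org_domain on a watched TLD, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] not in WATCHED_TLDS:
        return None
    brand = org_domain.lower().split(".")[0]
    squashed = brand.replace("-", "")  # compare with hyphens removed
    for label in labels[:-1]:
        plain = label.replace("-", "")
        if squashed in plain:
            return f"{host}: label '{label}' contains brand '{brand}'"
        if edit_distance(plain, squashed) <= 2:
            return f"{host}: label '{label}' is within 2 edits of '{brand}'"
    return None

SAMPLE_URLS = [  # constructed examples, not indicators from the report
    "https://acme-motors.example/login",
    "https://acmemotors.buzz/view",
    "https://docs.acme-m0tors.buzz/secure",
    "https://weather.buzz/today",
    "https://login.acme-motors.example.files.buzz/doc",
]

def scan(urls):
    """Return one finding string per URL that looks like an imitation."""
    return [r for r in map(lookalike_reason, urls) if r]

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print(finding)
```

A very short brand name will produce false positives at a 2-edit threshold, so the threshold should be tuned to the length of the organization's own name.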
At the time of writing, most of the attack infrastructure was taken offline. Unit 42 said it was working with HubSpot to address the misuse of the platform, and working with compromised organizations to provide remediation resources. With most phishing servers now offline, the researchers said the disruption efforts were effective.
Via The Register