
HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft


Dec 18, 2024 | Ravie Lakshmanan | Email Security / Cloud Security


Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims’ Microsoft Azure cloud infrastructure.

The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.

“The campaign’s phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service,” security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.


The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.

Unit 42 said it identified at least 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant chunk of those domains were hosted on the “.buzz” top-level domain (TLD).
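For defenders, the chain described above (Docusign-themed email, hosted form, hand-off to a ".buzz" domain, fake Outlook Web App login) can be scored as a sequence rather than as single indicators. The following is an added example, not code from Unit 42 or this article; the `hsforms.com` form host, the Microsoft allow-list, the login hints, the threshold and all sample URLs are assumptions or constructed values.

```python
from urllib.parse import urlsplit

# Assumptions for this example, not taken from the article:
FORM_HOST_SUFFIXES = ("hsforms.com",)   # assumed hosting domain for HubSpot forms
MS_LOGIN_DOMAINS = ("microsoftonline.com", "office.com", "office365.com")  # partial allow-list
LOGIN_HINTS = ("owa", "login", "logon")  # coarse hints of a login-styled URL
# Taken from the article:
LURE_WORDS = ("docusign",)
WATCHED_TLDS = ("buzz",)

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _on_domain(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def score_message(subject, redirect_chain):
    """Score one email plus the URL chain recorded when its link was followed in a sandbox."""
    reasons = []
    hosts = [_host(u) for u in redirect_chain]
    if any(w in subject.lower() for w in LURE_WORDS):
        reasons.append("docusign-themed subject")
    form_idx = next((i for i, h in enumerate(hosts)
                     if any(_on_domain(h, s) for s in FORM_HOST_SUFFIXES)), None)
    if form_idx is not None:
        reasons.append("link passes through a hosted form")
        # Only hops after the form count: the form is the redirector in this chain.
        if any(h.rsplit(".", 1)[-1] in WATCHED_TLDS for h in hosts[form_idx + 1:]):
            reasons.append("form hands off to a watched TLD")
    if redirect_chain:
        final_url, final_host = redirect_chain[-1].lower(), hosts[-1]
        off_ms = not any(_on_domain(final_host, d) for d in MS_LOGIN_DOMAINS)
        if off_ms and any(hint in final_url for hint in LOGIN_HINTS):
            reasons.append("login-styled page outside Microsoft domains")
    return len(reasons), reasons

def verdict(subject, redirect_chain, threshold=3):
    score, _ = score_message(subject, redirect_chain)
    return "alert" if score >= threshold else "ok"

# Constructed sample data: placeholder form IDs and a made-up .buzz domain.
PHISH = ("Docusign: please review your document",
         ["https://share.hsforms.com/CONSTRUCTED-FORM-ID",
          "https://mail.constructed-example.buzz/owa/auth/logon.aspx"])
BENIGN_FORM = ("Newsletter signup", ["https://share.hsforms.com/CONSTRUCTED-NEWSLETTER-FORM"])
REAL_LOGIN = ("Sign in to your account", ["https://login.microsoftonline.com/common/oauth2/authorize"])

if __name__ == "__main__":
    for subject, chain in (PHISH, BENIGN_FORM, REAL_LOGIN):
        print(verdict(subject, chain), score_message(subject, chain)[1])
```

A hosted form on its own scores low, so ordinary marketing forms do not alert; it is the combination of lure, form hop and off-domain login page that crosses the threshold.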

“The phishing campaign was hosted across various services, including Bulletproof VPS host,” the company said. “[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation.”

Upon gaining successful access to an account, the threat actor behind the campaign has been found to add a new device under their control to the account so as to establish persistence.

“Threat actors directed the phishing campaign to target the victim’s Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim’s endpoint computer,” Unit 42 said. “They then followed this activity with lateral movement operations to the cloud.”

The development comes as attackers have been spotted impersonating SharePoint in phishing emails that are designed to deliver an information stealer malware family called XLoader (a successor to Formbook).


Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.

Those that exploit the trust associated with Google services involve sending emails including a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, which is typically disguised as a reCAPTCHA or support button. Once this link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.

Users are advised to enable the “known senders” setting in Google Calendar to protect against this kind of phishing attack.



