Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
- Unit 42 says phishing campaign targeted automotive, chemical, and industrial compound manufacturing industries
- More than 20,000 victims were successfully targeted
- The campaign has been disrupted, but users should still be on their guard
Hackers of potentially Russian or Ukrainian origin have been targeting UK and EU organizations in the automotive, chemical, and industrial compound manufacturing industries with advanced phishing threats, experts have warned.
A report from Unit 42, Palo Alto Networks’ cybersecurity arm, claims to have observed a campaign that started in June 2024, and was still active as of September. The goal of the campaign was to grab people’s Microsoft Azure cloud accounts, and steal any sensitive information found there.
The crooks would either send a Docusign-enabled PDF file, or an embedded HTML link, which would redirect the victims to a HubSpot Free Form Builder link. That link would usually invite the reader to “View Document on Microsoft Secured Cloud,” where the victims would be asked to provide their Microsoft Azure login credentials.
Bulletproof hosting
The majority of the victims are located in Europe (mostly Germany), and the UK. Roughly 20,000 users were “successfully targeted”, the researchers said, adding that at least in a few cases, the victims provided the attackers with login credentials: “We verified that the phishing campaign did make several attempts to connect to the victims’ Microsoft Azure cloud infrastructure,” the researchers said in their writeup.
Besides using custom phishing lures, with organization-specific branding and email formats, the crooks also went for targeted redirections using URLs designed to look like the victim organization’s domain. Furthermore, the miscreants used bulletproof VPS hosts, and reused their phishing infrastructure for multiple operations. Most of the phishing pages were hosted on .buzz domains.
At press time, most of the attack infrastructure was pulled offline – Unit 42 said it worked together with HubSpot to address the abuse of the platform, and engaged with compromised organizations to provide recovery resources. Since most phishing servers are now offline, the researchers said the disruption efforts were effective.
Via The Register
You might also like
Unit 42 says phishing campaign targeted automotive, chemical, and industrial compound manufacturing industries More than 20,000 victims were successfully targeted The campaign has been disrupted, but users should still be on their guard Hackers of potentially Russian or Ukrainian origin have been targeting UK and EU organizations in the automotive,…
