A threat actor is abusing HubSpot’s Free Form Builder service to craft credential-harvesting phishing pages, according to Palo Alto Networks’ Unit 42.
The campaign has targeted at least 20,000 users at European companies in the automotive, chemical, and industrial compound manufacturing sectors. The attacks are designed to steal credentials in order to compromise victims’ Microsoft Azure cloud services.
“The phishing emails contained either an attached Docusign-enabled PDF file or an embedded HTML link directing victims to malicious HubSpot Free Form Builder links embedded within phishing emails,” Unit 42 explains.
“HubSpot is a cloud-based customer relationship management (CRM), marketing, sales, and content management system (CMS) operation platform. Working with HubSpot security teams, we determined that HubSpot was not compromised during this phishing campaign, nor were the Free Form Builder links delivered to target victims via HubSpot infrastructure.”
The attackers targeted companies in France, Germany, and the UK, and successfully compromised multiple victims. The threat actors used VPNs and virtual private services (VPSs) to appear as though they were located in the same countries as the targeted organizations.
“The phishing campaign was hosted across various services, including Bulletproof VPS hosts,” the researchers note. “This is a hosting service known for providing a high degree of anonymity, lax enforcement of legal regulations, and resistance to being shut down. They are often associated with malicious operations, including phishing operations.
One of the more interesting findings for us was the infrastructure clusters we analyzed, from the compromised and targeted users we identified. By analyzing telemetry collected from the victims, we found that the threat actor used the same hosting infrastructure for multiple targeted phishing operations. They also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Unit 42 has the story.
Here's how it works:
