HubSpot Tools Abused for Credential Theft
Cybersecurity researchers have uncovered a sophisticated phishing campaign, dubbed HubPhish by Palo Alto Networks Unit 42, that has targeted European companies. The goal? To steal account credentials and compromise victims' Microsoft Azure cloud infrastructure.
This campaign exploits HubSpot’s tools and has impacted over 20,000 users across automotive, chemical, and industrial manufacturing sectors in Europe.
"The phishing attempts peaked in June 2024, leveraging fake forms built using HubSpot’s Free Form Builder service,"
How the Attack Works
The campaign involves phishing emails designed to resemble DocuSign notifications, urging recipients to view a document. Clicking the link redirects users to malicious HubSpot Free Form Builder pages, ultimately leading to a counterfeit Office 365 Outlook login page aimed at harvesting credentials.
Unit 42 identified at least 17 active Free Forms used in the campaign, each redirecting victims to domains controlled by the threat actors. Many of these domains were hosted on the ".buzz" top-level domain (TLD).
Additionally, the threat actors deployed their infrastructure on bulletproof VPS hosting services and used the same hosting to access compromised Microsoft Azure accounts during the account-takeover phase.
Upon successfully breaching an account, the attackers added new devices under their control to maintain persistent access.
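The lure chain described above (DocuSign-themed subject, a HubSpot shared form as the first hop, a redirect landing on a .buzz domain) can be scored by a mail gateway that follows rewritten links. The example below is added here and is not code from Unit 42 or HubSpot; the HubSpot form hostnames, the lure keywords and the sample messages are assumptions constructed for illustration, not indicators from the report.

```python
from urllib.parse import urlparse

# Assumptions for this example (not indicators from the Unit 42 report):
# hostnames HubSpot uses for shared forms, the TLD the campaign favoured,
# and subject-line keywords typical of a DocuSign-themed lure.
HUBSPOT_FORM_HOSTS = {"share.hsforms.com", "hsforms.com"}
SUSPECT_TLDS = {"buzz"}
LURE_KEYWORDS = ("docusign", "review document", "completed document")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_hubspot_form(url: str) -> bool:
    """True when the URL points at a HubSpot shared-form host (assumed list)."""
    host = host_of(url)
    return host in HUBSPOT_FORM_HOSTS or host.endswith(".hsforms.com")


def lands_on_suspect_tld(chain: list[str]) -> bool:
    """True when the final hop of a followed redirect chain sits on a suspect TLD."""
    if not chain:
        return False
    return host_of(chain[-1]).rsplit(".", 1)[-1] in SUSPECT_TLDS


def score_message(subject: str, chain: list[str]) -> tuple[int, list[str]]:
    """Score one message: each trait of the lure chain adds a point.

    A HubSpot form link alone is ordinary marketing traffic and a DocuSign
    subject alone is ordinary business mail; the campaign shape is the
    combination, so a single signal should not quarantine on its own.
    """
    reasons = []
    if any(k in subject.lower() for k in LURE_KEYWORDS):
        reasons.append("docusign-themed subject")
    if chain and is_hubspot_form(chain[0]):
        reasons.append("first hop is a HubSpot shared form")
    if lands_on_suspect_tld(chain):
        reasons.append("redirect chain ends on a .buzz domain")
    return len(reasons), reasons


def verdict(score: int) -> str:
    """Quarantine only when at least two traits of the chain line up."""
    return "quarantine" if score >= 2 else "allow"


# Constructed sample messages; 'chain' is the redirect chain the gateway followed.
SAMPLE_MESSAGES = [
    {"subject": "DocuSign: Please review the completed document",
     "chain": ["https://share.hsforms.com/constructed-form-id",
               "https://login-portal.constructed.buzz/office365/"]},
    {"subject": "Your monthly newsletter",
     "chain": ["https://share.hsforms.com/newsletter-signup"]},
    {"subject": "DocuSign: Contract ready",
     "chain": ["https://docusign.example.com/sign/123"]},
]


def triage(messages: list[dict]) -> list[tuple[str, int, str]]:
    """Return (subject, score, verdict) for every message."""
    return [(m["subject"], score_message(m["subject"], m["chain"])[0],
             verdict(score_message(m["subject"], m["chain"])[0])) for m in messages]
```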
Targeting Microsoft Azure Infrastructure
According to Unit 42, the attackers executed the phishing campaign with a clear objective: targeting Microsoft Azure cloud environments via credential theft. After stealing the credentials, they conducted lateral movement across the cloud infrastructure to deepen the compromise.
Broader Trends in Phishing Attacks
This development comes amid an uptick in phishing attacks adopting innovative methods to bypass email security defenses. Recent tactics include exploiting trusted services like Google Calendar and Google Drawings, as well as impersonating email security brands like Proofpoint, Barracuda Networks, Mimecast, and Virtru.
For example, phishing campaigns abusing Google services send emails containing calendar (.ICS) files with links to Google Forms or Drawings. Clicking these links directs victims to fake pages, often disguised as reCAPTCHA or support buttons, where financial scams are executed.
Defensive Measures
To counter such threats, users are advised to:
- Enable “Known Senders” in Google Calendar: This setting can block phishing attempts leveraging calendar invites.
- Stay vigilant for suspicious emails: Even legitimate-looking forms or links may redirect to malicious pages.
- Implement advanced email security solutions: These tools can help detect and block phishing attempts before they reach users.
Phishing attacks continue to evolve, underscoring the need for robust cybersecurity measures and user awareness. The HubPhish campaign serves as a reminder that even trusted platforms like HubSpot can be exploited by cybercriminals.