Introduction
Phishing attacks continue to evolve, targeting high-profile platforms like Microsoft Azure. A recent campaign involving HubSpot has compromised around 20,000 accounts belonging to automotive, chemical, and industrial manufacturing companies across Germany and the UK. This blog post delves into the details of this phishing operation, exploring how attackers exploited HubSpot’s Form Builder to steal Microsoft Azure credentials and evade detection.
Understanding the Attack
The phishing campaign, which started in June 2024 and persisted until at least September 2024, was carried out by threat actors using HubSpot’s legitimate tools to launch credential-harvesting operations. HubSpot, a widely used customer relationship management (CRM) platform, provides services like marketing automation, sales, and customer analytics. However, attackers abused the Form Builder feature, which allows users to create customized online forms, to craft deceptive pages designed to collect sensitive credentials.
Phishing via HubSpot Form Builder
Researchers from Palo Alto Networks’ Unit 42 found that the attackers used at least 17 fake forms created with HubSpot’s Form Builder. The forms were built to mimic official Microsoft Azure and Outlook Web App login pages and redirected unsuspecting victims to malicious sites. Because the links pointed at HubSpot URLs, they looked legitimate, did not raise red flags, and got past many email security systems.
Use of DocuSign-Mimicking PDFs
To increase the credibility of their phishing attempts, attackers incorporated DocuSign-themed PDFs. These PDFs contained links to HubSpot forms, making it harder for recipients to detect the fraud. Once clicked, the links redirected users to attacker-controlled domains, where fake login pages were set up to harvest Microsoft Azure credentials.
Scale and Impact of the Campaign
Palo Alto Networks’ Unit 42 reported that the phishing campaign compromised approximately 20,000 Microsoft Azure accounts. The threat actors specifically targeted European-based companies in industries such as automotive, chemicals, and industrial manufacturing, indicating a clear focus on valuable corporate data. The campaign succeeded because the phishing emails often bypassed SPF, DKIM, and DMARC checks, ensuring they reached inboxes undetected.
Phishing Emails that Evade Detection
One of the key reasons this campaign was so effective is that the phishing emails looked legitimate: because they carried HubSpot links, they avoided typical email security filters. The emails did, however, fail crucial authentication protocols, which allowed security tools to identify their malicious intent after the fact. Once the emails had reached target inboxes, they often went unnoticed, giving the attackers the upper hand.
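The two traits the post describes for these emails, a failing Authentication-Results verdict and a lure link into a HubSpot-hosted form, are both visible at the mail gateway. The following triage script is an added example written for this post, not code from Unit 42 or HubSpot: it parses the Authentication-Results header, pulls link hosts out of the body, and quarantines a message when authentication fails and a HubSpot form link is present. The HubSpot form domain list, the DocuSign keyword check, and both sample messages are assumptions constructed for the example; EXAMPLE-FORM-ID is a placeholder, not a real form.

```python
import email
import re
from email import policy

# Assumed: domains on which HubSpot serves published forms (share.hsforms.com is the
# host used for shared form links). Treat the list as a tunable assumption.
HUBSPOT_FORM_DOMAINS = ("hsforms.com",)

# One result clause from an Authentication-Results header, e.g. "spf=fail" or "dmarc=pass".
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|permerror|temperror)\b", re.I
)
URL_HOST_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)


def parse_auth_results(header_value):
    """Map each mechanism in an Authentication-Results header to its result, lowercased."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RESULT_RE.finditer(str(header_value or ""))}


def extract_link_hosts(text):
    """Return the lowercased host part of every http(s) URL found in the text."""
    return [m.group(1).lower() for m in URL_HOST_RE.finditer(text)]


def is_hubspot_form_host(host):
    return any(host == d or host.endswith("." + d) for d in HUBSPOT_FORM_DOMAINS)


def triage_message(raw_message):
    """Score one raw RFC 5322 message against the traits described for this campaign."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # Anything other than an explicit pass (including a missing mechanism) counts as not passing.
    failed_auth = [mech for mech in ("spf", "dkim", "dmarc") if auth.get(mech) != "pass"]

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    subject = str(msg.get("Subject", ""))

    hubspot_links = [h for h in extract_link_hosts(body) if is_hubspot_form_host(h)]
    docusign_lure = re.search(r"docusign", subject + "\n" + body, re.I) is not None

    if failed_auth and hubspot_links:
        verdict = "quarantine"   # failed authentication plus a HubSpot form link: the campaign's signature
    elif failed_auth or hubspot_links or docusign_lure:
        verdict = "review"
    else:
        verdict = "allow"
    return {"failed_auth": failed_auth, "hubspot_links": hubspot_links,
            "docusign_lure": docusign_lure, "verdict": verdict}


# Constructed sample messages (not real campaign artefacts); EXAMPLE-FORM-ID is a placeholder.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=sender.invalid; dkim=none; dmarc=fail header.from=sender.invalid
From: "DocuSign Service" <noreply@sender.invalid>
To: user@example.com
Subject: Document ready for signature
Content-Type: text/plain; charset="utf-8"

Please review and sign the attached DocuSign document:
https://share.hsforms.com/EXAMPLE-FORM-ID
"""

SAMPLE_BENIGN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: colleague@example.com
To: user@example.com
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes are on the wiki: https://wiki.example.com/notes
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage_message(raw))
```

A missing mechanism is deliberately treated the same as a failure, because a gateway that only acts on explicit `fail` results lets `none` and `neutral` through; the "review" tier keeps a lone HubSpot link or DocuSign reference from being blocked outright, since both are common in legitimate mail.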
Post-Compromise Activity and Challenges
Once attackers gained access to compromised accounts, they employed VPNs to hide their real locations, making it appear as though they were operating from the victim’s country. This added a layer of difficulty for IT teams when trying to regain control of the accounts. In some instances, attackers would reset the account passwords immediately, creating a constant battle with IT administrators to reclaim access.
Unique ASN and User-Agent Strings
Unit 42 also identified a unique Autonomous System Number (ASN) associated with this campaign, which can help in future threat detection efforts. The use of uncommon user-agent strings further aided the attackers in bypassing security controls, making it harder to trace their activities.
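The post-compromise behaviour described above (VPN egress that matches the victim's country, a distinctive ASN, uncommon user-agent strings, and password resets soon after sign-in) suggests a sign-in triage that ignores geolocation and keys on ASN prevalence and user-agent rarity instead. The script below is an added example written for this post, not Unit 42 tooling or any vendor's detection rule. The event schema, the sample events, and all ASN values are constructed assumptions: the page does not publish the campaign ASN, so the watchlist uses a placeholder from the RFC 5398 documentation range that you would replace with the real value from your threat intel.

```python
import json
from datetime import datetime, timedelta

# Placeholder ASNs from the RFC 5398 documentation range (64496-64511): the post does not
# publish the campaign ASN, so substitute real values from your own intel and asset data.
KNOWN_ASNS = {64496, 64497}      # corporate egress / expected ISP ASNs (assumed)
WATCHLIST_ASNS = {64500}         # ASN attributed to the campaign (placeholder)

# Constructed sample sign-in and audit events, one JSON object per line. Field names are
# assumptions for this example, not any identity provider's real log schema. The "country"
# field is carried but never used: the post notes that VPN egress makes it match the victim.
SAMPLE_EVENTS = """\
{"ts": "2024-08-01T08:00:00Z", "type": "signin", "user": "a.mueller@example.de", "asn": 64496, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0", "country": "DE"}
{"ts": "2024-08-01T09:12:00Z", "type": "signin", "user": "a.mueller@example.de", "asn": 64500, "ua": "python-requests/2.31", "country": "DE"}
{"ts": "2024-08-01T09:15:00Z", "type": "password_reset", "user": "a.mueller@example.de", "asn": 64500, "ua": "python-requests/2.31", "country": "DE"}
{"ts": "2024-08-01T10:00:00Z", "type": "signin", "user": "b.smith@example.co.uk", "asn": 64497, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0", "country": "GB"}
"""


def load_events(text):
    """Parse JSON lines into dicts with a parsed 'dt' timestamp, sorted chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["dt"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["dt"])


def ua_user_counts(events):
    """Number of distinct users seen with each user-agent string (a prevalence baseline)."""
    users_by_ua = {}
    for e in events:
        users_by_ua.setdefault(e["ua"], set()).add(e["user"])
    return {ua: len(users) for ua, users in users_by_ua.items()}


def triage_signins(events, known_asns, watchlist_asns,
                   reset_window=timedelta(minutes=30), min_ua_users=2):
    """Flag sign-ins by ASN and user-agent rarity, escalating if a password reset follows."""
    ua_prevalence = ua_user_counts(events)
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "signin":
            continue
        reasons = []
        if e["asn"] in watchlist_asns:
            reasons.append("asn_on_watchlist")
        elif e["asn"] not in known_asns:
            reasons.append("asn_unknown")
        if ua_prevalence.get(e["ua"], 0) < min_ua_users:
            reasons.append("rare_user_agent")
        if not reasons:
            continue
        # A password reset on the same account shortly after a suspicious sign-in is the
        # lock-out behaviour the post describes; look ahead only within the window.
        for later in events[i + 1:]:
            if later["dt"] - e["dt"] > reset_window:
                break
            if later["user"] == e["user"] and later["type"] == "password_reset":
                reasons.append("password_reset_after_signin")
                break
        severity = "high" if "password_reset_after_signin" in reasons else "medium"
        alerts.append({"user": e["user"], "ts": e["ts"], "asn": e["asn"],
                       "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage_signins(load_events(SAMPLE_EVENTS), KNOWN_ASNS, WATCHLIST_ASNS):
        print(json.dumps(alert))
```

User-agent rarity is computed from the events themselves (how many distinct users share a string) rather than from a fixed list, so a new scripted client stands out even when it is not on any blocklist; in production the baseline would be built over a longer window than the four constructed events here.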
Conclusion
The HubSpot phishing campaign is a stark reminder of how attackers continuously exploit legitimate services to carry out credential theft. Despite the servers used for this attack being taken offline, the methods employed highlight the evolving nature of phishing threats. Organizations must remain vigilant, ensuring they deploy strong email security measures, authenticate domains, and educate employees on recognizing phishing attempts to safeguard their Microsoft Azure accounts from such campaigns.
