Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts

Hook on Keyboard.

  • Unit 42 says phishing campaign targeted automotive, chemical, and industrial compound manufacturing industries
  • More than 20,000 victims were successfully targeted
  • The campaign has been disrupted, but users should still be on their guard

Hackers of potentially Russian or Ukrainian origin have been targeting UK and EU organizations in the automotive, chemical, and industrial compound manufacturing industries with advanced phishing threats, experts have warned.

A report from Unit 42, Palo Alto Networks’ cybersecurity arm, claims to have observed a campaign that started in June 2024, and was still active as of September. The goal of the campaign was to grab people’s Microsoft Azure cloud accounts, and steal any sensitive information found there.

The crooks would either send a Docusign-enabled PDF file, or an embedded HTML link, which would redirect the victims to a HubSpot Free Form Builder link. That link would usually invite the reader to “View Document on Microsoft Secured Cloud,” where the victims would be asked to provide their Microsoft Azure login credentials.

Bulletproof hosting

The majority of the victims are located in Europe (mostly Germany), and the UK. Roughly 20,000 users were “successfully targeted”, the researchers said, adding that at least in a few cases, the victims provided the attackers with login credentials: "We verified that the phishing campaign did make several attempts to connect to the victims' Microsoft Azure cloud infrastructure," the researchers said in their writeup.

Besides using custom phishing lures, with organization-specific branding and email formats, the crooks also went for targeted redirections using URLs designed to look like the victim organization’s domain. Furthermore, the miscreants used bulletproof VPS hosts, and reused their phishing infrastructure for multiple operations. Most of the phishing pages were hosted on .buzz domains.

At press time, most of the attack infrastructure was pulled offline - Unit 42 said it worked together with HubSpot to address the abuse of the platform, and engaged with compromised organizations to provide recovery resources. Since most phishing servers are now offline, the researchers said the disruption efforts were effective.

Via The Register

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.