Javier Conejo del Cerro

Azure lure, credential crooks




A recent phishing campaign shows how cybercriminals keep adapting by abusing legitimate platforms to slip past security tools and deceive their victims. In this case, the attackers used HubSpot's Free Form Builder to target Microsoft Azure accounts, focusing on automotive, chemical, and industrial manufacturing companies in Germany and the UK. By routing their lures through a trusted service, they targeted roughly 20,000 accounts, a serious risk for organizations across these industries.


The Anatomy of the Attack


The campaign, which began in June 2024 and persisted until at least September, illustrates a dangerous trend: the abuse of legitimate platforms to host malicious content. HubSpot, a widely used customer relationship management (CRM) platform, became the attackers' tool of choice. Specifically, its Form Builder feature, designed to create custom online forms for collecting information, was used to host fake forms.


Victims were lured in by phishing emails posing as DocuSign notifications. The emails carried links to PDFs or embedded HTML that directed recipients to the deceptive HubSpot forms, and from there to credential-harvesting pages hosted on attacker-controlled domains. Those pages mimicked the Microsoft Azure and Outlook sign-in portals, so victims had little reason to suspect fraud.


The Role of HubSpot


HubSpot itself was not compromised. The attackers simply used its infrastructure to lend legitimacy to their campaign: because the emails linked to a trusted platform, many security tools did not flag them as malicious. This points to a broader challenge: reputation-based filtering treats an entire platform as safe, so any content the platform lets users host inherits that trust.

Seventeen deceptive forms were identified during the campaign, each built to extract login credentials. The credential-harvesting pages sat on attacker-registered domains under the .buzz top-level domain and were styled to resemble the legitimate Microsoft sign-in pages, which helped them evade detection and raised the odds that victims would interact.


Post-Compromise Activity


Once the attackers had access to a victim's Microsoft Azure account, they worked to keep it. One notable tactic was connecting through VPN exit points in the victim's country, so that their sign-ins appeared to come from the same region as the organization and blended in with normal location patterns.

In some cases this produced a "tug-of-war", with the attackers and the organization's IT team fighting for control of the same account. Each time administrators reset the password to regain access, the attackers would trigger a password reset of their own, drawing the struggle out.

The campaign was also tied to a previously unseen Autonomous System Number (ASN), which researchers from Palo Alto Networks' Unit 42 identified as a distinctive marker of this activity. Together with unusual user-agent strings, that detail can help spot related activity in the future.
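The indicators above (a watchlisted ASN, odd user-agent strings, and repeated password resets by competing actors) can be turned into simple triage rules over exported sign-in and audit logs. The script below is an added example and is not Unit 42's, HubSpot's, or the author's code. Every record in it is constructed, the field names are a simplified subset of what Entra ID exports, and the ASN 64500 is a placeholder from the RFC 5398 documentation range, not the ASN the researchers reported; substitute your tenant's real logs and the ASN from the threat intelligence you trust.

```python
"""Toy sign-in-log triage for the indicators described above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (simplified subset of Entra ID sign-in log fields).
SIGNINS = [
    {"ts": "2024-08-01T08:02:11Z", "user": "a.schmidt@example.de", "ip": "203.0.113.7",
     "asn": 3320, "country": "DE", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/127.0"},
    {"ts": "2024-08-01T08:40:03Z", "user": "a.schmidt@example.de", "ip": "198.51.100.22",
     "asn": 64500, "country": "DE", "ua": "python-requests/2.31"},   # VPN exit in DE, odd UA
    {"ts": "2024-08-01T09:10:45Z", "user": "b.mueller@example.de", "ip": "203.0.113.9",
     "asn": 3320, "country": "DE", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/127.0"},
]

# Constructed audit events: admin and attacker alternately resetting one password.
AUDITS = [
    {"ts": "2024-08-01T09:00:00Z", "user": "a.schmidt@example.de", "actor": "it-admin@example.de",
     "ip": "203.0.113.5", "action": "Reset user password"},
    {"ts": "2024-08-01T09:12:00Z", "user": "a.schmidt@example.de", "actor": "a.schmidt@example.de",
     "ip": "198.51.100.22", "action": "Reset user password"},
    {"ts": "2024-08-01T09:25:00Z", "user": "a.schmidt@example.de", "actor": "it-admin@example.de",
     "ip": "203.0.113.5", "action": "Reset user password"},
    {"ts": "2024-08-01T09:31:00Z", "user": "a.schmidt@example.de", "actor": "a.schmidt@example.de",
     "ip": "198.51.100.22", "action": "Reset user password"},
]

WATCHLIST_ASNS = {64500}   # placeholder ASN (RFC 5398 documentation range), not the real indicator
BROWSER_MARKERS = ("Mozilla/", "Outlook", "Microsoft Office")  # crude allow-list of expected clients
RESET_WINDOW = timedelta(hours=1)
RESET_THRESHOLD = 3


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_signins(signins):
    """Return (user, reason) tuples for sign-ins matching the infrastructure indicators."""
    findings = []
    for rec in signins:
        if rec["asn"] in WATCHLIST_ASNS:
            findings.append((rec["user"], f"watchlisted ASN {rec['asn']}"))
        if not rec["ua"].startswith(BROWSER_MARKERS):
            findings.append((rec["user"], f"non-browser user agent {rec['ua']!r}"))
    return findings


def flag_reset_tugofwar(audits, window=RESET_WINDOW, threshold=RESET_THRESHOLD):
    """Map user -> reset count for accounts whose password was reset at least
    `threshold` times inside `window` by more than one actor: the tug-of-war pattern."""
    by_user = defaultdict(list)
    for ev in audits:
        if ev["action"] == "Reset user password":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i in range(len(evs)):
            start = parse_ts(evs[i]["ts"])
            run = [e for e in evs[i:] if parse_ts(e["ts"]) - start <= window]
            if len(run) >= threshold and len({e["actor"] for e in run}) > 1:
                flagged[user] = len(run)
                break
    return flagged


if __name__ == "__main__":
    for user, reason in flag_signins(SIGNINS):
        print(f"SIGN-IN  {user}: {reason}")
    for user, n in flag_reset_tugofwar(AUDITS).items():
        print(f"AUDIT    {user}: {n} password resets by competing actors within 1h")
```

The geographic check is deliberately absent: the post's point is that VPN exits in the victim's country defeat a country-based rule, so the ASN and client fingerprint carry more signal than the country code.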


Implications for Organizations


The scale and sophistication of this campaign highlight the growing threat of legitimate-service abuse. By routing through HubSpot, the attackers got past traditional email security tools and reached their targets. For the automotive, chemical, and industrial manufacturing sectors the stakes are high: a compromised Azure account can expose sensitive corporate data, intellectual property, and critical cloud resources.

Because trusted services like HubSpot are involved, even organizations with robust security controls remain exposed. That argues for a layered approach that combines technical defenses with user education and vigilance.


Measures to Fend Off Such Attacks


Organizations can implement the following measures to defend against similar threats:


• Strengthen Email Security Protocols: Publish and enforce SPF, DKIM, and DMARC for your own domains, and evaluate them on inbound mail, to cut down on spoofed senders. Note the limit: these standards stop mail that forges a protected domain, not mail sent from a domain the attacker registers or from a platform's own sending infrastructure.


• Train Employees: Regularly educate staff to recognize phishing, including lures that link through trusted platforms like HubSpot; a familiar domain in a link is not proof that the final destination is safe.


• Enable Multi-Factor Authentication (MFA): Require MFA for all sensitive accounts, preferring phishing-resistant methods such as FIDO2 security keys or passkeys, so that a harvested password alone does not grant access.


• Monitor for Unusual Activity: Watch sign-in patterns such as unexpected IP locations, previously unseen ASNs or VPN and hosting providers, non-browser user-agent strings, and bursts of password resets on a single account.


• Audit Third-Party Platforms: Regularly review the third-party services such as HubSpot that your organization relies on, and check whether your mail and web filters allow-list those platforms' domains wholesale; a platform's good reputation should not exempt user-generated content hosted on it from inspection.


• Deploy Anti-Phishing Tools: Use tools that follow a link to its final destination and inspect the landing page, so they can catch phishing even when the first hop is a legitimate platform.


• Encourage Reporting: Foster a culture where employees feel comfortable reporting suspicious emails or activity without fear of repercussions.
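To make the first measure concrete, the script below grades a domain's SPF and DMARC TXT records for the permissive settings that leave spoofing unchecked, placing a monitoring-only configuration beside an enforcing one. It is an added example, not code from the original post or from any vendor. The records for example.com are constructed; in practice you would fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is not graded here because selector names cannot be enumerated from DNS without knowing them.

```python
"""Grade SPF and DMARC records for weak settings (added example, constructed records)."""


def parse_spf(record):
    """Return the qualifier of the terminal 'all' mechanism ('+', '-', '~', '?'),
    or None when the record is not SPF or has no 'all' term."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None


def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records are enforcing."""
    findings = []

    qualifier = parse_spf(spf_record)
    if qualifier is None:
        findings.append("SPF: no v=spf1 record or no terminal 'all' mechanism")
    elif qualifier in "+?":
        findings.append(f"SPF: '{qualifier}all' lets any sender pass")
    elif qualifier == "~":
        findings.append("SPF: '~all' is softfail only; use '-all' once all senders are listed")

    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing or malformed record")
    else:
        policy = tags.get("p", "none")
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        pct = int(tags.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are lost")
    return findings


# Constructed records: a monitoring-only setup beside an enforcing one.
WEAK = ("v=spf1 include:_spf.example.net ~all",
        "v=DMARC1; p=none")
STRONG = ("v=spf1 include:_spf.example.net -all",
          "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(label, grade(spf, dmarc) or ["OK"])
```

Even a fully enforcing pair only protects the domains you publish it for; in the campaign described above the lure mail pointed at a genuine HubSpot-hosted form, so sender authentication is a necessary layer, not a sufficient one.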




