Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
Crooks are targeting automotive, chemical, and other industries, in the UK and Europe
- Unit 42 says phishing campaign targeted automotive, chemical, and industrial compound manufacturing industries
- More than 20,000 victims were successfully targeted
- The campaign has been disrupted, but users should still be on their guard
Hackers of potentially Russian or Ukrainian origin have been targeting UK and EU organizations in the automotive, chemical, and industrial compound manufacturing industries with advanced phishing threats, experts have warned.
A report from Unit 42, Palo Alto Networks’ cybersecurity arm, claims to have observed a campaign that started in June 2024, and was still active as of September. The goal of the campaign was to grab people’s Microsoft Azure cloud accounts, and steal any sensitive information found there.
The crooks would either send a Docusign-enabled PDF file, or an embedded HTML link, which would redirect the victims to a HubSpot Free Form Builder link. That link would usually invite the reader to “View Document on Microsoft Secured Cloud,” where the victims would be asked to provide their Microsoft Azure login credentials.
Bulletproof hosting
The majority of the victims are located in Europe (mostly Germany), and the UK. Roughly 20,000 users were “successfully targeted”, the researchers said, adding that at least in a few cases, the victims provided the attackers with login credentials: "We verified that the phishing campaign did make several attempts to connect to the victims' Microsoft Azure cloud infrastructure," the researchers said in their writeup.
Besides using custom phishing lures, with organization-specific branding and email formats, the crooks also went for targeted redirections using URLs designed to look like the victim organization’s domain. Furthermore, the miscreants used bulletproof VPS hosts, and reused their phishing infrastructure for multiple operations. Most of the phishing pages were hosted on .buzz domains.
At press time, most of the attack infrastructure was pulled offline - Unit 42 said it worked together with HubSpot to address the abuse of the platform, and engaged with compromised organizations to provide recovery resources. Since most phishing servers are now offline, the researchers said the disruption efforts were effective.
Via The Register
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
You might also like
- Popular astrology app leak exposes data on millions of users — find out if you're affected
- Here's a list of the best antivirus
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.