The new HubSpot phishing campaign currently targets multiple industries in the UK and Germany.
According to reports, the operation abuses HubSpot to harvest Microsoft Azure account credentials from the automotive, chemical, and industrial manufacturing industries in those countries.
The researchers revealed that the attackers employ HubSpot Free Form Builder links and PDFs that look like DocuSign documents to redirect users to credential-harvesting pages. Moreover, the threat actors allegedly target about 20,000 people across multiple European companies.
The HubSpot phishing campaign is for credential harvesting.
Initial investigation indicates that the new HubSpot phishing campaign is focused on harvesting information, especially account credentials, since the abused service is a legitimate customer relationship management (CRM) platform used for a variety of business operations.
In addition, the platform's Form Builder tool lets its users create custom online forms to collect information from website visitors. The threat actors used HubSpot Form Builder to generate at least seventeen fake forms designed to trick victims into supplying sensitive credentials.
Although the HubSpot infrastructure was not compromised, the phishing operators used it as an intermediary step to redirect victims to attacker-controlled sites on ‘.buzz’ domains, which resemble the Azure login pages and Microsoft Outlook Web App.
The attacks also included web pages that impersonated DocuSign’s document management system, French notary offices, and organisation-specific login portals.
Because the emails contain links to actual services like HubSpot, email security tools do not flag them, allowing the threat actors to reach their intended recipients.
Still, the phishing emails linked with this campaign failed the DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) tests.
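The combination described above, links to a legitimate service such as HubSpot in a message whose sender fails SPF, DKIM and DMARC, is something a mail gateway can score directly. The following triage script is an added example, not code from the original article or from any researcher cited in it; the sample message, the HubSpot form hostnames and the scoring weights are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real capture): the link points at a legitimate
# HubSpot form host, but every sender-authentication check has failed.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=notify@docusign-share.example;
 dkim=fail header.d=docusign-share.example;
 dmarc=fail header.from=docusign-share.example
From: "DocuSign" <notify@docusign-share.example>
To: finance@victim.example
Subject: Document ready for signature
Content-Type: text/plain

Please review and sign: https://share.hsforms.com/1abcdEFGH
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LEGIT_REDIRECTORS = ("hsforms.com", "hubspot.com")  # assumed HubSpot form hosts
SUSPECT_TLDS = (".buzz",)  # attacker-controlled TLD reported for this campaign

def auth_results(msg):
    """Map each mechanism to its verdict, e.g. {'spf': 'fail', 'dkim': 'fail'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT.findall(hdr):
            results[mech.lower()] = verdict.lower()
    return results

def link_hosts(msg):
    """Hostnames of every URL found in a single-part text body."""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]

def triage(raw_message):
    """Score a message on auth failures plus redirector or .buzz links."""
    msg = message_from_string(raw_message)
    failed = [m for m, v in auth_results(msg).items() if v == "fail"]
    hosts = link_hosts(msg)
    via_legit = any(h.endswith(LEGIT_REDIRECTORS) for h in hosts)
    suspect = any(h.endswith(SUSPECT_TLDS) for h in hosts)
    # A legitimate-service link only counts when the sender also fails auth.
    score = len(failed) + (2 if via_legit and failed else 0) + (3 if suspect else 0)
    return {"failed": failed, "hosts": hosts, "score": score,
            "verdict": "quarantine" if score >= 4 else "deliver"}
```

Run `triage(SAMPLE_EMAIL)` to see the constructed message scored; the same message with `=pass` verdicts is delivered, since a HubSpot link alone is not a signal.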
In the successful intrusions the researchers observed, the threat actors used VPNs so that their logins appeared to originate from the targeted organisation's country.
Researchers also identified a distinctive Autonomous System Number (ASN) and specific, uncommon user-agent strings used in the campaign, both of which can serve as indicators for detecting the activity.
This newly discovered activity is another instance of attackers abusing legitimate services; most of the servers that formed the backbone of the phishing campaign have since gone offline.
This discovery shows that threat actors constantly look for new methods to bypass security measures and execute malicious activities.
