Full Report
A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover. (Source: Unit 42, "Effective Phishing Campaign Targeting European Companies and Organizations".)
Analysis Summary
# Incident Report: HubSpot Phishing Campaign Targeting European Companies
## Executive Summary
A targeted phishing campaign successfully compromised European organizations by leveraging HubSpot's Free Form Builder to create convincing fake login pages. This campaign resulted in the harvesting of credentials, leading to the takeover of associated Azure/M365 accounts and subsequent data access. The response involved identifying the malicious infrastructure and hardening authentication mechanisms.
## Incident Details
- **Discovery Date:** Not stated in the source (assumed to be shortly after the campaign began)
- **Incident Date:** Not stated in the source (during execution of the phishing campaign)
- **Affected Organization:** European companies/organizations
- **Sector:** General Business/Unspecified (Targeted across various sectors)
- **Geography:** Europe
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly detailed
- **Vector:** Phishing email
- **Details:** Attackers sent emails containing links to malicious landing pages disguised as legitimate forms, hosted using HubSpot's Free Form Builder functionality.
### Lateral Movement
- Not detailed in the source; given the M365/Azure account takeover, lateral movement would consist of accessing cloud resources with the stolen credentials (inferred).
### Data Exfiltration/Impact
- Successful credential harvesting leading to the compromise and takeover of Azure/M365 accounts.
### Detection & Response
- Detection likely occurred when compromised users or security teams noticed anomalous login activity or suspicious access attempts on Azure/M365 services.
- Response would involve standard steps for credential compromise, including resetting passwords and potentially multifactor authentication (MFA) enforcement.
## Attack Methodology
- **Initial Access:** Phishing via email.
- **Persistence:** Potentially established through access tokens or configuration changes within the compromised Azure environment post-takeover.
- **Privilege Escalation:** Not explicitly detailed, but a full account takeover implies sufficient access was gained.
- **Defense Evasion:** Utilizing a legitimate, trusted third-party service (HubSpot) to host the malicious content helped evade URL reputation checks.
- **Credential Access:** Harvesting credentials entered into the convincing fake forms.
- **Discovery:** Post-compromise reconnaissance within the cloud environment.
- **Lateral Movement:** Moving between cloud services authenticated via the compromised Azure/M365 accounts.
- **Collection:** Gathering sensitive data stored within the cloud environment.
- **Exfiltration:** Transfer of collected data outside the organizational boundary (Inferred).
- **Impact:** Unauthorized access and potential theft of data housed in cloud services.
## Impact Assessment
- **Financial:** Potential costs associated with incident response, remediation, and regulatory fines (Not specified).
- **Data Breach:** Compromise of user credentials, leading to potential exposure of any data accessible via the compromised Azure/M365 accounts.
- **Operational:** Disruption due to account takeovers and necessary remediation steps.
- **Reputational:** Damage related to the security failure and data exposure.
## Indicators of Compromise
- **Network indicators:** Malicious URLs linking to HubSpot-hosted forms. Defanged pattern: `hxxps://[subdomain].hubspotpagebuilder[.]com/form-name`, where the bracketed subdomain and the form name are attacker-chosen placeholders rather than fixed values.
- **File indicators:** N/A (Primarily identity-based attack).
- **Behavioral indicators:** Anomalous logins to Azure/M365 from unusual geographies or service access patterns corresponding to the compromised accounts.
## Response Actions
- **Containment measures:** Immediately disabling or forcing password resets for all compromised user accounts; blocking access from suspicious IPs associated with the initial login attempt.
- **Eradication steps:** Reviewing Azure/M365 access rules, audit logs, and any third-party applications granted access by the compromised accounts to remove backdoors.
- **Recovery actions:** Restoring normal operations after ensuring all attacker access vectors have been closed and MFA is enforced.
## Lessons Learned
- Relying solely on URL reputation checks is insufficient when attackers abuse trusted third-party domains (like HubSpot) for hosting payloads.
- The psychological effectiveness of using familiar branding and legitimate platforms for phishing landing pages remains high.
## Recommendations
- Implement strict **MFA** across all cloud access, especially for administrative or shared accounts.
- Conduct **Security Awareness Training** focused specifically on identifying phishing that utilizes legitimate third-party brand names or trusted services in the URL structure.
- Monitor for **newly created subdomains or pages** on trusted vendors (such as HubSpot or Microsoft SharePoint) that present login prompts, and watch for sudden shifts in their traffic or content that indicate misuse.
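The two detection ideas above (matching email links against the defanged HubSpot IoC pattern from the Indicators of Compromise section, and flagging successful Azure/M365 sign-ins from countries outside a user's baseline) can be combined into a small triage script. This is an added example, not code from Unit 42 or HubSpot; the link list, sign-in records and per-user country baseline are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Defanged IoC pattern quoted in the report; the bracketed parts are placeholders.
DEFANGED_IOC = "hxxps://[subdomain].hubspotpagebuilder[.]com/form-name"

def refang(defanged: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return defanged.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def ioc_domain(defanged: str) -> str:
    """Extract the registrable domain from a defanged URL pattern, dropping placeholders."""
    host = refang(defanged).split("://", 1)[-1].split("/", 1)[0]
    return re.sub(r"^\[[^\]]*\]\.", "", host).lower()   # strip "[subdomain]."

def is_suspicious_link(url: str, domain: str) -> bool:
    """True when the link's host is the IoC domain or a subdomain of it.

    Suffix matching on the full label avoids false positives such as
    'hubspotpagebuilder.com.evil.test', which merely embeds the string.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def flag_anomalous_signins(events, baseline):
    """Return (user, country) for successful sign-ins outside the user's usual countries.

    Failed attempts are ignored here; they belong in a separate brute-force rule.
    """
    flagged = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if ev["country"] not in baseline.get(ev["user"], set()):
            flagged.append((ev["user"], ev["country"]))
    return flagged

# Constructed sample data (not from the report).
LINKS = [
    "https://acme-login.hubspotpagebuilder.com/form-name",   # matches the IoC pattern
    "https://www.example.eu/docs",                           # benign
    "https://hubspotpagebuilder.com.evil.test/x",            # lookalike, must not match
]
SIGNINS = [
    {"user": "alice@example.eu", "country": "DE", "result": "success"},
    {"user": "alice@example.eu", "country": "NG", "result": "success"},  # outside baseline
    {"user": "bob@example.eu", "country": "FR", "result": "failure"},
    {"user": "bob@example.eu", "country": "FR", "result": "success"},
]
BASELINE = {"alice@example.eu": {"DE"}, "bob@example.eu": {"FR"}}

if __name__ == "__main__":
    dom = ioc_domain(DEFANGED_IOC)
    print("suspicious links:", [u for u in LINKS if is_suspicious_link(u, dom)])
    print("anomalous sign-ins:", flag_anomalous_signins(SIGNINS, BASELINE))
```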