Full Report
Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure. The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical,
Analysis Summary
# Incident Report: HubPhish Campaign Exploits HubSpot for Azure Credential Theft
## Executive Summary
A large-scale phishing campaign, codenamed HubPhish by Palo Alto Networks Unit 42, targeted at least 20,000 users in European automotive, chemical, and industrial manufacturing companies. Docusign-themed emails carried links created with the HubSpot Free Form Builder service, which redirected recipients to a fake Office 365 Outlook Web App login page. Credentials harvested there were used to take over the victims' accounts and, from there, their Microsoft Azure cloud infrastructure. Response activities involved identification of the malicious infrastructure and analysis of the account takeover techniques used.
## Incident Details
- Discovery Date: Not explicitly stated, but research/disclosure was reported around December 18, 2024.
- Incident Date: Phishing attempts peaked in June 2024.
- Affected Organization: Target organizations in Europe (Automotive, Chemical, Industrial Manufacturing). At least 20,000 users targeted.
- Sector: Manufacturing, Automotive, Chemical.
- Geography: Europe.
## Timeline of Events
### Initial Access
- Date/Time: Peaked June 2024.
- Vector: Phishing emails utilizing Docusign-themed lures.
- Details: Emails urged recipients to view a document; the links were created using the **HubSpot Free Form Builder** service and redirected to a credential-harvesting page impersonating the Office 365 Outlook Web App login.
### Lateral Movement
- Details: Using the stolen credentials, the threat actor moved from the compromised user account into the victim organization's **Microsoft Azure cloud infrastructure**.
### Data Exfiltration/Impact
- Details: The primary immediate impact was **credential harvesting** (specifically targeting Office 365 Outlook Web App logins). Successful credential theft allowed the attacker to access and take over the victim's **Microsoft Azure cloud infrastructure**.
### Detection & Response
- Details: Disclosed by Palo Alto Networks Unit 42 following research into the campaign. Response efforts focused on identifying the infrastructure used by the threat actor.
## Attack Methodology
- Initial Access: Phishing via Docusign lures leading to malicious links hosted on HubSpot Free Form Builder.
- Persistence: Threat actor **added a new device** under their control to the compromised account.
- Privilege Escalation: Not described. Account takeover gave the threat actor whatever privileges the victim already held in Microsoft 365 and Azure; the report does not describe escalation beyond that.
- Defense Evasion: Hosting the phishing links on a legitimate, widely used third-party service (HubSpot) gave them the service's domain reputation, making them harder for URL filters and recipients to reject.
- Credential Access: Harvesting credentials via a fake Office 365 Outlook Web App login page.
- Discovery: Not documented.
- Lateral Movement: Moving from the compromised user account into the associated **Microsoft Azure tenant**.
- Collection: Harvesting credentials intended for cloud access.
- Exfiltration: Not explicitly detailed, but access to Azure tenants implies potential data access/exfiltration capabilities.
- Impact: Account takeover and cloud infrastructure control.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Credentials for Office 365 and subsequent control over Microsoft Azure tenants.
- Operational: Potential disruption to cloud operations dependent on the compromised Azure tenants.
- Reputational: Potential reputational harm for organizations whose accounts or Azure tenants were taken over in a widely reported campaign.
## Indicators of Compromise
- Network Indicators: Malicious domains were used to host the phishing pages, with a significant number on the **.buzz TLD**. The phishing infrastructure was also linked to a **bulletproof VPS host**.
- File Indicators: Not specified beyond the lure document/redirection mechanism.
- Behavioral Indicators: Use of HubSpot Free Form Builder to host redirection links; addition of unauthorized devices to compromised accounts for persistence.
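The behavioral indicators above can be turned into a triage rule over URL-click or proxy telemetry: a redirect chain that enters through a HubSpot form link and ends on a credential-looking page hosted outside Microsoft's sign-in domains, with extra weight when the final host sits on the .buzz TLD. The following is an added example written for this report, not code from Unit 42 or HubSpot; the HubSpot form hosts, the login-page keywords and the sample click records are assumptions and constructed data, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Assumed HubSpot form-sharing hosts (not taken from the report; adjust to your telemetry).
HUBSPOT_FORM_HOSTS = {"share.hsforms.com", "forms.hubspot.com"}

# Legitimate Microsoft sign-in hosts; a credential page anywhere else is suspect.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}

SUSPECT_TLDS = {"buzz"}  # the report notes heavy use of the .buzz TLD
LOGIN_KEYWORDS = ("login", "signin", "owa", "office365", "o365", "auth")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def tld_of(host):
    # Naive last-label TLD extraction; enough for a TLD-level check like .buzz.
    return host.rsplit(".", 1)[-1] if "." in host else host


def looks_like_login_page(url):
    p = urlparse(url)
    haystack = (p.path + "?" + p.query).lower()
    return any(k in haystack for k in LOGIN_KEYWORDS)


def score_chain(chain):
    """Return the reasons a redirect chain resembles HubPhish-style abuse.

    chain: list of URLs in the order the user was redirected, first to last.
    """
    reasons = []
    if not chain:
        return reasons
    first, last = host_of(chain[0]), host_of(chain[-1])
    if first in HUBSPOT_FORM_HOSTS:
        reasons.append("entry via HubSpot form link")
    if tld_of(last) in SUSPECT_TLDS:
        reasons.append(f"final host on .{tld_of(last)} TLD")
    if looks_like_login_page(chain[-1]) and last not in MICROSOFT_LOGIN_HOSTS:
        reasons.append("credential-looking page on non-Microsoft host")
    return reasons


def is_suspicious(chain):
    # Alert only when a trusted-service entry point is chained into something else
    # suspicious; a HubSpot form link on its own is normal marketing traffic.
    reasons = score_chain(chain)
    return "entry via HubSpot form link" in reasons and len(reasons) >= 2


def triage(records):
    """Return the ids of click records whose redirect chain is suspicious."""
    return [rec["id"] for rec in records if is_suspicious(rec["chain"])]


# Constructed sample click records (not real telemetry or campaign indicators).
SAMPLE_CLICKS = [
    {"id": "c1", "chain": ["https://share.hsforms.com/example-form-id",
                           "https://docs-review.example.buzz/owa/login.php"]},
    {"id": "c2", "chain": ["https://share.hsforms.com/legit-newsletter",
                           "https://www.example.com/thanks"]},
    {"id": "c3", "chain": ["https://example.com/doc",
                           "https://login.microsoftonline.com/common/oauth2/authorize"]},
]

if __name__ == "__main__":
    for rec in SAMPLE_CLICKS:
        print(rec["id"], score_chain(rec["chain"]))
    print("flagged:", triage(SAMPLE_CLICKS))
```

Record c1 is flagged on all three counts; c2 is a benign HubSpot form landing on a thank-you page and is left alone; c3 ends on the real Microsoft sign-in host, so the `auth` keyword in its path does not count against it.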
## Response Actions
- Containment measures: Not described in the source; likely involved takedown requests to HubSpot and domain registrars for the abused infrastructure.
- Eradication steps: Not described in the source; for affected organizations this means resetting compromised credentials, revoking active sessions, and removing the unauthorized devices added to victim accounts.
- Recovery actions: Restoring control over compromised Microsoft Azure tenants and reviewing what the threat actor accessed while inside them.
## Lessons Learned
- Legitimate third-party tools (like HubSpot's Free Form Builder) can be effectively abused by threat actors as a mechanism for hosting phishing infrastructure, bypassing standard security filters focused on traditional web hosting.
- Attackers are increasingly chaining credential theft directly into cloud compromise (Azure takeover).
## Recommendations
- Implement strict multi-factor authentication (MFA) across all critical services, especially Office 365 and Azure access, to mitigate the impact of harvested credentials.
- Enhance email security monitoring to follow redirects from trusted third-party services (such as HubSpot forms) to their final destination, and flag chains that end on an external, unvetted login page.
- Regularly audit Entra ID (Azure AD) device registrations and other persistence mechanisms added to user or service accounts, and alert on registrations that follow sign-ins from unfamiliar locations.
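The persistence technique in this campaign, a device added to the compromised account, leaves a trace in the tenant's audit log. The following is an added example written for this report, not code from Unit 42 or Microsoft: it builds a per-user baseline of sign-in source IPs and then flags any device-registration event that comes from an address outside that baseline, with a second reason when a successful sign-in from the same unfamiliar address precedes the registration. The record shapes, the activity names and all sample data are assumptions and constructed values; confirm the field and activity names against your own Entra ID sign-in and audit log exports before relying on them.

```python
from datetime import datetime, timedelta

# Entra ID audit-log activity names that create or claim a device record.
# Assumed set: verify against the activityDisplayName values in your own tenant.
DEVICE_REGISTRATION_ACTIVITIES = {"Register device", "Add registered owner to device", "Add device"}
LOOKBACK = timedelta(hours=24)


def parse_ts(s):
    # Audit exports use ISO 8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_ip_baseline(signins, cutoff):
    """Per-user set of source IPs seen in successful sign-ins before `cutoff`."""
    baseline = {}
    for s in signins:
        if s["status"] == "success" and parse_ts(s["time"]) < cutoff:
            baseline.setdefault(s["user"], set()).add(s["ip"])
    return baseline


def suspicious_device_registrations(audit_events, signins, cutoff):
    """Return alerts for device registrations made from IPs outside the user's baseline."""
    baseline = build_ip_baseline(signins, cutoff)
    alerts = []
    for ev in audit_events:
        if ev["activityDisplayName"] not in DEVICE_REGISTRATION_ACTIVITIES:
            continue
        user, ip, when = ev["initiatedBy"], ev["ipAddress"], parse_ts(ev["time"])
        if ip in baseline.get(user, set()):
            continue  # registered from an address this user normally signs in from
        reasons = ["registration from IP outside user's sign-in baseline"]
        # A successful sign-in from that same unfamiliar IP shortly before the
        # registration is the pattern of a stolen-credential session adding a device.
        for s in signins:
            if (s["user"] == user and s["status"] == "success" and s["ip"] == ip
                    and timedelta(0) <= when - parse_ts(s["time"]) <= LOOKBACK):
                reasons.append("preceded by sign-in from the same unfamiliar IP")
                break
        alerts.append({"user": user, "device": ev["targetDevice"], "ip": ip, "reasons": reasons})
    return alerts


# Constructed sample records shaped like Entra ID sign-in and audit log exports (not real telemetry).
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-06-03T07:55:00Z", "status": "success"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-06-05T08:02:00Z", "status": "success"},
    {"user": "bob@example.com",   "ip": "203.0.113.20", "time": "2024-06-04T09:10:00Z", "status": "success"},
    # post-phish: alice's credentials used from an address never seen before
    {"user": "alice@example.com", "ip": "198.51.100.77", "time": "2024-06-12T08:00:00Z", "status": "success"},
    {"user": "bob@example.com",   "ip": "203.0.113.20", "time": "2024-06-12T09:00:00Z", "status": "success"},
]
AUDIT_EVENTS = [
    {"activityDisplayName": "Register device", "initiatedBy": "alice@example.com",
     "ipAddress": "198.51.100.77", "time": "2024-06-12T08:15:00Z", "targetDevice": "DESKTOP-UNKNOWN"},
    {"activityDisplayName": "Register device", "initiatedBy": "bob@example.com",
     "ipAddress": "203.0.113.20", "time": "2024-06-12T09:05:00Z", "targetDevice": "BOB-LAPTOP"},
    {"activityDisplayName": "Update user", "initiatedBy": "alice@example.com",
     "ipAddress": "198.51.100.77", "time": "2024-06-12T08:20:00Z", "targetDevice": None},
]
CUTOFF = parse_ts("2024-06-10T00:00:00Z")  # baseline = sign-ins before the suspected intrusion window

if __name__ == "__main__":
    for alert in suspicious_device_registrations(AUDIT_EVENTS, SIGNINS, CUTOFF):
        print(alert)
```

Only alice's registration is raised: it came from an address absent from her baseline and fifteen minutes after a successful sign-in from that same address. Bob's registration from his usual address is ignored, as is the non-device audit event. In production the baseline would come from weeks of sign-in history and the IP check would typically be widened to ASN or country, but the shape of the rule is the same.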