# Incident Report: European Phishing Campaign Targeting Cloud Credentials
## Executive Summary
In June 2024, a large-scale phishing campaign, active through September 2024, targeted approximately 20,000 users across European industrial sectors (automotive, chemical, manufacturing) in Germany and the UK. Attackers used fake forms hosted via HubSpot's Free Form Builder and malicious PDFs mimicking DocuSign to steal credentials, aiming for potential takeover of Microsoft Azure cloud infrastructure. Response efforts included identifying the campaign and confirming the underlying platforms (HubSpot and DocuSign) were not breached.
## Incident Details
- Discovery Date: June 2024 (Identified by Unit 42 researchers)
- Incident Date: June 2024 – September 2024 (Campaign duration)
- Affected Organization: Multiple organizations across target sectors (Not individually disclosed)
- Sector: Automotive, Chemical, Industrial Compound Manufacturing
- Geography: Germany and the UK
## Timeline of Events
### Initial Access
- Date/Time: Beginning June 2024
- Vector: Phishing
- Details: Attackers used fake forms created with **HubSpot's Free Form Builder** and malicious PDFs **mimicking DocuSign documents** to trick users into submitting account credentials.
### Lateral Movement
- Details: Specific lateral movement is not detailed, but the ultimate goal was the **takeover of victims' Microsoft Azure cloud infrastructure**.
### Data Exfiltration/Impact
- Details: Primary impact was **credential harvesting**, leading to the potential for abuse of valid credentials, creation of new cloud users, password resets, and MFA enrollment in target Azure environments.
### Detection & Response
- Date/Time: Identified starting June 2024, active through September 2024.
- Details: Unit 42 researchers identified the campaign. Collaboration confirmed that HubSpot and DocuSign platforms were **not compromised**.
## Attack Methodology
- Initial Access: Phishing links distributed via malicious PDFs and fake forms.
- Persistence: Implied through methods to maintain access post-credential theft, such as MFA enrollment or establishing new cloud user accounts.
- Privilege Escalation: Potential escalation by **creating new cloud users** (and granting them roles) in the victim's Azure environment.
- Defense Evasion: Use of seemingly legitimate services (HubSpot) to host phishing content.
- Credential Access: Harvesting credentials through fake login forms and fake document-signing portals.
- Discovery: Implied reconnaissance to identify appropriate targets within the manufacturing sectors.
- Lateral Movement: **Abuse of valid credentials** within Azure environments.
- Collection: Gathering credentials sufficient for cloud management access.
- Exfiltration: Not explicitly detailed, but implied access/control in Azure infrastructure.
- Impact: Unauthorized configuration changes, user creation, and account takeover (ATO) in Azure.
## Impact Assessment
- Financial: Unknown (No public disclosure)
- Data Breach: User credentials harvested; potential impact on cloud data due to Azure account takeover.
- Operational: Risk of significant operational disruption due to potential compromise of industrial or manufacturing cloud infrastructure.
- Reputational: Potential reputational damage for targeted organizations.
## Indicators of Compromise
*(Note: No technical IoCs, such as specific URLs or hashes, were provided in the source text.)*
- Network Indicators: Unknown (Related to customized HubSpot landing pages)
- File Indicators: Malicious PDFs mimicking DocuSign.
- Behavioral Indicators: Unusual MFA enrollment, password resets, or creation of new administrative users in targeted Azure tenants utilizing previously compromised credentials.
## Response Actions
- Containment: Specific steps taken by victims are unknown.
- Eradication: Implied remediation activities such as forced password resets, reviewing Azure activity logs, and removing newly created rogue cloud users.
- Recovery: Restoring integrity of Azure environments and re-securing user accounts.
## Lessons Learned
- Attacks are increasingly leveraging legitimate, trusted third-party services (like HubSpot’s Free Form Builder) to host malicious content, bypassing traditional email gateway filters.
- Cloud Service Providers (CSPs) are a major target, emphasizing the need for strong cloud security posture management alongside endpoint security.
- Attackers utilized a specific thematic lure (DocuSign documents) to increase conversion rates.
## Recommendations
- Implement mandatory Multi-Factor Authentication (MFA) for all cloud/SaaS access, especially administrative or high-value accounts.
- Conduct targeted phishing awareness training for employees in high-value sectors (manufacturing/industrial), focusing on social engineering tactics that leverage document signing services.
- Implement strict Azure Conditional Access policies to limit credential abuse, especially regarding changes like new user creation or MFA modification.
- Monitor for behavioral anomalies in cloud environments, such as immediate password resets or rapid creation of new users following a single user credential compromise.
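The behavioral indicators listed above (MFA enrollment, password resets and new-user creation shortly after a single account signs in) and this last recommendation describe one detection: correlate a user's sign-in with the sensitive directory operations that follow it. The block below is an added example, not code from Unit 42 or from the page; the log lines are constructed, the `ts op target actor` layout is an assumption, and the operation names are modelled after Entra ID audit-log activity names ("Reset user password", "User registered security info", "Add user") rather than taken from a live export.

```python
"""Flag accounts that perform several sensitive directory operations
right after signing in: the post-phishing takeover pattern described
in the report (MFA enrollment, password reset, rogue user creation).

Added example, not Unit 42's or the page's own code. Log format and
operation names below are assumptions modelled on Entra ID audit logs.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Operations an attacker with freshly stolen credentials tends to perform.
SENSITIVE_OPS = {
    "User registered security info",   # MFA enrollment
    "Reset user password",
    "Add user",
    "Add member to role",
}
WINDOW = timedelta(minutes=30)   # how long after sign-in we correlate
MIN_OPS = 2                      # distinct sensitive ops needed to alert

# Constructed sample. j.mueller shows the takeover pattern; a.smith's reset
# is an isolated helpdesk action and must not alert.
SAMPLE_LOG = """\
2024-07-02T08:01:10Z sign-in j.mueller@example.test -
2024-07-02T08:03:45Z "User registered security info" j.mueller@example.test j.mueller@example.test
2024-07-02T08:05:02Z "Reset user password" j.mueller@example.test j.mueller@example.test
2024-07-02T08:06:30Z "Add user" svc-backup@example.test j.mueller@example.test
2024-07-02T09:15:00Z sign-in a.smith@example.test -
2024-07-02T14:40:00Z "Reset user password" a.smith@example.test helpdesk@example.test
"""


def parse_log(text):
    """Parse lines of the assumed form: <ts> <op> <target> <actor>."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, target, actor = shlex.split(line)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "op": op, "target": target, "actor": actor,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_post_signin_anomalies(events, window=WINDOW, min_ops=MIN_OPS):
    """Return one alert per (actor, sign-in) where the actor performs
    at least `min_ops` distinct sensitive operations within `window`.
    Each alert's 'ops' list keeps growing as further ops arrive."""
    last_signin = {}               # actor -> time of most recent sign-in
    activity = defaultdict(list)   # actor -> [(op, target, ts)] since sign-in
    alerts, alerted = [], set()
    for e in events:
        if e["op"] == "sign-in":
            last_signin[e["target"]] = e["ts"]
            activity[e["target"]] = []     # new session, fresh history
            continue
        actor = e["actor"]
        if e["op"] not in SENSITIVE_OPS or actor not in last_signin:
            continue                       # benign op, or no session seen
        if e["ts"] - last_signin[actor] > window:
            continue                       # too long after sign-in
        activity[actor].append((e["op"], e["target"], e["ts"]))
        distinct = {op for op, _, _ in activity[actor]}
        key = (actor, last_signin[actor])
        if len(distinct) >= min_ops and key not in alerted:
            alerted.add(key)
            alerts.append({"actor": actor, "signin": last_signin[actor],
                           "ops": activity[actor]})
    return alerts


def demo():
    """Run the detector over the constructed sample."""
    return find_post_signin_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT {alert['actor']} signed in {alert['signin']:%H:%M:%S}, then:")
        for op, target, ts in alert["ops"]:
            print(f"  {ts:%H:%M:%S}  {op} -> {target}")
```

In a real tenant the same logic runs over exported sign-in and audit logs (or as a scheduled query in the SIEM); the threshold and window are tuning knobs, and the isolated helpdesk reset in the sample is there to show why a single sensitive operation should not alert on its own.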