Daily Post 3007
20,000 MICROSOFT AZURE ACCOUNTS TARGETED
Cyber security is a cat-and-mouse game. In this game the hacker tries either to look legitimate or to stay completely hidden from the victim and, if possible, from everybody else. Users, and professional users even more so, take care of the basic security controls, and at the enterprise level a great deal is done: given the threat perception, regular controls are in place and plenty of preventive action is taken on the basis of both general and specific threat perceptions. Against this backdrop comes the abuse of legitimate services, as threat actors constantly explore new avenues to bypass security tools.
In this context, an abuse of HubSpot has been unravelled by Palo Alto Networks’ team of researchers. HubSpot is a legitimate customer relationship management platform that companies use for a variety of activities. The abuse relates to a phishing campaign targeting automotive, chemical and industrial manufacturing companies in Germany and the UK, which misused HubSpot to steal Microsoft account credentials. Based on the details provided by the researchers, the campaign started in June 2024, remained active until at least September 2024, and was able to compromise approximately 20,000 accounts.
Credential harvesting is what they were indulging in. The threat actors did it using HubSpot Free Form Builder links and DocuSign-mimicking PDFs to redirect victims to credential harvesting pages, and it was done successfully across various European companies. The Form Builder allows the creation of custom online forms to capture information from website visitors, and that is what was turned against the victims in the phishing campaign tracked by Unit 42: the threat actors exploited HubSpot Form Builder to create at least 17 deceptive forms that lured victims into providing sensitive credentials in the next step.
HubSpot was being used as a conduit; its infrastructure was technically not compromised. It served as an intermediate step leading victims to attacker-controlled sites on ‘.buzz’ domains, where mimicked Microsoft Outlook Web App and Azure login pages waited to receive them. What is interesting to note is that because the emails contained links to a legitimate service (HubSpot), they remained unflagged by email security tools and were most likely to reach the target inboxes. The emails connected to this campaign at times failed a couple of checks too. With this dubious game in play, there has been a tug-of-war to gain or regain control of the account.
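The chain described above (a link to a legitimate HubSpot form, a DocuSign-style lure, a redirect to a ‘.buzz’ landing page that imitates a Microsoft login, and email authentication checks that sometimes fail) is the kind of pattern a mail-security team can triage for. The following Python script is an added example, not code from the post or from Unit 42, HubSpot or Microsoft. It assumes that HubSpot form links are recognisable by the hsforms.com domain (an assumption made for the example), and it takes redirect chains as already-resolved lists rather than following links itself; in practice the final hop would come from a URL sandbox. The two messages inside it are constructed samples.

```python
"""Triage emails for the HubSpot-link phishing pattern (added example).

Assumptions (not from the post):
- HubSpot form links live under hsforms.com.
- Redirect chains are supplied pre-resolved (constructed here); a real
  pipeline would obtain them from a URL detonation sandbox.
"""
import re
from urllib.parse import urlparse

# Indicators drawn from the campaign description.
HUBSPOT_FORM_DOMAINS = ("hsforms.com",)          # assumption for the example
SUSPICIOUS_LANDING_TLDS = {"buzz"}               # landing-page TLD named in the post
LURE_KEYWORDS = ("docusign", "review document", "sign document")
MIMICKED_LOGIN_KEYWORDS = ("outlook", "office365", "microsoftonline", "azure")
LEGIT_MICROSOFT_DOMAINS = ("microsoftonline.com", "microsoft.com",
                           "office.com", "outlook.com", "live.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text body."""
    return URL_RE.findall(body)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def host_under(host: str, domains) -> bool:
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_hubspot_form(url: str) -> bool:
    return host_under(host_of(url), HUBSPOT_FORM_DOMAINS)


def looks_like_microsoft_login(host: str) -> bool:
    """Host uses Microsoft login vocabulary but is not a Microsoft domain."""
    if host_under(host, LEGIT_MICROSOFT_DOMAINS):
        return False
    return any(k in host for k in MIMICKED_LOGIN_KEYWORDS)


def parse_auth_results(header: str) -> dict[str, str]:
    """Parse 'spf=pass dkim=fail dmarc=fail' tokens from Authentication-Results."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header, re.IGNORECASE)
        if m:
            results[mech] = m.group(1).lower()
    return results


def triage(message: dict) -> list[str]:
    """Return a list of reasons the message matches the campaign pattern."""
    reasons = []
    auth = parse_auth_results(message.get("authentication_results", ""))
    failed = sorted(m for m, r in auth.items() if r != "pass")
    if failed:
        reasons.append("auth_failed:" + ",".join(failed))
    body_lower = message["body"].lower()
    lure = any(k in body_lower for k in LURE_KEYWORDS)
    chains = message.get("redirect_chains", {})
    for url in extract_urls(message["body"]):
        if is_hubspot_form(url) and lure:
            reasons.append("hubspot_form_link_with_lure")
        final_host = host_of(chains.get(url, [url])[-1])
        if final_host.rsplit(".", 1)[-1] in SUSPICIOUS_LANDING_TLDS:
            reasons.append(f"lands_on_suspicious_tld:{final_host}")
        if looks_like_microsoft_login(final_host):
            reasons.append(f"lookalike_login_page:{final_host}")
    return reasons


# Constructed sample messages (placeholder values, not real indicators).
SUSPICIOUS_MESSAGE = {
    "authentication_results": "spf=fail dkim=none dmarc=fail",
    "body": "Please review the DocuSign document: https://share.hsforms.com/EXAMPLE-form-id",
    "redirect_chains": {
        "https://share.hsforms.com/EXAMPLE-form-id": [
            "https://share.hsforms.com/EXAMPLE-form-id",
            "https://outlook-example.buzz/owa/",
        ]
    },
}
BENIGN_MESSAGE = {
    "authentication_results": "spf=pass dkim=pass dmarc=pass",
    "body": "Our monthly newsletter: https://example.com/news",
    "redirect_chains": {},
}

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage(msg))
```

The point of scoring on the resolved landing page rather than on the link in the email is exactly the evasion the post describes: a HubSpot URL on its own is legitimate and will pass most reputation checks, so the detection has to look at where the chain ends and at whether the sender even passed SPF, DKIM and DMARC.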
THE FAST-EVOLVING CYBER CRIME TOOLKIT HAS SOMETHING UP ITS SLEEVES CONSISTENTLY, AT AN ASTONISHING PACE.
Sanjay Sahay