Cybersecurity experts have uncovered a phishing campaign, dubbed HubPhish, that has targeted over 20,000 users in Europe. The attackers aim to steal login credentials and infiltrate Microsoft Azure cloud systems. This operation focused on industries like automotive, chemical, and industrial manufacturing.
How HubPhish Works
Researchers at Palo Alto Networks Unit 42 revealed that the attackers took advantage of HubSpot’s Free Form Builder to create deceptive forms. During its peak in June 2024, the campaign sent phishing emails disguised as Docusign requests, urging recipients to view documents.
Clicking the links redirected victims to fake Office 365 login pages designed to collect their credentials. Investigators found at least 17 active forms tied to domains under the attackers’ control, many using the “.buzz” domain.
Sustaining Access and Moving Laterally
After stealing credentials, the attackers added their own devices to victims’ accounts. This allowed them to maintain access and move within Microsoft Azure environments. They also used Bulletproof VPS hosting to manage their operation.
Broader Trends in Phishing
HubPhish isn’t unique. Attackers increasingly exploit legitimate platforms like Google Calendar and Google Drawings to bypass email filters. Common tactics include:
- Sending emails with calendar (.ICS) attachments.
- Embedding links that direct users to fake pages.
- Masking malicious links as reCAPTCHA challenges or help buttons.
Additionally, some campaigns impersonate trusted email security brands such as Proofpoint and Barracuda Networks to appear credible.
Staying Safe
To counter these threats, individuals and organizations should:
- Enable Multi-Factor Authentication (MFA): This adds a critical security layer.
- Adjust Calendar Settings: Use “known senders” settings in Google Calendar to block unwanted invites.
- Train Employees: Teach staff how to identify phishing attempts.
- Monitor Cloud Systems: Regularly review accounts for unusual activity or unauthorized devices.
Phishing attacks are evolving, but simple precautions can significantly reduce risks. Campaigns like HubPhish highlight the need for vigilance and proactive measures to secure online environments.
Martin Baker
Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.
Leave a Reply