Type
Campaign
Actors
Unknown
Pub. date
December 18, 2024
Initial access
End-user compromise
Impact
Unknown
Observed techniques
Create new cloud userCredential theftValid creds abuseCloud account password resetMFA enrollment
Observed tools
HubSpot Free Form Builder
References
https://unit42.paloaltonetworks.com/european-phishing-campaign/
Status
Finalized
Last edited
Jan 8, 2025 1:28 PM
In June 2024, Unit 42 researchers identified a phishing campaign targeting approximately 20,000 users in European automotive, chemical, and industrial compound manufacturing sectors, particularly in Germany and the UK. The attackers employed fake forms created with HubSpot's Free Form Builder and malicious PDFs mimicking DocuSign documents to harvest account credentials and potentially take over victims' Microsoft Azure cloud infrastructure. The campaign remained active as of September 2024. Collaboration with HubSpot and DocuSign confirmed that their platforms were not compromised during these attacks.