Type: Campaign
Actors:
Pub. date: December 18, 2024
Initial access: End-user compromise
Impact: Unknown
Observed techniques:
Observed tools:
Status: Finalized
Last edited: Jan 8, 2025 1:28 PM

In June 2024, Unit 42 researchers identified a phishing campaign targeting approximately 20,000 users in European automotive, chemical, and industrial compound manufacturing sectors, particularly in Germany and the UK. The attackers employed fake forms created with HubSpot's Free Form Builder and malicious PDFs mimicking DocuSign documents to harvest account credentials and potentially take over victims' Microsoft Azure cloud infrastructure. The campaign remained active as of September 2024. Collaboration with HubSpot and DocuSign confirmed that their platforms were not compromised during these attacks.