Targeted Phishing Attack Strikes HubSpot Users


Evalian’s Security Operations Centre has uncovered an active, sophisticated phishing campaign targeting HubSpot customers, combining business email compromise (BEC) tactics with website compromise to steer unsuspecting users to a credential-harvesting login page.

The multi-layered attack demonstrates how modern threat actors are evolving their techniques to bypass traditional email security controls.

The phishing campaign employs a deceptive approach that leverages both compromised legitimate infrastructure and spoofed communications.

Attackers sent emails impersonating HubSpot, urging recipients to verify their accounts due to unusual unsubscribe activity.

What makes this attack particularly noteworthy is that the URLs within the email body were not malicious. Instead, the threat actors embedded the phishing URL directly into the sender’s display name, a technique designed to evade email security gateways that typically focus on link analysis of the message body rather than scrutiny of sender metadata.

The sophistication extends further through the use of business email compromise to control a legitimate email address, which attackers then leveraged through MailChimp, a popular email marketing platform, to distribute the campaign at scale.

This approach allowed the phishing email to bypass secure email gateways due to the trusted reputation of both the compromised domain and MailChimp’s infrastructure.
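The two evasions just described, a URL smuggled into the From display name and a message that authenticates cleanly because it genuinely left a compromised domain through a marketing platform, can be caught at the gateway by inspecting the header the link scanners skip. The block below is an added example for this article, not Evalian’s detection logic: it parses a constructed message, pulls any URL (live or analyst-defanged) out of the display name, checks whether a named brand in the display name matches the sender domain, and reports the verdict alongside the Authentication-Results status so the two can be compared. The sender mailbox, the partner domain, the Authentication-Results values and the brand-to-domain mapping are all assumptions for illustration.

```python
"""Flag display-name URL smuggling and brand impersonation in an inbound message
even when SPF, DKIM and DMARC all pass. Added example for this article; it is not
Evalian's detection logic, and every header value below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Matches live URLs, "www." hosts and analyst-defanged forms (hxxps://, example[.]com).
URL_IN_TEXT = re.compile(
    r"(?:h(?:xx|tt)ps?://|www\.)\S+|\b[\w.-]+\[\.\][a-z]{2,}\S*", re.IGNORECASE
)

# Assumed mapping of impersonated brands to their legitimate sending domains.
# hubspot.com is used here for illustration; load the brand's published domains in practice.
BRAND_DOMAINS = {"hubspot": {"hubspot.com"}}

# Constructed sample modelled on the campaign: URL in the display name, clean body,
# and an Authentication-Results header that passes because the (compromised) sender
# domain really did send it. The mailbox and domain names are placeholders.
SAMPLE_PHISH = """\
From: "HubSpot Security - verify at https://hubspot-campaigns.com/login" <news@compromised-partner.example>
To: victim@example.com
Subject: Unusual unsubscribe activity detected
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=compromised-partner.example; dkim=pass header.d=compromised-partner.example; dmarc=pass header.from=compromised-partner.example
Content-Type: text/plain

Please confirm your account to keep receiving campaign analytics.
"""

# Constructed benign message from the brand's own domain, for comparison.
SAMPLE_LEGIT = """\
From: "HubSpot" <no-reply@hubspot.com>
To: victim@example.com
Subject: Your weekly report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hubspot.com; dkim=pass header.d=hubspot.com; dmarc=pass header.from=hubspot.com
Content-Type: text/plain

Your report is ready.
"""


def _domain_matches(sender_domain: str, allowed: set[str]) -> bool:
    """True if sender_domain is one of the allowed domains or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def analyze_from_header(raw_message: str) -> dict:
    """Return authentication status, display-name URLs, findings and a verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    findings = []
    display_urls = URL_IN_TEXT.findall(display_name)
    if display_urls:
        findings.append("url_in_display_name")

    lowered = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not _domain_matches(sender_domain, domains):
            findings.append(f"brand_impersonation:{brand}")

    auth = msg.get("Authentication-Results", "")
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    # A passing DMARC result only proves the From domain was not forged; it says
    # nothing about whether that domain is itself compromised, so findings outrank it.
    verdict = "quarantine" if findings else "deliver"
    return {
        "sender_domain": sender_domain,
        "auth_pass": auth_pass,
        "display_urls": display_urls,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyze_from_header(sample))
```

Run against the constructed phish, the result shows `auth_pass` as true and the verdict as quarantine at the same time, which is the point: the gateway rule has to read the display name and the brand/domain relationship, not just the authentication stamp.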

Credential Stealer Infrastructure

Investigation into the malicious infrastructure revealed that a legitimate website, canvthis[.]com, had been compromised and configured to redirect users to a credential stealer hosted at hxxps://hubspot-campaigns[.]com/login.

The fake login page is visually convincing, closely mimicking the genuine HubSpot login portal. When users entered credentials, the information was transmitted to a login.php file on infrastructure hosted in Saint Petersburg, Russia.

Malicious HubSpot Login Page.

The hosting infrastructure traces back to Proton66 OOO (AS198953), a Russian bulletproof hosting service with a well-documented history of facilitating phishing campaigns.

OSINT analysis revealed that the hosting IP address has been linked to multiple other attempted phishing campaigns, indicating infrastructure reuse across different threat actors or campaigns.

The compromised server exhibits characteristics typical of hastily deployed phishing infrastructure.

Hosted on a Plesk-managed virtual private server with an auto-generated hostname (*.plesk[.]page), the system exposes a complete mail stack including Postfix and Dovecot, alongside publicly accessible Plesk administrative panels.

The infrastructure uses self-signed TLS certificates and maintains exposed SMTP, IMAP, and submission services with legacy authentication methods.

Port scanning reveals a vast attack surface, including DNS (53), SSH (22), HTTP/HTTPS (80/443), and multiple Plesk interfaces (8443, 8880).

Shodan Reporting.

This over-exposed configuration is characteristic of generic VPS templates commonly abused for short-lived phishing campaigns, enabling rapid deployment of phishing pages and quick infrastructure rotation.

The campaign also underscores the limitations of relying solely on email authentication protocols. While SPF, DKIM, and DMARC prevent message forgery at the SMTP level, a message that passes all three is not guaranteed to be safe: here the mail genuinely originated from a compromised domain via Mailchimp, so it authenticated cleanly.
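The hosting characteristics described in this section (an auto-generated *.plesk.page hostname, a self-signed certificate, exposed Plesk panels and a full mail stack, and a bulletproof-hosting ASN) are the kind of pattern a hunter can score across a Shodan export rather than chasing one IP at a time. The block below is an added example for this article, not Evalian’s tooling. It assumes the record layout of a Shodan host export (`ip_str`, `hostnames`, `ports`, `asn`, and `data[].ssl.cert` with `issuer` and `subject`), which is an assumption about the field names; the IP addresses, hostnames and certificate fields are constructed, and the weights are illustrative.

```python
"""Score host records against the hosting-template indicators described in the
article. Added example; not Evalian's tooling. Field layout follows a Shodan host
export as an assumption; all record contents below are constructed placeholders."""
import re

PLESK_HOSTNAME = re.compile(r"\.plesk\.page$", re.IGNORECASE)
PLESK_PANEL_PORTS = {8443, 8880}   # Plesk admin interfaces named in the article
MAIL_STACK_PORTS = {25, 143, 587}  # SMTP, IMAP, submission
MGMT_PORTS = {22, 53}              # SSH and DNS exposed alongside the web stack
BULLETPROOF_ASNS = {"AS198953"}    # Proton66 OOO, named in the article

# Constructed record shaped like a Shodan host export. 203.0.113.10 is a
# documentation-range placeholder, not the campaign's real IP.
SUSPECT_HOST = {
    "ip_str": "203.0.113.10",
    "asn": "AS198953",
    "hostnames": ["vmi000000.plesk.page"],
    "ports": [22, 25, 53, 80, 143, 443, 587, 8443, 8880],
    "data": [
        {"port": 443, "ssl": {"cert": {
            "issuer": {"CN": "vmi000000.plesk.page"},
            "subject": {"CN": "vmi000000.plesk.page"},
        }}},
    ],
}

# Constructed ordinary web host for comparison (documentation ASN AS64496).
BENIGN_HOST = {
    "ip_str": "203.0.113.20",
    "asn": "AS64496",
    "hostnames": ["www.shop.example"],
    "ports": [80, 443],
    "data": [
        {"port": 443, "ssl": {"cert": {
            "issuer": {"CN": "Example Public CA"},
            "subject": {"CN": "www.shop.example"},
        }}},
    ],
}


def is_self_signed(cert: dict) -> bool:
    """A certificate whose issuer equals its subject was not issued by a CA."""
    return bool(cert) and cert.get("issuer") == cert.get("subject")


def score_host(record: dict) -> tuple[int, list[str]]:
    """Add up indicator weights and return the score with a human-readable reason list."""
    score, reasons = 0, []
    ports = set(record.get("ports", []))

    if any(PLESK_HOSTNAME.search(h) for h in record.get("hostnames", [])):
        score += 2
        reasons.append("auto-generated *.plesk.page hostname")
    if PLESK_PANEL_PORTS & ports:
        score += 2
        reasons.append(f"Plesk panel exposed on {sorted(PLESK_PANEL_PORTS & ports)}")
    if MAIL_STACK_PORTS <= ports:
        score += 1
        reasons.append("full mail stack exposed (SMTP, IMAP, submission)")
    if MGMT_PORTS <= ports:
        score += 1
        reasons.append("SSH and DNS exposed alongside web services")
    for banner in record.get("data", []):
        cert = banner.get("ssl", {}).get("cert")
        if cert and is_self_signed(cert):
            score += 2
            reasons.append(f"self-signed TLS certificate on port {banner.get('port')}")
            break
    if record.get("asn") in BULLETPROOF_ASNS:
        score += 3
        reasons.append(f"bulletproof hosting ASN {record['asn']}")
    return score, reasons


def triage(record: dict, threshold: int = 6) -> str:
    """Route a host to the hunt queue when enough template indicators line up."""
    score, _ = score_host(record)
    return "hunt" if score >= threshold else "ignore"


if __name__ == "__main__":
    for host in (SUSPECT_HOST, BENIGN_HOST):
        print(host["ip_str"], triage(host), score_host(host))
```

Feed it a list of exported host records and the hunt queue fills with hosts that share the template, including ones whose phishing page has already rotated away; the threshold deliberately requires several indicators so that a single self-signed certificate or an open SSH port does not trip it on its own.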

Implications for Email Security

Threat actors increasingly exploit legitimate third-party email services like Mailchimp, SendGrid, and Salesforce; because the messages genuinely originate from those trusted platforms, they pass SPF, DKIM, and DMARC checks rather than having to defeat them.

For security operations teams, the attack highlights the need to move beyond simple domain blocking.

Effective detection requires hunting for infrastructure patterns, monitoring cloud email providers, analyzing TLS artifacts, and implementing user education programs that encourage skepticism toward even polished communications.

The campaign represents a significant evolution in phishing sophistication, combining brand impersonation with infrastructure-as-a-service to scale attacks efficiently while remaining ahead of basic defenses.
