Hackers Targeting HubSpot Users in Targeted Phishing Attack

An active phishing campaign is currently targeting HubSpot users through a sophisticated combination of social engineering and infrastructure compromise.

The attack leverages business email compromise tactics, paired with website hijacking, to deliver credential-stealing malware to unsuspecting marketing professionals and business teams that rely on the platform.

The campaign begins with carefully crafted phishing emails that appear to come from legitimate business accounts.

These messages urge recipients to log into their HubSpot accounts to review marketing campaigns, citing an unusual spike in unsubscribes as the reason for immediate action.

The emails use MailChimp, a trusted email marketing platform, to distribute the attack at scale, ensuring messages pass through secure email gateways because of the platform’s reputation.

Evalian researchers noted that the phishing emails use a deceptive technique: embedding the malicious URL in the sender’s display name rather than in the email body.

This approach successfully bypasses many email security controls, which typically scan message content but overlook the sender field.
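One way a mail filter can close that gap, shown here as an added example rather than anything from Evalian's report: parse the From header with Python's standard email library, look for URLs in the display name alone, and compare their hosts with the sender's own domain. The sample headers and every domain in them are constructed placeholders.

```python
"""Flag mail whose From: display name smuggles a URL, the lure Evalian describes.
Added example, not code from the report; sample headers are constructed with
placeholder domains."""
import re
from email import message_from_string, policy

# A URL or bare domain inside the human-readable part of From:.
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+"                        # explicit scheme or www.
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?"  # bare domain, optional path
)

def host_of(url: str) -> str:
    """Strip scheme, www. and path so the host can be compared to the sender domain."""
    return re.sub(r"(?i)^(?:https?://)?(?:www\.)?", "", url).split("/")[0].lower()

def analyse_from_header(raw_message: str) -> dict:
    """Report URLs hidden in the From: display name and whether their hosts
    differ from the sender's own domain. policy.default decodes RFC 2047
    encoded words first, so an obfuscated display name is inspected decoded."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return {"display_name": "", "address": "", "urls": [],
                "foreign_hosts": [], "suspicious": False}
    sender = from_header.addresses[0]
    urls = URL_RE.findall(sender.display_name)
    foreign = [h for h in map(host_of, urls) if h != sender.domain.lower()]
    return {
        "display_name": sender.display_name,
        "address": sender.addr_spec,
        "urls": urls,
        "foreign_hosts": foreign,
        # The display name is for a name: any URL there is a lure, and content
        # filters that only scan the body never see it.
        "suspicious": bool(urls),
    }

# Constructed samples: a lure in the style described above, and a benign header.
PHISH_SAMPLE = (
    'From: "HubSpot Alerts - review at https://hs-login.example-phish.test/hs"'
    " <alerts@compromised-business.example>\n"
    "Subject: Unusual spike in unsubscribes\n\nPlease review your campaigns.\n"
)
BENIGN_SAMPLE = 'From: "Marketing Notifications" <noreply@legit-vendor.example>\n\nHi.\n'

if __name__ == "__main__":
    print(analyse_from_header(PHISH_SAMPLE))  # suspicious=True, one foreign host
    print(analyse_from_header(BENIGN_SAMPLE))  # suspicious=False
```

Because the check runs on the parsed display name rather than on the raw header bytes, it also covers display names wrapped in RFC 2047 encoded words.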

Phishing Email (Source – Evalian)

Combined with the compromised legitimate business domain, the emails appear authentic to both automated systems and human readers.

Once victims click the embedded URL, they are redirected from a compromised website to a convincing fake HubSpot login portal hosted on Proton66 OOO infrastructure, a Russian bulletproof hosting provider linked to AS198953.

When users enter their credentials, the login information is transmitted to a login.php file and captured by attackers.

Malicious HubSpot Login Page (Source – Evalian)

The phishing email structure and the replica login page are designed to mirror HubSpot’s legitimate interface.

Hosting infrastructure

The infection mechanism relies on harvesting valid user credentials rather than delivering traditional malware.

Evalian analysts identified that the hosting infrastructure uses a Plesk-managed virtual private server with exposed mail services, including Postfix and Dovecot.

The IP address 193.143.1.220 reveals an unusually broad range of open ports, including SMTP services on ports 25 and 465, IMAP on ports 143 and 993, and multiple Plesk administrative interfaces.

This configuration is typical of infrastructure designed for rapid deployment and rotation of phishing campaigns.

Infrastructure analysis confirmed that the IP is associated with multiple other phishing attempts, indicating a pattern of organized attack activity.

The exposed Plesk control panels allow attackers to quickly deploy new phishing pages, manage compromised email accounts, and rotate infrastructure to evade detection.

Organizations must implement layered security measures that extend beyond standard email authentication protocols to protect against evolving threats.
