Palo Alto Networks' Unit 42 researchers have uncovered a sophisticated phishing campaign targeting European companies. The attack, which peaked in June 2024, aims to harvest Microsoft Azure cloud credentials and compromise victims' cloud infrastructure.
The campaign primarily targets automotive, chemical, and industrial compound manufacturing companies in Germany and the UK. Researchers estimate that approximately 20,000 users across various European organizations have been affected.
Palo Alto noted that the phishing messages included either a PDF file enabled with Docusign as an attachment or an HTML link that led victims to harmful HubSpot Free Form Builder links embedded within the phishing emails.
The threat actors employ a multi-pronged approach to lure victims:
1. Malicious PDF attachments: Emails contain Docusign-enabled PDF files with company-specific names, enticing users to click on a “View Document” button.
2. Embedded HTML links: Some emails include links that direct victims to fraudulent websites.
3. HubSpot Free Form Builder: The attackers leverage this legitimate service to create convincing phishing forms.
“Several malicious PDF attachments used the target organization’s name in the file name (i.e., CompanyName.pdf). Figure 2 shows an example of a malicious PDF file mimicking a Docusign document,” Palo Alto noted.
Once a user interacts with these malicious elements, they are redirected to a credential harvesting page designed to mimic Microsoft Azure login portals.
The phishing infrastructure is highly sophisticated, utilizing multiple levels of redirection and domain names that closely resemble legitimate company websites. For instance, the attackers use top-level domains like “.buzz” to create convincing URLs (e.g., http://www.acmeinc[.]buzz).
Unit 42 researchers identified at least 17 different HubSpot Free Form URLs used in this campaign, highlighting the scale of the operation. The attackers also employed “Bulletproof” VPS hosts, known for their anonymity and resistance to takedown requests.
What sets this campaign apart is its persistence techniques. After compromising an account, the attackers add new devices to the victim’s Azure account, allowing them to maintain access even after password resets.
To evade detection, the threat actors use VPN proxies to make their login attempts appear to originate from the same country as the victim organization. They also employ unusual user-agent strings during connection attempts.
Organizations are advised to implement the following protective measures:
- Enable multi-factor authentication for all cloud accounts.
- Regularly review and audit device additions to user accounts.
- Implement continuous access evaluation for real-time session management.
- Disable “Self-Service Tenant Creation” to prevent potential data exfiltration.
- Train employees to identify phishing attempts, especially those with a sense of urgency.
- Utilize advanced email filtering and authentication protocols (SPF, DKIM, DMARC).
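One way to operationalize the "review and audit device additions" advice against the persistence technique described above (a new device registered shortly after a sign-in from an unusual user agent). This is an added example, not code from the Unit 42 report; the log records are constructed and their field names (`user`, `time`, `ua`, `activity`) are simplified assumptions rather than the real Entra ID schema.

```python
# Added example: correlate constructed sign-in and audit records to flag a
# device registration that follows a sign-in with an unexpected user agent.
# Field names are assumptions, not the real Entra ID log schema.
from datetime import datetime, timedelta

# Constructed sample records; timestamps are ISO 8601 UTC.
SIGNINS = [
    {"user": "a.schmidt@example.de", "time": "2024-06-12T08:02:10Z",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/125.0"},
    {"user": "a.schmidt@example.de", "time": "2024-06-12T09:40:05Z",
     "ua": "python-requests/2.31.0"},
    {"user": "j.brown@example.co.uk", "time": "2024-06-12T10:15:00Z",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/125.0"},
]
AUDITS = [
    {"user": "a.schmidt@example.de", "time": "2024-06-12T09:43:30Z",
     "activity": "Add registered device"},
    {"user": "j.brown@example.co.uk", "time": "2024-06-12T10:16:00Z",
     "activity": "Add registered device"},
    {"user": "j.brown@example.co.uk", "time": "2024-06-12T10:20:00Z",
     "activity": "Update user"},
]
# Browser families the organisation expects; anything else counts as unusual.
KNOWN_UA_MARKERS = ("Edge/", "Chrome/", "Firefox/", "Safari/")


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_unusual_ua(ua):
    return not any(marker in ua for marker in KNOWN_UA_MARKERS)


def flag_suspicious_registrations(signins, audits, window_minutes=30):
    """Return (user, registration_time, user_agent) for every device
    registration preceded, within the window, by a sign-in of the same
    user whose user agent is outside the expected browser set."""
    hits = []
    for a in audits:
        if a["activity"] != "Add registered device":
            continue
        reg_time = parse(a["time"])
        for s in signins:
            if s["user"] != a["user"]:
                continue
            delta = reg_time - parse(s["time"])
            in_window = timedelta(0) <= delta <= timedelta(minutes=window_minutes)
            if in_window and is_unusual_ua(s["ua"]):
                hits.append((a["user"], a["time"], s["ua"]))
    return hits


if __name__ == "__main__":
    for user, when, ua in flag_suspicious_registrations(SIGNINS, AUDITS):
        print(f"REVIEW: {user} registered a device at {when} after a sign-in with UA {ua!r}")
```

Every hit is a candidate for session revocation and device removal, not a verdict; the window and the known-agent list should be tuned to the organisation's own baseline.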
As the campaign remains active, organizations must stay vigilant and prioritize cloud security. The sophisticated nature of this attack serves as a stark reminder of the evolving threat landscape facing businesses relying on cloud infrastructure.
Companies suspecting compromise should immediately disable affected accounts, revoke active sessions, and contact cybersecurity experts for thorough investigation and remediation.
The incident underscores the critical need for robust cloud security measures and ongoing employee education to combat increasingly sophisticated phishing tactics.