A recent investigation by Unit 42 has uncovered a significant phishing campaign targeting European companies, particularly in the automotive and chemical sectors. This operation, which peaked in June 2024, aimed to harvest user credentials and gain access to Microsoft Azure cloud infrastructure. Approximately 20,000 users across various organizations in Germany and the UK were affected by this sophisticated scheme.
The phishing attempts used fake forms created with HubSpot’s Free Form Builder, delivered through emails containing either malicious PDF attachments or embedded HTML links. These links directed victims to fraudulent pages designed to mimic legitimate Microsoft Azure login interfaces. Notably, the attackers wrote these emails in urgency-inducing language to pressure recipients into acting quickly, a common tactic in phishing schemes.
Unit 42’s analysis confirmed that while HubSpot’s infrastructure was not compromised, the threat actors exploited its services to facilitate their attacks. The investigation also revealed that the phishing campaign continued to operate well into September 2024, indicating a persistent threat. To combat such threats, Palo Alto Networks offers several protective measures, including Advanced WildFire for malware analysis and Cortex XDR for detecting user and credential-based threats. Organizations are encouraged to remain vigilant and implement robust security protocols to safeguard against these types of cyberattacks.
For those who suspect they may have been compromised, contacting the Unit 42 Incident Response team is advised. This incident highlights the ongoing challenges posed by phishing attacks, underscoring the need for continuous awareness and proactive defense strategies.