Unit 42 of Palo Alto Networks has identified a phishing campaign aimed at European companies to steal account credentials and compromise their Microsoft Azure cloud infrastructure. This campaign primarily utilized the HubSpot Free Form Builder service, with reported peaks occurring in June 2024. The analysis unveiled 33 indicators of compromise, including domains and IP addresses, leading to the discovery of numerous additional connected artifacts. Affected: European companies, Microsoft Azure
Keypoints :
- Unit 42 reports a phishing campaign targeting European firms.
- The campaign aims to harvest account credentials for Microsoft Azure infrastructure theft.
- Peak phishing attempts were noted in June 2024 using HubSpot Free Form Builder.
- 33 indicators of compromise (IoCs) were identified: 16 domains and 17 IP addresses.
- Several legitimate domains were excluded from the IoC list.
- A total of 16 email-connected domains and 185 additional IP-connected domains were discovered.
- The IoCs were primarily registered in the U.S., with others in Pakistan and Spain.
- First domain resolution dates for IoCs range from 2011 to 2024, with most created in 2024.
- Historical DNS resolutions for the domains totaled 1,432.
- Geolocation of IoCs showed them to be tied to five countries, notably the Netherlands and the U.S.
MITRE Techniques :
- Phishing (T1566) β Attackers used phishing emails to target employees of European companies.
- Credential Dumping (T1003) β The goal was to obtain account credentials from victims.
- Exploitation of Web Services (T1102) β The campaign leveraged a legitimate web service (HubSpot) to carry out phishing.
Indicator of Compromise :
- [Domain] cyptech[.]com[.]au
- [Domain] espersonal[.]org
- [Domain] vigaspino[.]com
- [Domain] qeanonsop[.]xyz
- [IP Address] 144[.]217[.]158[.]133
Full Story: https://circleid.com/posts/dns-insights-on-a-free-form-builder-service-phishing-campaign