- Unit 42 says the phishing campaign targeted the automotive, chemical and industrial composites manufacturing industries.
- More than 20,000 victims were successfully attacked.
- The campaign has been discontinued, but users should still be on their guard.
Experts have warned that hackers of potentially Russian or Ukrainian origin have been targeting UK and EU organizations in the automotive, chemical and industrial composites manufacturing industries with advanced phishing threats.
A report from Unit 42, the cybersecurity arm of Palo Alto Networks, claims to have observed a campaign that began in June 2024 and was still active in September. The goal of the campaign was to take over people's Microsoft Azure cloud accounts and steal any sensitive information found there.
The criminals sent a Docusign-compatible PDF file or an embedded HTML link, which would redirect victims to a HubSpot Free Form Builder link. That link would typically invite the reader to “View Document in Microsoft Secure Cloud,” where victims would be asked to provide their Microsoft Azure login credentials.
Bulletproof hosting
Most of the victims are in Europe (mainly Germany) and the United Kingdom. Approximately 20,000 users were “successfully attacked,” the researchers said, adding that in at least some cases victims handed their login credentials to the attackers: “We verified that the phishing campaign made multiple attempts to connect to the Microsoft Azure victims' cloud infrastructure,” the researchers said in their article.
In addition to customized phishing lures carrying organization-specific branding and email formats, the criminals used targeted redirects through URLs designed to resemble the victim organization's domain. They also relied on bulletproof VPS hosts and reused the same phishing infrastructure across multiple operations. Most of the phishing pages were hosted on .buzz domains.
At the time of publication, most of the attack infrastructure was offline: Unit 42 said it worked alongside HubSpot to address abuse of the platform and engaged with compromised organizations to provide recovery resources. Because most of the phishing servers are now offline, the researchers consider the disruption efforts effective.
Via The Register