European companies in sectors such as automotive, chemical, and industrial compound manufacturing faced a major cybersecurity threat recently, as a sophisticated phishing campaign targeted their Microsoft Azure cloud infrastructures. Conducted by a cybercriminal aiming to infiltrate these systems, the campaign involved around 20,000 phishing emails sent to employees of various firms. These emails, which peaked in June 2024, imitated DocuSign requests and contained either a DocuSign-enabled PDF or an embedded HTML link. Clicking these links diverted victims to malicious HubSpot Free Form Builder pages.
The phishing emails were meticulously crafted to appear legitimate, leading unsuspecting victims to enter their credentials on spoofed Microsoft Outlook Web App login pages. Researchers from Palo Alto Networks’ Unit 42 discovered that 17 active Free Forms were redirecting victims to these malicious pages, where their credentials were harvested. The attackers then attempted to use these credentials to access victims’ Microsoft Azure accounts and infrastructure. Further investigations revealed that the same hosting infrastructure was employed across multiple phishing operations and for accessing compromised Azure accounts, suggesting that the threat actor owned the server rather than rented it.
To ensure persistent access, the attacker utilized VPN proxies to simulate login attempts from the victims’ countries. Additionally, they added new devices to compromised accounts, increasing the likelihood of remaining undetected. This methodical approach helped the threat actor evade detection and maintain access to sensitive information within the affected firms. The success of the campaign in obtaining credentials and attempting account takeovers underscores the urgent need for enhanced cybersecurity measures and vigilance among the targeted sectors.
To counter such sophisticated phishing schemes, European firms are taking several steps to bolster their cybersecurity defenses. These measures include implementing multi-factor authentication (MFA) to add an extra layer of security to login processes, and conducting regular security awareness training for employees to recognize and report phishing attempts swiftly. Organizations are also investing in advanced threat detection systems that can identify and mitigate malicious activities before they cause significant harm.
The detailed analysis conducted by Unit 42 underscores the growing threat landscape and the evolving strategies employed by cybercriminals to compromise sensitive information. The key takeaway from this incident is the critical importance of robust cybersecurity protocols and proactive measures to thwart such attacks and safeguard organizational assets. As cybercriminals continue to refine their techniques, it becomes increasingly essential for companies to stay vigilant and update their security practices to counter these ever-evolving threats.