20,000 European Users Are the Target of HubPhish's Credential Theft Abuse of HubSpot Tools

Security analysts have uncovered a sophisticated phishing operation dubbed "HubPhish" by Palo Alto Networks Unit 42, which targeted European industrial companies through abuse of HubSpot's services. The campaign affected approximately 20,000 European businesses, primarily in the industrial, chemical, and automotive sectors.

20,000 European Users Are the Target of HubPhish's Credential Theft Abuse of HubSpot Tools

Security analysts have uncovered a sophisticated phishing operation dubbed "HubPhish" by Palo Alto Networks Unit 42, which targeted European industrial companies through abuse of HubSpot's services. The campaign affected approximately 20,000 European businesses, primarily in the industrial, chemical, and automotive sectors.

According to researchers William Gamazo, Ohad Benyamin Maimon, and Shachar Roitman in their report to The Hacker News, the campaign reached its height in June 2024. The attackers leveraged HubSpot's Free Form Builder service to create deceptive forms. Their methodology involved sending DocuSign-themed phishing emails that directed victims to counterfeit Office 365 Outlook Web App login interfaces through HubSpot Free Form Builder links, enabling credential theft.

Unit 42 clarified that the attackers didn't compromise HubSpot's infrastructure or customer platform. Instead, they identified 17 active Free Forms that redirected victims to attacker-controlled domains, with many using the ".buzz" top-level domain.

The infrastructure supporting this campaign utilized Bulletproof VPS hosting services. After successfully compromising accounts, the attackers would register a new device to maintain persistent access to the victim's system.

Unit 42 explained that the campaign specifically targeted Microsoft Azure cloud infrastructure through endpoint-based credential harvesting, followed by lateral movement to cloud resources. In related developments, threat actors have been observed impersonating SharePoint in emails distributing XLoader malware, an evolution of the Formbook malware family.

The phishing landscape continues to evolve with innovative bypass techniques for email security measures. Recent trends include:

  • Impersonation of email security vendors (Proofpoint, Barracuda Networks, Mimecast, Virtru)
  • Exploitation of legitimate Google services (Calendar, Drawings)
  • Removal of URL protocols from embedded links
  • Use of calendar (.ICS) attachments with Google Forms/Drawings links
  • Deployment of fake reCAPTCHA or support buttons leading to fraudulent pages
  • Calendar-based meeting invites containing malicious links

To protect against Google Calendar-based attacks, users should activate the "known senders" feature in their calendar settings.