Effective Phishing Campaign Targeting European Companies and Institutions

Dec. 18, 2024, 3:08 p.m.

Description

A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure cloud infrastructures. Approximately 20,000 users were targeted across various European organizations. The attackers employed multiple redirection techniques, custom user-agent strings, and Bulletproof VPS hosts to evade detection. Once access was gained, the threat actors attempted to maintain persistence by adding new devices to compromised accounts. The campaign highlights the ongoing threat of targeted phishing attacks against corporate cloud infrastructures.

External References

https://unit42.paloaltonetworks.com/european-phishing-campaign/
https://otx.alienvault.com/pulse/6762de3a1fbb3225d714ce8e
Tags
phishing
persistence
credential harvesting
redirection
docusign
2024-12-18
microsoft azure
european companies
hubspot

Date

  • Created: Dec. 18, 2024, 2:37 p.m.
  • Published: Dec. 18, 2024, 2:37 p.m.
  • Modified: Dec. 18, 2024, 3:08 p.m.

Indicators

  • f3f0bf362f7313d87fcfefcd6a80ab0f18bc6c5517d047be186f7b81a979ff91
  • deff0a6fbf88428ddef2ee3c4d857697d341c35110e4c1208717d9cce1897a21
  • b2ca9c6859598255cd92700de1c217a595adb93093a43995c8bb7af94974f067
  • 94.46.246.46
  • 94.156.71.208
  • 91.92.244.131
  • 91.92.242.68
  • 74.119.239.234
  • 49.12.110.250
  • 208.91.198.96
  • 208.115.208.118
  • 188.166.3.116
  • 167.114.27.228
  • 91.92.245.39
  • 144.217.158.133
  • 91.92.253.66
  • www.acmeinc.buzz
  • https://wr43wer3ee.cyptech.com.au/oeeo4/ewi9ew/mnph_term=?/&submissionGuid=50aa078a-fb48-4fec-86df-29f40a680602
  • https://vomc.qeanonsop.xyz/?hh5=IY&username=ian@deloitte.es
  • https://vigaspino.com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85
  • https://vigaspino.com/2doc5/index.php?submissionGuid=093410a5-c228-4ddf-890c-861cdc6fe5d8
  • https://technicaldevelopment.rljaccommodationstrust.buzz/?WKg=2Ljv8
  • https://technicaldevelopment.industrialization.buzz/?o0B=RLNT
  • https://purchaseorder.vermeernigeria.buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7
  • https://purchaseorder.europeanfreightleaders.buzz/?Mt=zqoE&submissionGuid=476f32d0-e667-4a18-830b-f57a2b401fc3
  • https://orderspecification.tekfenconstruction.buzz/?6BI=AmaPH&submissionGuid=e2ce33ea-ee47-4829-882c-592217dea521
  • https://orderconfirmating.symmetric.buzz/?df=ZUvkMN&submissionGuid=e06a1f83-c24e-4106-b415-d2f43a06a048
  • https://espersonal.org/doc0024/index.php?submissionGuid=96a9b82a-55d3-402d-9af4-c2c5361daf5c
  • https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9
  • https://espersonal.org/doc0024/index.php?submissionGuid=6e59d483-9dc2-48f8-ad5a-c2d2ec8f4569
  • https://docs.doc2rprevn.buzz?username=
  • https://docs.doc2rprevn.buzz/?username=
  • https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf
  • https://9qe.daginvusc.com/miUxeH/
  • http://orderconfirmation.dgpropertyconsultants.buzz/
  • wr43wer3ee.cyptech.com.au
  • vomc.qeanonsop.xyz
  • technicaldevelopment.rljaccommodationstrust.buzz
  • technicaldevelopment.industrialization.buzz
  • purchaseorder.vermeernigeria.buzz
  • purchaseorder.europeanfreightleaders.buzz
  • orderspecification.tekfenconstruction.buzz
  • orderconfirmation.dgpropertyconsultants.buzz
  • orderconfirmating.symmetric.buzz
  • docusharepoint.fundament-advisory.buzz
  • asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz
  • docs.doc2rprevn.buzz
  • 9qe.daginvusc.com
  • vigaspino.com
  • espersonal.org
Download all indicators here!

Attack Patterns

  • TA0001
  • TA0003
  • TA0011
  • T1078.002
  • T1586

Additional Informations

  • Automotive
  • Chemical
  • Manufacturing
  • France
  • Germany
  • United Kingdom of Great Britain and Northern Ireland