The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service, indicating a sophisticated use of legitimate tools.
The threat actors aimed the phishing campaign at the victim's Microsoft Azure cloud infrastructure, using credential harvesting attacks on the phishing victim's endpoint computer.
Unit 42 said it identified no fewer than 17 working Free Forms used to redirect victims to different threat actor-controlled domains, showcasing extensive planning in this attack.
The phishing campaign was hosted across various services, including a bulletproof VPS host; the same infrastructure was used to access compromised Microsoft Azure tenants during the account takeover operation.