European companies hit with effective DocuSign-themed phishing emails
A threat actor looking to take over the Microsoft Azure cloud infrastructure of European companies has successfully compromised accounts of multiple victims in different firms, according to Palo Alto Networks’ Unit 42 researchers.
The phishing campaign
The attack started earlier this year, with phishing emails that were received by roughly 20,000 users in European (including German and UK) companies in the automotive, chemical and industrial compound manufacturing sectors. The campaign peaked in June 2024.
The emails were made to look like a DocuSign request to review and sign a document, and contained either an attached DocuSign-enabled PDF file or an embedded HTML link.
Both directed victims to malicious HubSpot Free Form Builder links and to the following form:
The Free Form pointing to the phishing OWA page (Source: PAN Unit 42)
The researchers identified at least 17 working Free Forms. Clicking on the “View Document On Microsoft Secured Cloud” button led potential victims to a spoofed Microsoft Outlook Web App (OWA) login page, on different threat actor-controlled domains, with URLs using the target victim organization’s name.
Any entered login credentials were harvested by the threat actor.
Account takeover attempts
“The wording in the Free Form window (…) indicates that the phishing campaign is also targeting Microsoft accounts. We verified that the phishing campaign did make several attempts to connect to the victim’s Microsoft Azure cloud infrastructure,” Unit 42 researchers noted.
By analyzing telemetry collected from victims, they discovered that the threat actor used the same hosting infrastructure for multiple targeted phishing operations, as well as for accessing compromised Microsoft Azure tenants during the account takeover operation.
“[This] suggests that the threat actor owned the hosted server instead of renting or subscribing to a shared ‘hosting’ service,” the researchers pointed out.
Armed with compromised credentials, the attacker occasionally used VPN proxies so that login attempts appeared to originate from the same country as the victim organization. During the account takeover they also added a new device to the victim’s account, in an attempt to gain persistent access, and initiated password resets.
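Because the attacker matched the victim’s country via VPN proxies, a geolocation-only rule would miss these logins. The following is an added detection example, not code from Unit 42 or the article: it flags a successful sign-in from an IP never before seen for that user, followed within a short window by the persistence steps described above (new device registration, password reset). The event shapes are simplified, constructed stand-ins for Microsoft Entra ID sign-in and audit records, and the user names, IPs and timestamps are invented.

```python
from datetime import datetime, timedelta

# Follow-up actions that, after an unfamiliar sign-in, suggest takeover.
# Action names are constructed labels, not exact Entra ID operation names.
PERSISTENCE_ACTIONS = {"Add registered device", "Reset user password"}
WINDOW = timedelta(hours=2)   # how long after the sign-in we look (assumption)

# Constructed sample data: a clean IP baseline, sign-ins and audit events.
BASELINE = {"alice@example-org.test": {"203.0.113.5"}}
SIGNINS = [
    {"ts": "2024-06-12T09:00:00", "user": "alice@example-org.test",
     "ip": "203.0.113.5", "country": "DE", "ok": True},      # known IP
    {"ts": "2024-06-12T10:15:00", "user": "alice@example-org.test",
     "ip": "198.51.100.23", "country": "DE", "ok": True},    # new IP, same country
    {"ts": "2024-06-12T11:00:00", "user": "bob@example-org.test",
     "ip": "192.0.2.44", "country": "DE", "ok": True},       # new IP, no follow-up
]
AUDITS = [
    {"ts": "2024-06-12T10:20:00", "user": "alice@example-org.test",
     "action": "Add registered device"},
    {"ts": "2024-06-12T10:41:00", "user": "alice@example-org.test",
     "action": "Reset user password"},
    {"ts": "2024-06-12T11:05:00", "user": "bob@example-org.test",
     "action": "Update user"},
]

def find_takeovers(signins, audits, baseline):
    """Return one finding per successful sign-in from an IP not in the
    user's baseline that is followed by a persistence action within WINDOW.
    Country is reported but deliberately not used as a filter."""
    audits_by_user = {}
    for a in audits:
        audits_by_user.setdefault(a["user"], []).append(a)
    findings = []
    for s in signins:
        if not s["ok"] or s["ip"] in baseline.get(s["user"], set()):
            continue                       # failed login or already-known IP
        t0 = datetime.fromisoformat(s["ts"])
        followups = sorted(
            a["action"] for a in audits_by_user.get(s["user"], [])
            if a["action"] in PERSISTENCE_ACTIONS
            and t0 <= datetime.fromisoformat(a["ts"]) <= t0 + WINDOW)
        if followups:
            findings.append({"user": s["user"], "ip": s["ip"],
                             "country": s["country"], "actions": followups})
    return findings

if __name__ == "__main__":
    for f in find_takeovers(SIGNINS, AUDITS, BASELINE):
        print(f"{f['user']} from {f['ip']} ({f['country']}): {f['actions']}")
```

On the sample data only alice’s 10:15 login is flagged: bob’s unfamiliar IP has no persistence action behind it, and alice’s earlier login came from a baseline IP.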