HubPhish Targets Microsoft Cloud with Phishing Scams

Cybersecurity researchers have uncovered a phishing campaign called HubPhish. This scheme aims to steal account credentials and take over Microsoft Azure cloud systems. The attack targeted over 20,000 individuals working in the automotive, chemical, and industrial manufacturing sectors across Europe.

The phishing attacks peaked in June 2024. Attackers sent emails mimicking Docusign, enticing users to click on malicious links. These links redirected victims through legitimate-looking forms to a fake Microsoft Office 365 login page, where any credentials entered went straight to the attackers.

Notably, the legitimate form-hosting service itself was not compromised. Instead, attackers abused its ordinary features to host the fraudulent forms. Researchers identified 17 active phishing links leading to attacker-controlled domains, many of them hosted on “.buzz” domains.

After obtaining credentials, attackers signed in to the victims' accounts and registered their own devices to them so that access would persist. They then expanded operations by moving laterally within the cloud infrastructure, targeting Microsoft Azure systems.

Moreover, the attackers enhanced their methods to avoid detection. They impersonated trusted services like SharePoint to deliver malware, including XLoader. Additionally, they exploited tools like Google Calendar and Google Drawings to bypass email security measures. For example, attackers embedded phishing links in meeting invites, fooling users and evading detection by email security systems.

Preventive Measures

Organizations can reduce phishing risks by implementing multi-factor authentication (MFA) for all accounts. Employee training on recognizing phishing attempts also helps prevent credential theft. Adjusting Google Calendar settings to accept invites only from known senders can block the calendar-invite variant of these attacks. Additionally, IT teams should keep email filters up to date and monitor cloud access logs to detect suspicious activity, such as a new device being registered shortly after a sign-in from an unfamiliar location.
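As an added example (not code from the article or from the researchers), the following script shows how the post-compromise pattern described above, a device registration following a sign-in from an IP address the user has never used before, can be flagged from access logs. The log records are constructed, and the field names (`ts`, `type`, `user`, `ip`, `result`, `activity`, `target`) are assumptions rather than any real product's export format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumptions,
# not a real log schema; map them to your own sign-in and audit exports.
SAMPLE_LOG = """
{"ts": "2024-06-10T08:02:11Z", "type": "signin", "user": "alice@example.test", "ip": "203.0.113.7", "result": "success"}
{"ts": "2024-06-10T08:09:40Z", "type": "audit", "user": "alice@example.test", "ip": "203.0.113.7", "activity": "Add registered device", "target": "DESKTOP-UNKNOWN"}
{"ts": "2024-06-10T09:15:00Z", "type": "signin", "user": "bob@example.test", "ip": "198.51.100.20", "result": "success"}
{"ts": "2024-06-12T10:00:00Z", "type": "audit", "user": "bob@example.test", "ip": "198.51.100.20", "activity": "Add registered device", "target": "BOB-LAPTOP"}
"""

# Constructed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {"alice@example.test": {"192.0.2.10"}, "bob@example.test": {"198.51.100.20"}}
WINDOW = timedelta(hours=1)

def parse(text):
    """One JSON record per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")

def flag_device_persistence(records, known_ips, window=WINDOW):
    """Return (user, device) pairs where a device was registered within `window`
    of a successful sign-in from an IP not in that user's known set."""
    last_unknown_signin = {}  # user -> time of latest success from an unknown IP
    flagged = []
    for rec in sorted(records, key=ts):
        user = rec["user"]
        if rec["type"] == "signin" and rec.get("result") == "success":
            if rec["ip"] not in known_ips.get(user, set()):
                last_unknown_signin[user] = ts(rec)
        elif rec["type"] == "audit" and rec.get("activity") == "Add registered device":
            t0 = last_unknown_signin.get(user)
            if t0 is not None and ts(rec) - t0 <= window:
                flagged.append((user, rec["target"]))
    return flagged

if __name__ == "__main__":
    # Alice's registration follows a sign-in from an unseen IP by 7 minutes;
    # Bob's follows a sign-in from a known IP, so only Alice is flagged.
    print(flag_device_persistence(parse(SAMPLE_LOG), KNOWN_IPS))
```

The one-hour window and the known-IP baseline are tuning knobs; in practice the baseline would be built from historical sign-ins rather than hard-coded.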