https://unit42.paloaltonetworks.com/european-phishing-campaign/
EFFECTIVE PHISHING CAMPAIGN TARGETING EUROPEAN COMPANIES AND INSTITUTIONS

By: Shachar Roitman, Ohad Benyamin Maimon, William Gamazo
Published: December 18, 2024
Categories: Business Email Compromise, Threat Research
Tags: CRM, Docusign, EMEA, Germany, HubSpot, Malicious Domains, Manufacturing, Microsoft Azure, MITRE, Redirection, United Kingdom

EXECUTIVE SUMMARY

Unit 42 researchers recently investigated a phishing campaign targeting European companies, including in Germany and the UK. Our investigation revealed that the campaign aimed to harvest account credentials and take over the victims' Microsoft Azure cloud infrastructure. The campaign's phishing attempts peaked in June 2024, using fake forms created with the HubSpot Free Form Builder service. Our telemetry indicates the threat actor targeted roughly 20,000 users across various European companies. The campaign appears to have begun in June 2024 and was still active as of September 2024.

The campaign targeted European companies in the following industries:
* Automotive
* Chemical
* Industrial compound manufacturing

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:
* Advanced WildFire
* Advanced URL Filtering and Advanced DNS Security
* Cortex XDR and XSIAM
* Unit 42 Managed Services Team

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Related Unit 42 Topics: Phishing, Malicious Domains, Microsoft Azure

THE PHISHING OPERATION

In June 2024, Unit 42 researchers identified a phishing campaign targeting at least 20,000 users at European automotive, chemical and industrial compound manufacturing companies. The phishing emails contained either an attached PDF file styled as a Docusign document or an embedded HTML link; both directed victims to HubSpot Free Form Builder links. HubSpot is a cloud-based customer relationship management (CRM), marketing, sales and content management system (CMS) platform.

Working with HubSpot security teams, we determined that HubSpot was not compromised during this phishing campaign, nor were the Free Form Builder links delivered to target victims via HubSpot infrastructure. We reached out to Docusign, and they responded with: "The trust, security and privacy of our customers has always been at the core of Docusign's business. Since the time of this investigation, Docusign has implemented a number of additional actions to strengthen our proactive preventative measures, which — to date — have significantly decreased the number of signers receiving fraudulent Docusign signature requests."

Figure 1 shows a simplified diagram of the phishing operation. Attackers sometimes used two levels of redirection to reach their credential harvesting infrastructure.

Figure 1. Phishing operation flow.

Evidence showed that the threat actor aimed several phishing attempts at specific institutions. These attempts came complete with thematic dialogue specific to the organization's brand and email address formatting. Several malicious PDF attachments used the target organization's name in the file name (e.g., CompanyName.pdf). Figure 2 shows an example of a malicious PDF file mimicking a Docusign document.

Figure 2. Phishing lure theme.
Clicking "View Document" would redirect the victim to a Free Form with the following URL format: https://share-eu1.hsforms[.]com/FORM-ID. Figure 3 shows an example of a phishing attempt with embedded HTML.

Figure 3. Phishing embedded HTML.

Both the malicious PDF and the HTML example led victims to the Free Form window shown in Figure 4 if they clicked through.

Figure 4. HubSpot Free Form.

The wording in the Free Form window, "View Document on Microsoft Secured Cloud," indicates that the campaign also targeted Microsoft accounts. We verified that the campaign made several attempts to connect to victims' Microsoft Azure cloud infrastructure. Once the user clicked "View Document on Microsoft Secured Cloud," they were redirected to the threat actor's credential harvesting page, which prompted the victim to supply their Microsoft Azure login information.

We also found evidence that this campaign targeted users of other European organizations. Figure 5 is an example of a phishing website designed to target notaries in France.

Figure 5. Phishing targeting notary offices.

Although this phishing setup differs from the one described above, the attackers reused the same infrastructure, including the registered first-level domain, which we describe in more detail in a later section. A list of the Free Form URLs identified during this investigation is included in the Indicators of Compromise section of this article.

IDENTIFYING SUSPICIOUS PHISHING EMAILS

By analyzing the phishing emails, we found two indicators helpful for identifying similar attacks: a tone of urgency, and failed email authentication checks. Both are well-known phishing indicators, but because of their importance we summarize each below.
* Tone of urgency: phishing emails often create urgency with phrases like "immediate action required" to pressure quick responses.
* Failed authentication checks:
  * A "Fail" outcome for Sender Policy Framework (SPF) means the sending IP address is not authorized to send email on behalf of the domain, suggesting possible spoofing.
  * A "Fail" outcome for DomainKeys Identified Mail (DKIM) means the message's digital signature did not verify, implying the message could have been altered or forged.
  * A "Temporary error" for Domain-based Message Authentication, Reporting and Conformance (DMARC) means the receiver could not complete the DMARC evaluation, typically because the DNS lookup for the sender domain's DMARC record failed transiently, so no pass/fail verdict was reached.

Note: DMARC passes only when SPF or DKIM passes and the authenticated domain aligns with the visible From: domain; that alignment is what gives DMARC its value against spoofing and phishing. A message that fails both SPF and DKIM cannot pass DMARC regardless of the published policy.

The snippet below, taken from the original mail attributes, shows the suspicious indicators mentioned above:

    "Subject": "Completion Required XXXXXXXXX ",
    "AuthDetails": [
        { "Name": "SPF", "Value": "Fail" },
        { "Name": "DKIM", "Value": "Fail" },
        { "Name": "DMARC", "Value": "Temporary error" }
    ],

Initial Access and Evasion Techniques

Adding their own device to the victim's authentication methods allowed the threat actor to make their logins appear to come from a trusted device. By using VPN proxies, the threat actor's login attempts originated from the same country as the victim organization. However, Figure 6 shows that there were also instances of login attempts from previously blocked regions.

Figure 6. Impossible traveler - SSO alert information.

Figure 7 provides an example of an alerting event in Cortex. These alerts identify login events from uncommon or suspicious sources.

Figure 7. Impossible traveler - SSO alert details.

We also identified the use of an Autonomous System Number (ASN) that had not been seen in prior user activity, which added another layer of suspicion. Figure 8 shows another example of an alerting event that can notify security teams of malicious login attempts.

Figure 8. First SSO access from ASN in organization alert details.

Finally, the threat actor employed unusual user-agent strings during their connection attempts to victim systems. An example of this custom user-agent string from the phishing campaign is:

    Client=OWA;Action=ViaProxy

THE PHISHING REDIRECTION

During the investigation, we identified at least 17 working Free Forms used to redirect victims to different threat actor-controlled domains. The majority of the identified domains were registered under the .buzz top-level domain. Each of the identified Free Forms led to a similar Microsoft Outlook Web App landing page design and redirection pattern, shown in Figure 9.

Figure 9. Malicious Microsoft Outlook Web App landing page.

At the time of our investigation, the majority of the servers hosting phishing content used by the threat actor were offline. However, two of these servers were still active, allowing us to collect the phishing page source code. Both captured samples had the same structure: the phishing code used a Base64-encoded URL for credential harvesting and then redirected victims to a Microsoft Outlook Web Access (OWA) login page. Figure 10 shows a screenshot of the source code from the phishing page.

Figure 10. Microsoft OWA login page source code.

The sample source code revealed that the phishing links led victims to websites whose URL imitated the target organization's name.
The phishing websites presented to the victim used the organization's name followed by the .buzz top-level domain (e.g., http[:]//www.acmeinc[.]buzz), with paths such as:
* hxxps://<victim>.buzz/doc0024/index.php
* hxxps://<victim>.buzz/2doc5/index.php

THE PHISHING INFRASTRUCTURE

The phishing campaign was hosted across various services, including bulletproof VPS hosts. Bulletproof hosting is known for providing a high degree of anonymity, lax enforcement of legal regulations and resistance to takedown, and it is often associated with malicious operations, including phishing.

One of the more interesting findings was the infrastructure clusters we analyzed from the compromised and targeted users we identified. By analyzing telemetry collected from the victims, we found that the threat actor used the same hosting infrastructure for multiple targeted phishing operations. They also used this infrastructure to access compromised Microsoft Azure tenants during the account takeover operation. Figure 11 shows an example of such a cluster. The top line of the diagram, the user layer, is indicated with the number 1. The victims are anonymized so as not to identify the targeted and compromised users.

Figure 11. Threat actor's infrastructure analysis diagram.

According to our telemetry, User A was compromised, resulting in their Microsoft Azure tenant credentials also being exposed. Connections labeled "access" and indicated with the number 2 revealed that the threat actor used the same phishing hosting infrastructure for network connections into the compromised user's environment. Using the same infrastructure both to host the phishing pages and to connect directly to victim environments suggests that the threat actor operated the server itself rather than renting or subscribing to a shared hosting service.
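The indicators listed under Identifying Suspicious Phishing Emails and the redirection stages described under The Phishing Redirection, combined into one mail-triage routine. This is an added example and not Unit 42's or HubSpot's code: the Authentication-Results header is parsed per RFC 8601, the sample message, hostnames and the FORM-ID placeholder are constructed, and the stage classification (HubSpot form link, submissionGuid redirect, username= credential page, .buzz domain) is an assumption derived from the URL patterns in the Indicators of Compromise section.

```python
"""Triage of a phishing email using the indicators described in this article.

Added example, not Unit 42 code. The Authentication-Results header is parsed
per RFC 8601; the sample message and all hostnames below are constructed for
the demo (FORM-ID stands in for a real HubSpot form identifier)."""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

URGENCY_PHRASES = ("immediate action required", "action required",
                   "completion required", "urgent", "final notice")
FREE_FORM_HOST = "share-eu1.hsforms.com"   # HubSpot Free Form Builder (EU region)
SUSPICIOUS_TLDS = (".buzz",)               # TLD used for most campaign domains


def parse_auth_results(header: str) -> dict:
    """Return {method: result} from an RFC 8601 Authentication-Results header.

    'mx.example; spf=fail smtp.mailfrom=a; dkim=fail header.d=a; dmarc=temperror'
    -> {'spf': 'fail', 'dkim': 'fail', 'dmarc': 'temperror'}"""
    results = {}
    for part in header.split(";")[1:]:          # part 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def classify_link(url: str) -> str:
    """Map a URL onto the redirection stages the campaign used (assumed from the IOCs)."""
    p = urlparse(url)
    host = p.netloc.lower()
    query = parse_qs(p.query, keep_blank_values=True)   # a bare '?username=' must count
    if host == FREE_FORM_HOST:
        return "hubspot_free_form"          # stage 0: the lure link itself
    if "submissionGuid" in query:
        return "level1_redirect"            # HubSpot appends this on form submission
    if "username" in query:
        return "level2_credential_page"     # victim's login pre-filled for the fake OWA page
    if host.endswith(SUSPICIOUS_TLDS):
        return "suspicious_tld"
    return "other"


def triage(raw_message: str) -> dict:
    """Combine the three signals: authentication failures, urgency, link stages."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    links = re.findall(r'https?://[^\s"<>]+', body)

    # "none" means no record published, which is weak but not a failed check.
    reasons = [f"{m}_{auth[m]}" for m in ("spf", "dkim", "dmarc")
               if auth.get(m) not in (None, "pass", "none")]
    if any(phrase in text for phrase in URGENCY_PHRASES):
        reasons.append("urgency")
    stages = {classify_link(u) for u in links} - {"other"}
    reasons.extend(sorted(stages))

    auth_failed = any(r.startswith(("spf_", "dkim_", "dmarc_")) for r in reasons)
    lure = "urgency" in reasons or bool(stages)
    return {"auth": auth, "links": links, "reasons": reasons,
            "verdict": "suspicious" if auth_failed and lure else "clean"}


# Constructed sample reproducing the indicators shown in the article's snippet.
SAMPLE = """\
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=docs@sender.invalid; dkim=fail header.d=sender.invalid; dmarc=temperror header.from=sender.invalid
From: "Docusign" <docs@sender.invalid>
To: finance@victim.example
Subject: Completion Required XXXXXXXXX
Content-Type: text/html

<p>Immediate action required: please review the document.</p>
<a href="https://share-eu1.hsforms.com/FORM-ID">View Document</a>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The verdict deliberately requires both an authentication problem and a lure signal: a legitimate HubSpot newsletter will carry an hsforms link but pass SPF and DKIM, while a spoofed internal memo may fail authentication without any link. Feed it the raw RFC 5322 message as received at the gateway, since the Authentication-Results header must come from your own receiving MTA to be trustworthy.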
The website forklog[.]com, indicated by the number 3 in the diagram, is an online publication presented in both Russian and Ukrainian. Its content focuses on cryptocurrencies and blockchain technologies. The threat actor accessed this domain from within one of the victim environments, which points to a potential means of future victim targeting or income generation.

We also found that the compromised company associated with User A had a publicly exposed control panel for a web hosting platform used to run and automate cloud-based applications. The threat actor consistently scanned this control panel from the same phishing infrastructure that hosted the campaign's redirection hosts. We did not identify any successful attempts to access the control panel.

PERSISTENCE

During the account takeover, the threat actor registered a new device as an authentication method on the victim's account. This allowed persistent access to the account even as security teams worked to lock them out. Figure 12 displays an alert for suspicious resource creation within the Microsoft Azure tenant.

Figure 12. Suspicious method addition to Azure account alert details.

When IT regained control of the account, the attacker immediately initiated a password reset, attempting to regain control. This created a tug-of-war in which both parties struggled for control of the account, and it triggered several additional alerts within the organization, shown in Figure 13.

Figure 13. Azure Active Directory account unlock/successful password reset alert details.

CONCLUSION

In this article, we reviewed a phishing campaign that targeted European companies, including German and UK automakers and chemical manufacturing organizations. The threat actor used credential harvesting attacks on victims' endpoints to gain access to the victims' Microsoft Azure cloud infrastructure.
They then followed this activity with lateral movement into the cloud. The campaign's phishing operation, which leveraged the HubSpot Free Form Builder service, peaked in June 2024. We believe the threat actor successfully compromised multiple victims in different companies across the targeted countries.

Unit 42 researchers have an open dialogue with HubSpot regarding the phishing operations leveraging their services and have worked with them to develop notifications and mitigation strategies. We have also worked with the compromised organizations to ensure they have the resources they need to recover from the phishing operation.

Detection and Mitigations

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:
* Advanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as malicious.
* Advanced URL Filtering and Advanced DNS Security identify domains associated with this group as malicious.
* Cortex XDR and XSIAM detect user and credential-based threats by analyzing user activity from multiple data sources, including endpoints, network firewalls, Active Directory, identity and access management solutions, and cloud workloads. Cortex builds behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex detects anomalous activity indicative of credential-based attacks.
* Unit 42 Managed Detection and Response Service delivers continuous 24/7 threat detection, investigation and response/remediation to customers of all sizes globally.
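The alert types this article relies on (impossible traveler, first SSO access from an ASN or country in the organization, SSO with an abnormal user agent) written as plain rules over sign-in events, to show what the behavioral comparison above amounts to at its simplest. This is an added example and not Cortex XDR code or its analytics: the learning-period baseline is one straightforward way to get the "first seen in organization" semantics, and the users, timestamps, coordinates and ASNs (taken from the RFC 5398 documentation range) are constructed.

```python
"""Sign-in anomaly rules mirroring the alerts described in the article:
impossible traveler, first SSO access from an ASN / country in the
organization, and SSO with an abnormal user agent.

Added example, not Cortex code. Events, ASNs (documentation range
AS64496-AS64511) and coordinates are constructed for the demo."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner counts as "impossible"


@dataclass
class SignIn:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float
    asn: int
    user_agent: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(history):
    """Organization-wide profile of what was seen during the learning period."""
    return {"asns": {e.asn for e in history},
            "countries": {e.country for e in history},
            "user_agents": {e.user_agent for e in history}}


def detect(history, new_events):
    """Evaluate new sign-ins against the baseline; returns (user, alert, detail) tuples."""
    baseline = build_baseline(history)
    last_seen = {}                                   # latest sign-in per user
    for e in sorted(history, key=lambda e: e.ts):
        last_seen[e.user] = e
    alerts = []
    for e in sorted(new_events, key=lambda e: e.ts):
        if e.asn not in baseline["asns"]:            # VPN exit in the right country, wrong network
            alerts.append((e.user, "first_sso_access_from_asn_in_organization", e.asn))
            baseline["asns"].add(e.asn)              # fire once per newly seen ASN
        if e.country not in baseline["countries"]:
            alerts.append((e.user, "first_connection_from_country_in_organization", e.country))
            baseline["countries"].add(e.country)
        if e.user_agent not in baseline["user_agents"]:
            alerts.append((e.user, "sso_with_abnormal_user_agent", e.user_agent))
        prev = last_seen.get(e.user)
        if prev is not None and prev.country != e.country:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append((e.user, "impossible_traveler_sso", round(km)))
        last_seen[e.user] = e
    return alerts


def ts_utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0 Safari/537.36"
BERLIN, LAGOS = (52.52, 13.405), (6.5244, 3.3792)

# Constructed learning period: both users sign in from Berlin on the corporate ASN.
HISTORY = [
    SignIn("alice@victim.example", ts_utc("2024-06-10T07:55:00"), "DE", *BERLIN, 64496, BROWSER),
    SignIn("bob@victim.example",   ts_utc("2024-06-10T08:05:00"), "DE", *BERLIN, 64496, BROWSER),
    SignIn("alice@victim.example", ts_utc("2024-06-11T08:01:00"), "DE", *BERLIN, 64496, BROWSER),
]

# Constructed attack day. Alice's stolen session is used from Lagos with the campaign's
# custom user agent; Bob's attacker hides behind a German VPN exit but on a new ASN.
NEW_EVENTS = [
    SignIn("alice@victim.example", ts_utc("2024-06-12T08:00:00"), "DE", *BERLIN, 64496, BROWSER),
    SignIn("alice@victim.example", ts_utc("2024-06-12T08:40:00"), "NG", *LAGOS, 64500,
           "Client=OWA;Action=ViaProxy"),
    SignIn("bob@victim.example",   ts_utc("2024-06-12T09:10:00"), "DE", *BERLIN, 64501, BROWSER),
]

if __name__ == "__main__":
    for alert in detect(HISTORY, NEW_EVENTS):
        print(alert)
```

Bob's case is the one the article's VPN-proxy observation makes important: geolocation alone says nothing, because the country matches, yet the ASN rule still fires. Production systems replace the exact-match baseline with per-user and peer-group frequencies and a decay window, but the four comparisons are the same.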
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.

APPENDIX

MITRE TECHNIQUES

Alert Name | Alert Source | ATT&CK Technique
First SSO access from ASN in organization | XDR Analytics BIOC, Identity Analytics | Valid Accounts: Domain Accounts (T1078.002)
First connection from a country in organization | XDR Analytics BIOC, Identity Analytics | Compromise Accounts (T1586)
Impossible traveler - SSO | XDR Analytics, Identity Analytics | Compromise Accounts (T1586)
Suspicious authentication method addition to Azure account | XDR Analytics, Identity Analytics | Persistence (TA0003)
Azure AD account unlock/password reset attempt | XDR Analytics BIOC, Identity Analytics | Persistence (TA0003)
SSO with abnormal user agent | XDR Analytics BIOC, Identity Analytics | Initial Access (TA0001)
Abnormal Communication to a Rare Domain | XDR Analytics BIOC, Network Analytics | Command and Control (TA0011)

INDICATORS OF COMPROMISE

HUBSPOT FREE FORM URL LINKS
* hxxps://share-eu1.hsforms[.]com/1P_6IFHnbRriC_DG56YzVhw2dz72l
* hxxps://share-eu1.hsforms[.]com/1UgPJ18suRU-NEpmYkEwteg2ec0io
* hxxps://share-eu1.hsforms[.]com/12-j0Y4sfQh-4pEV6VKVOeg2dzmbq
* hxxps://share-eu1.hsforms[.]com/1cJJXJ0NfTPOKwn23oAmmzQ2e901x
* hxxps://share-eu1.hsforms[.]com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5
* hxxps://share-eu1.hsforms[.]com/1G-NQN9DbSVmDy1HDeovJCQ2ebgc6
* hxxps://share-eu1.hsforms[.]com/1AEc2-gS4TuyQyAiMQfB5Qw2e5xq0
* hxxp://share-eu1.hsforms[.]com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5
* hxxps://share-eu1.hsforms[.]com/1zP2KsosARaGzLqdj2Umk6Q2ekgty
* hxxps://share-eu1.hsforms[.]com/1fnJ8gX6kR_aa5HlRyJhuGw2ec8i2
* hxxps://share-eu1.hsforms[.]com/1QPAfZcocSuu3AnqznjU14A2eabj0
* hxxps://share-eu1.hsforms[.]com/176T8k3N9Q562OEEfhS22Fg2ebzvj
* hxxps://share-eu1.hsforms[.]com/18wO3Zb9hTIuittmhHvQFuQ2ec8gt
* hxxps://share-eu1.hsforms[.]com/1vNr8tB1GS4mZuYg81ji3dg2e08a3
* hxxps://share-eu1.hsforms[.]com/1qe8ypRpdTr284rkNpgmoow2ebzty
* hxxps://share-eu1.hsforms[.]com/1C1IZ0_b-SD6YXS66alL4EA2e90m9

PHISHING INFRASTRUCTURE URLS - LEVEL 1
* hxxps://technicaldevelopment.industrialization[.]buzz/?o0B=RLNT
* hxxps://vigaspino[.]com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85
* hxxps://technicaldevelopment.rljaccommodationstrust[.]buzz/?WKg=2Ljv8
* hxxps://purchaseorder.vermeernigeria[.]buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7
* hxxps://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels[.]buzz/?Nhv3zM=xI7Kyf
* hxxps://purchaseorder.europeanfreightleaders[.]buzz/?Mt=zqoE&submissionGuid=476f32d0-e667-4a18-830b-f57a2b401fc3
* hxxps://orderspecification.tekfenconstruction[.]buzz/?6BI=AmaPH&submissionGuid=e2ce33ea-ee47-4829-882c-592217dea521
* hxxps://d2715zbmeirdja.cloudfront[.]net/?__hstc=251652889.fcaff35c15872a69c6757196acd79173.1727206111338.1727206111338.1727206111338.1&__hssc=251652889.158.1727206111338&__hsfp=1134454612&submissionGuid=30359eaf-a821-472d-ba17-dd2bd0d96b96
* hxxps://docusharepoint.fundament-advisory[.]buzz/?3aGw=Nl9
* hxxps://wr43wer3ee.cyptech[.]com[.]au/oeeo4/ewi9ew/mnph_term=?/&submissionGuid=50aa078a-fb48-4fec-86df-29f40a680602
* hxxp://orderconfirmation.dgpropertyconsultants[.]buzz/
* hxxps://espersonal[.]org/doc0024/index.php?submissionGuid=6e59d483-9dc2-48f8-ad5a-c2d2ec8f4569
* hxxps://vigaspino[.]com/2doc5/index.php?submissionGuid=093410a5-c228-4ddf-890c-861cdc6fe5d8
* hxxps://espersonal[.]org/doc0024/index.php?submissionGuid=96a9b82a-55d3-402d-9af4-c2c5361daf5c
* hxxps://orderconfirmating.symmetric[.]buzz/?df=ZUvkMN&submissionGuid=e06a1f83-c24e-4106-b415-d2f43a06a048

PHISHING INFRASTRUCTURE URLS - LEVEL 2
* hxxps://docs.doc2rprevn[.]buzz?username=
* hxxps://docusharepoint.fundament-advisory[.]buzz/?3aGw=Nl9
* hxxps://9qe.daginvusc[.]com/miUxeH/
* hxxps://docs.doc2rprevn[.]buzz/?username=
* hxxps://vomc.qeanonsop[.]xyz/?hh5=IY&username=ian@deloitte.es
* hxxps://sensational-valkyrie-686c5f.netlify[.]app/?e=

IP ADDRESSES
* 167.114.27[.]228
* 144.217.158[.]133
* 208.115.208[.]118
* 13.40.68[.]32
* 18.67.38[.]155
* 91.92.245[.]39
* 91.92.244[.]131
* 91.92.253[.]66
* 94.156.71[.]208
* 91.92.242[.]68
* 188.166.3[.]116
* 104.21.25[.]8
* 172.67.221[.]137
* 49.12.110[.]250
* 74.119.239[.]234
* 208.91.198[.]96
* 94.46.246[.]46

PDFS
* (Zoomtan.pdf) b2ca9c6859598255cd92700de1c217a595adb93093a43995c8bb7af94974f067
* (Belzona.pdf) f3f0bf362f7313d87fcfefcd6a80ab0f18bc6c5517d047be186f7b81a979ff91
* (Pcc.pdf) deff0a6fbf88428ddef2ee3c4d857697d341c35110e4c1208717d9cce1897a21

XDR QUERIES
Cortex XDR queries to detect the presence of the operations explained within the article can be found on our GitHub.

POINTS TO CONSIDER DURING REMEDIATION
* Microsoft Entra ID consideration: ensure that any compromised user's Microsoft Entra ID account is disabled until ongoing investigation and eradication operations are completed.
* Revoke users' sessions: when marking a user as compromised in Microsoft Entra ID and using the "revoke sessions" function, be aware that this action does not terminate active sessions. Revoking sessions only invalidates the user's refresh tokens (including the Primary Refresh Token) and session cookies; access tokens that have already been issued remain valid until they expire, typically within 60-90 minutes, so the threat actor keeps access for that window.
* While you should still mark the user as compromised and revoke sessions to prevent new access tokens from being issued, consider implementing Continuous Access Evaluation, which lets CAE-capable services (such as Exchange Online and SharePoint Online) enforce revocation events in near real time rather than waiting for token expiry.
* Disable "Self-Service Tenant Creation": this feature enables internal users to create a new tenant, which threat actors may exploit to exfiltrate data.
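The containment steps from the remediation list above expressed as Microsoft Graph calls, with the remaining lifetime of an already-issued access token computed from the token itself. This is an added example and not Unit 42 or Microsoft code: the three routes are the documented Graph v1.0 endpoints, but `send` is an injectable transport, `fake_graph` and the demo token are constructed so the sequence runs offline, and a real deployment would pass a function wrapping an HTTP client with a bearer token carrying User.ReadWrite.All (or User.EnableDisableAccount.All plus User.RevokeSessions.All) and Policy.ReadWrite.Authorization.

```python
"""Containment of a compromised Entra ID account via Microsoft Graph.

Added example, not Unit 42 or Microsoft code. Endpoints are the documented
Graph v1.0 routes; `send(method, url, json_body) -> (status, body)` is an
injectable transport, and `fake_graph` / `make_demo_token` are constructed
stand-ins so the sequence can be exercised offline."""
import base64
import json
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_plan(user_id: str) -> list:
    """Ordered (method, url, json_body) calls for one compromised account."""
    return [
        # 1. Block new sign-ins for the duration of the investigation.
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        # 2. Invalidate refresh tokens (incl. the PRT) and session cookies. Access
        #    tokens already issued stay valid until 'exp', hence step 1 and the
        #    window reported by token_remaining_seconds().
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
        # 3. Tenant-wide: stop users (and an attacker holding a user token) from
        #    creating a fresh tenant to move data into.
        ("PATCH", f"{GRAPH}/policies/authorizationPolicy",
         {"defaultUserRolePermissions": {"allowedToCreateTenants": False}}),
    ]


def run_plan(plan, send):
    """Execute the plan in order and stop at the first failed call."""
    done = []
    for method, url, body in plan:
        status, _ = send(method, url, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} failed with HTTP {status}")
        done.append((method, url, status))
    return done


def token_remaining_seconds(access_token: str, now: datetime) -> int:
    """Seconds an already-issued access token stays usable after revocation.

    Reads the JWT 'exp' claim without verifying the signature: this is triage
    arithmetic on a token you already hold, not token validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return max(0, int(claims["exp"]) - int(now.timestamp()))


def make_demo_token(exp: datetime) -> str:
    """Constructed, unsigned JWT carrying only an 'exp' claim (demo input)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'exp': int(exp.timestamp())})}."


def fake_graph(calls):
    """Recording transport standing in for Microsoft Graph (constructed)."""
    def send(method, url, body):
        calls.append((method, url, body))
        if url.endswith("/revokeSignInSessions"):
            return 200, {"value": True}         # shape of the real response
        return 204, None                         # PATCH on users / policies returns 204
    return send


if __name__ == "__main__":
    calls = []
    now = datetime.now(timezone.utc)
    print(run_plan(containment_plan("alice@victim.example"), fake_graph(calls)))
    token = make_demo_token(now + timedelta(minutes=75))
    print("attacker's current access token still valid for",
          token_remaining_seconds(token, now) // 60, "minutes")
```

Step 3 changes a tenant-wide policy and affects every user, so it belongs in the incident playbook rather than being re-run per account. Continuous Access Evaluation shortens the window that token_remaining_seconds() reports for CAE-capable services, but any resource that does not support CAE honours the token until its exp claim.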