
Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

Recent campaign targeted 20,000 folk across UK and Europe with this tactic, Unit 42 warns


Unknown criminals went on a phishing expedition that targeted about 20,000 users across the automotive, chemical and industrial compound manufacturing sectors in Europe, and tried to steal account credentials and then hijack the victims' Microsoft Azure cloud infrastructure.

After taking over victims' accounts, the miscreants signed into new devices using stolen creds so they could maintain access to the cloud environment – and sensitive data therein.

Palo Alto Networks' Unit 42 researchers spotted the campaign, which peaked in June and remained active as of September.

While they can't attribute the attacks to a particular crew or individual, they did find both Ukrainian- and Russian-language websites linked to the attack infrastructure. "However, we cannot determine the nature or rationale for these links," Unit 42 senior threat researcher Nathaniel Quist told The Register.

The threat hunters can't put an exact number on compromised victims, as the team was "only able to collect a handful of data regarding the countries and organizations," he added. "We have strong confidence that the targets were primarily based within the UK and Europe."

Unit 42 has seen an increase in attacks targeting cloud infrastructure, and these typically point toward data theft being the crooks' primary goal. Stolen information and credentials can then be used to extort a ransom payment from the victim org, or simply be sold on cyber crime marketplaces.

"During the investigation we found that primary actions taken by the actors were to establish persistence within the cloud environment," Quist explained. "They also made several failed attempts to access cloud storage and create new users. These actions could have a long tail strategic goal – however, they were blocked before successfully completing their objectives."

The attackers sent phishing emails that included either a Docusign-enabled PDF file or an embedded HTML link, both directing victims to a HubSpot Free Form Builder page set up by the attackers. Because Docusign's purpose is gathering digital signatures on documents, the presence of such a file creates a feeling that urgent action is needed – classic social engineering bait that phishers love to employ.

Victims would land on the HubSpot Free Form Builder page, from which they were redirected to the attackers' credential harvesting pages, which mimic a Microsoft Outlook Web Access login page. These prompted victims to enter their Microsoft email address and password – the same credentials used for Azure – at which point the attackers captured them, gaining access to the victims' cloud environments.

"We verified that the phishing campaign did make several attempts to connect to the victims' Microsoft Azure cloud infrastructure," Unit 42 researchers Shachar Roitman, Ohad Benyamin Maimon and William Gamazo wrote in a report published Wednesday.

At least 17 working Free Forms were used to redirect victims, we're told, and the researchers list these URLs in the report's Indicators of Compromise section.

Most of the infrastructure behind this campaign had been taken offline by the time Unit 42 started tracking the attacks, but the researchers found two active implementations, which allowed them to collect phishing-page source code. The page used a Base64-encoded URL for harvesting credentials and then redirecting the victims to an Outlook Web Access login page.

The sample source code revealed that the phishing links led victims to websites whose URL imitated the target organization's name. The phishing websites presented to the victim used the organization's name followed by the top-level domain .buzz (e.g., http[:]//www.acmeinc[.]buzz).
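The two traits just described – a redirect target carried as a Base64-encoded URL, and a landing domain that is the victim organization's name under .buzz – are cheap to check for automatically, as is the HubSpot Free Form hop that precedes them. The script below is an added example written for this article, not Unit 42's code or anything from the report: the organization name and domain (`acmeinc`, mirroring the article's placeholder), the list of HubSpot form hosts, and every sample URL are assumptions constructed for illustration, not indicators from the campaign. It decodes any Base64-encoded URL found in a link, follows it one level down, and flags lookalike domains.

```python
"""Added example (not Unit 42's code): triage URLs from a suspected phish
for the traits described above. All sample URLs are constructed."""

import base64
import binascii
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Assumed: the organization's own name label and registered domain(s).
# "acmeinc" mirrors the article's placeholder, not a real target.
ORG_NAMES = {"acmeinc"}
ORG_DOMAINS = {"acmeinc.com"}

# Assumed: hosts that serve HubSpot forms; legitimate, but the campaign's first hop.
HUBSPOT_FORM_HOSTS = ("hsforms.com", "hubspot.com")


@dataclass
class Verdict:
    url: str
    flags: list = field(default_factory=list)
    decoded_redirects: list = field(default_factory=list)


def decode_b64_url(value):
    """Return the http(s) URL hidden in a Base64 value, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)          # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def is_org_lookalike(host):
    """True when our org's name appears in a host we do not own.
    Simplification: treats the last two labels as the registrable domain,
    so multi-part public suffixes (e.g. .co.uk) are not handled."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    registrable = ".".join(labels[-2:])
    return registrable not in ORG_DOMAINS and any(l in ORG_NAMES for l in labels)


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(url, depth=0):
    """Flag the campaign's traits in one URL, following Base64 redirects up to 3 deep."""
    v = Verdict(url=url)
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if _host_matches(host, HUBSPOT_FORM_HOSTS):
        v.flags.append("hubspot-form-hop")
    if host.endswith(".buzz"):
        v.flags.append("buzz-tld")
    if is_org_lookalike(host):
        v.flags.append("org-lookalike-domain")
    # A Base64 URL may sit in a query value, a path segment, or the fragment.
    candidates = [val for vals in parse_qs(p.query).values() for val in vals]
    candidates += [seg for seg in p.path.split("/") if seg]
    if p.fragment:
        candidates.append(p.fragment)
    for cand in candidates:
        target = decode_b64_url(cand)
        if target:
            v.flags.append("base64-redirect")
            v.decoded_redirects.append(target)
            if depth < 3:
                inner = triage(target, depth + 1)
                v.flags.extend("redirect->" + f for f in inner.flags)
    return v


# Constructed samples: HubSpot hop, lookalike landing page that carries the
# post-harvest redirect to the real OWA host in Base64, and a benign org URL.
OWA_REAL = "https://outlook.office365.com/owa/"
_ENC = base64.urlsafe_b64encode(OWA_REAL.encode()).decode().rstrip("=")
SAMPLE_URLS = [
    "https://share.hsforms.com/1AbCdEfGhIj",      # constructed form id
    "https://www.acmeinc.buzz/?u=" + _ENC,
    "https://acmeinc.com/login",
]


def sample_verdicts():
    return [triage(u) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for verdict in sample_verdicts():
        print(verdict.url, verdict.flags, verdict.decoded_redirects)
```

Run it against URLs extracted from a quarantined message; anything that collects `org-lookalike-domain` or `base64-redirect` is worth a human look, while a HubSpot hop on its own is only a weak signal, since the service is widely used legitimately.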

Some of the phishing infrastructure used providers that claim to provide resilient and secure anonymous hosting services. The attacker also used the same hosting infrastructure for multiple campaigns, and for accessing compromised Microsoft Azure tenants.

While Quist assured us that the attackers were blocked before they could complete their evil deeds, there is no shortage of other phishing lures being cast into email inboxes.

Earlier this week, Check Point researchers reported they had spotted a financially motivated phishing campaign that sent 4,000 emails to more than 300 organizations over four weeks. This one spoofed Google Calendar emails for financial scams.

Considering that these phishes only work if they can elicit an urgent or emotional response in the targeted victims – such as responding to an employer's event invite or Docusign file, reviewing a you're-fired notice, or weighing in on a return-to-work survey – it's always a good idea to think before you click. And always verify the sender's address and any URL contained in an email.

These crooks are always innovating, and while security products can help, the end user always plays a major role in preventing phishing attacks. ®
