Thousands of users in Europe getting malicious emails with DocuSign-enabled PDFs


At least 20,000 users across various European companies have received phishing emails containing attached DocuSign-enabled PDF files or links to fake online forms. The hackers are after Microsoft accounts.

Palo Alto Networks’ cyber threats intelligence team Unit 42 is warning that a threat actor successfully compromised multiple victims in different companies.

The attackers are mostly targeting European companies, including German and UK automakers and chemical and industrial compound manufacturing organizations.


Cybernews previously reported that hackers were using DocuSign phishing links that appeared highly authentic and bypassed security solutions.

A new investigation by Unit 42 reveals that threat actors abuse legitimate services to chain redirections until the victim reaches the final credential harvesting infrastructure.

The current malicious campaign aims to harvest Microsoft account credentials to take over Azure cloud infrastructure. It appears to have begun and peaked in June and was still active as of September.

It begins with a phishing email, complete with “thematic dialogue specific to that organization’s brand and email address formatting.” Two things usually help identify the scam: a tone of urgency, created with phrases like “immediate action required,” and failed spam and authentication checks.

The phishing emails contained either an attached Docusign-enabled PDF file or an embedded HTML link.

[Image: fake email]

Those redirected victims to malicious forms made with the HubSpot Free Form Builder. Attackers abuse legitimate services to appear legitimate. HubSpot is a popular cloud-based platform for marketing, sales, customer relationship management, and other business functions. DocuSign offers e-signature and document services.
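The signals described above (failed authentication checks, urgency wording, a PDF attachment or a link into a form builder) can be checked mechanically at the mail gateway. The following triage script is an added example, not code from Unit 42 or Cybernews; the sample email is constructed, and the HubSpot form hostnames it looks for are an assumption.

```python
import email
import re
from email import policy

# Phrases the report cites as creating a false sense of urgency.
URGENCY_PHRASES = ("immediate action required", "action required", "urgent")
# Assumed hostnames of HubSpot's form-sharing service (first hop of the redirect chain).
SUSPECT_FORM_HOSTS = ("hsforms.com", "hubspot.com")

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside an Authentication-Results header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)")

def auth_failures(msg):
    """Return the set of sender-authentication mechanisms that did not pass."""
    failed = set()
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(header):
            if result.lower() != "pass":
                failed.add(mech.lower())
    return failed

def score_message(raw):
    """Return a list of findings; an empty list means none of the lure traits matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    failed = auth_failures(msg)
    if failed:
        findings.append("auth_fail:" + ",".join(sorted(failed)))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body else ""
    subject = (msg["Subject"] or "").lower()
    if any(p in subject or p in text for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    for host in URL_HOST_RE.findall(text):
        if any(host == h or host.endswith("." + h) for h in SUSPECT_FORM_HOSTS):
            findings.append("form_builder_link:" + host)
            break
    for part in msg.iter_attachments():  # yields nothing for a non-multipart message
        if part.get_content_type() == "application/pdf":
            findings.append("pdf_attachment:" + (part.get_filename() or "unnamed"))
    return findings

# Constructed sample lure in the style described in the report.
SAMPLE_EMAIL = """\
From: "Contoso Documents" <docs@example.com>
To: alice@example.org
Subject: Immediate action required: document pending
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/html; charset="utf-8"

<p>A confidential document awaits your review.</p>
<a href="https://share.hsforms.com/abc123">View Document On Microsoft Secured Cloud</a>
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL))
```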

The fake form only contained one question: is the user authorized to view a sensitive company document? The text on the button reads “View Document On Microsoft Secured Cloud.”

[Image: fake form (source: Unit 42)]

Researchers identified at least 17 different working Free Forms used to redirect victims to a different domain. They determined that HubSpot was not compromised during this phishing campaign.

After a few redirects between fake content on legitimate services, the victims usually end up on the threat actor’s credential harvesting page, which appears as a legitimate login form for Microsoft Azure.

“We verified that the phishing campaign did make several attempts to connect to the victim’s Microsoft Azure cloud infrastructure,” Unit 42 said in the report.

Hackers hide their tracks by making login attempts that appear to come from a trusted device. They use VPN proxies in the same country as the victim’s organization. The phishing campaign was hosted across various services, including bulletproof VPS hosts. The same infrastructure was used for both phishing and accessing compromised Microsoft Azure accounts.

“During the account takeover, the threat actor added a new device to the victim’s account. This allowed persistent access to the account, even as security efforts were made to lock them out,” the researchers warn.

Apparently, as soon as IT regains control of the account, the attacker immediately initiates a password reset and attempts to regain control.

“This created a tug-of-war scenario in which both parties struggled for control over the account.”

DocuSign told Unit 42 that the company has implemented a number of additional actions to strengthen its proactive preventative measures. These have significantly decreased the number of signers receiving fraudulent Docusign signature requests.
