Effective Phishing Campaign Targeting European Companies and Institutions

    Date: 12/19/2024

    Severity: Critical

    Summary

    The "Effective Phishing Campaign Targeting European Companies and Institutions" report details a phishing campaign aimed at harvesting credentials and compromising Microsoft Azure cloud infrastructure. Investigated by Unit 42, the campaign targeted European companies, particularly in Germany and the UK, peaking in June 2024. Fake forms created with HubSpot Free Form Builder were used to deceive victims. Around 20,000 users from industries such as automotive, chemical, and industrial manufacturing were affected. The campaign began in June 2024 and remained active until at least September 2024.

    Indicators of Compromise (IOC) List

    URL/Domain

    IP Address

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5" or url like "https://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5" or userdomainname like "https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf" or url like "https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf" or userdomainname like "https://espersonal.org/doc0024/index.php?submissionGuid=6e59d483-9dc2-48f8-ad5a-c2d2ec8f4569" or url like "https://espersonal.org/doc0024/index.php?submissionGuid=6e59d483-9dc2-48f8-ad5a-c2d2ec8f4569" or userdomainname like "https://d2715zbmeirdja.cloudfront.net/?__hstc=251652889.fcaff35c15872a69c6757196acd79173.1727206111338.1727206111338.1727206111338.1&__hssc=251652889.158.1727206111338&__hsfp=1134454612&submissionGuid=30359eaf-a821-472d-ba17-dd2bd0d96b96" or url like "https://d2715zbmeirdja.cloudfront.net/?__hstc=251652889.fcaff35c15872a69c6757196acd79173.1727206111338.1727206111338.1727206111338.1&__hssc=251652889.158.1727206111338&__hsfp=1134454612&submissionGuid=30359eaf-a821-472d-ba17-dd2bd0d96b96" or userdomainname like "https://share-eu1.hsforms.com/12-j0Y4sfQh-4pEV6VKVOeg2dzmbq" or url like "https://share-eu1.hsforms.com/12-j0Y4sfQh-4pEV6VKVOeg2dzmbq" or userdomainname like "https://share-eu1.hsforms.com/1G-NQN9DbSVmDy1HDeovJCQ2ebgc6" or url like "https://share-eu1.hsforms.com/1G-NQN9DbSVmDy1HDeovJCQ2ebgc6" or userdomainname like "http://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5" or url like "http://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5" or userdomainname like "https://share-eu1.hsforms.com/1QPAfZcocSuu3AnqznjU14A2eabj0" or url like "https://share-eu1.hsforms.com/1QPAfZcocSuu3AnqznjU14A2eabj0" or userdomainname like "https://orderspecification.tekfenconstruction.buzz/?6BI=AmaPH&submissionGuid=e2ce33ea-ee47-4829-882c-592217dea521" or url like "https://orderspecification.tekfenconstruction.buzz/?6BI=AmaPH&submissionGuid=e2ce33ea-ee47-4829-882c-592217dea521" or userdomainname like 
"http://orderconfirmation.dgpropertyconsultants.buzz/" or url like "http://orderconfirmation.dgpropertyconsultants.buzz/" or userdomainname like "https://docs.doc2rprevn.buzz/?username=" or url like "https://docs.doc2rprevn.buzz/?username=" or userdomainname like "https://share-eu1.hsforms.com/1cJJXJ0NfTPOKwn23oAmmzQ2e901x" or url like "https://share-eu1.hsforms.com/1cJJXJ0NfTPOKwn23oAmmzQ2e901x" or userdomainname like "https://technicaldevelopment.industrialization.buzz/?o0B=RLNT" or url like "https://technicaldevelopment.industrialization.buzz/?o0B=RLNT" or userdomainname like "https://share-eu1.hsforms.com/1P_6IFHnbRriC_DG56YzVhw2dz72l" or url like "https://share-eu1.hsforms.com/1P_6IFHnbRriC_DG56YzVhw2dz72l" or userdomainname like "https://technicaldevelopment.rljaccommodationstrust.buzz/?WKg=2Ljv8" or url like "https://technicaldevelopment.rljaccommodationstrust.buzz/?WKg=2Ljv8" or userdomainname like "https://share-eu1.hsforms.com/1UgPJ18suRU-NEpmYkEwteg2ec0io" or url like "https://share-eu1.hsforms.com/1UgPJ18suRU-NEpmYkEwteg2ec0io" or userdomainname like "https://share-eu1.hsforms.com/1AEc2-gS4TuyQyAiMQfB5Qw2e5xq0" or url like "https://share-eu1.hsforms.com/1AEc2-gS4TuyQyAiMQfB5Qw2e5xq0"

    Detection Query 2

    userdomainname like "https://share-eu1.hsforms.com/1zP2KsosARaGzLqdj2Umk6Q2ekgty" or url like "https://share-eu1.hsforms.com/1zP2KsosARaGzLqdj2Umk6Q2ekgty" or userdomainname like "https://share-eu1.hsforms.com/1fnJ8gX6kR_aa5HlRyJhuGw2ec8i2" or url like "https://share-eu1.hsforms.com/1fnJ8gX6kR_aa5HlRyJhuGw2ec8i2" or userdomainname like "https://share-eu1.hsforms.com/176T8k3N9Q562OEEfhS22Fg2ebzvj" or url like "https://share-eu1.hsforms.com/176T8k3N9Q562OEEfhS22Fg2ebzvj" or userdomainname like "https://share-eu1.hsforms.com/18wO3Zb9hTIuittmhHvQFuQ2ec8gt" or url like "https://share-eu1.hsforms.com/18wO3Zb9hTIuittmhHvQFuQ2ec8gt" or userdomainname like "https://share-eu1.hsforms.com/1vNr8tB1GS4mZuYg81ji3dg2e08a3" or url like "https://share-eu1.hsforms.com/1vNr8tB1GS4mZuYg81ji3dg2e08a3" or userdomainname like "https://share-eu1.hsforms.com/1qe8ypRpdTr284rkNpgmoow2ebzty" or url like "https://share-eu1.hsforms.com/1qe8ypRpdTr284rkNpgmoow2ebzty" or userdomainname like "https://share-eu1.hsforms.com/1C1IZ0_b-SD6YXS66alL4EA2e90m9" or url like "https://share-eu1.hsforms.com/1C1IZ0_b-SD6YXS66alL4EA2e90m9" or userdomainname like "https://vigaspino.com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85" or url like "https://vigaspino.com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85" or userdomainname like "https://purchaseorder.vermeernigeria.buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7" or url like "https://purchaseorder.vermeernigeria.buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7" or userdomainname like "https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf" or url like "https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf" or userdomainname like "https://purchaseorder.europeanfreightleaders.buzz/?Mt=zqoE&submissionGuid=476f32d0-e667-4a18-830b-f57a2b401fc3" or url like 
"https://purchaseorder.europeanfreightleaders.buzz/?Mt=zqoE&submissionGuid=476f32d0-e667-4a18-830b-f57a2b401fc3" or userdomainname like "https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9" or url like "https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9" or userdomainname like "https://wr43wer3ee.cyptech.com.au/oeeo4/ewi9ew/mnph_term=?/&submissionGuid=50aa078a-fb48-4fec-86df-29f40a680602" or url like "https://wr43wer3ee.cyptech.com.au/oeeo4/ewi9ew/mnph_term=?/&submissionGuid=50aa078a-fb48-4fec-86df-29f40a680602" or userdomainname like "https://vigaspino.com/2doc5/index.php?submissionGuid=093410a5-c228-4ddf-890c-861cdc6fe5d8" or url like "https://vigaspino.com/2doc5/index.php?submissionGuid=093410a5-c228-4ddf-890c-861cdc6fe5d8" or userdomainname like "https://espersonal.org/doc0024/index.php?submissionGuid=96a9b82a-55d3-402d-9af4-c2c5361daf5c" or url like "https://espersonal.org/doc0024/index.php?submissionGuid=96a9b82a-55d3-402d-9af4-c2c5361daf5c" or userdomainname like "https://orderconfirmating.symmetric.buzz/?df=ZUvkMN&submissionGuid=e06a1f83-c24e-4106-b415-d2f43a06a048" or url like "https://orderconfirmating.symmetric.buzz/?df=ZUvkMN&submissionGuid=e06a1f83-c24e-4106-b415-d2f43a06a048" or userdomainname like "https://docs.doc2rprevn.buzz?username=" or url like "https://docs.doc2rprevn.buzz?username=" or userdomainname like "https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9" or url like "https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9" or userdomainname like "https://9qe.daginvusc.com/miUxeH/" or url like "https://9qe.daginvusc.com/miUxeH/" or userdomainname like "https://vomc.qeanonsop.xyz/?hh5=IY&username=ian@deloitte.es" or url like "https://vomc.qeanonsop.xyz/?hh5=IY&username=ian@deloitte.es" or userdomainname like "https://sensational-valkyrie-686c5f.netlify.app/?e=" or url like "https://sensational-valkyrie-686c5f.netlify.app/?e="
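Queries 1 and 2 compare the full URL string, and several of the listed indicators carry per-victim values (submissionGuid, username=, HubSpot __hstc/__hssc/__hsfp cookies), so the same lure page reached by a different recipient produces a different string. The Python below, added here as an example and not Gurucul's or Unit 42's code, keys a subset of the same indicators on hostname and path instead and runs that over a constructed proxy log; the log format and the user names in it are assumptions.

```python
"""Match proxy-log URLs against the campaign's URL IOCs on (hostname, path).
Added example, not Gurucul's or Unit 42's code. The listed IOCs carry per-victim query
strings (submissionGuid, username=, HubSpot __hstc/__hssc/__hsfp), so an exact-string
match only fires on URLs already seen; a host+path key catches the other variants."""
from urllib.parse import urlsplit

# Subset of the report's URL IOCs (values copied from the page).
IOC_URLS = [
    "https://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5",
    "https://vigaspino.com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85",
    "https://docs.doc2rprevn.buzz?username=",
    "https://purchaseorder.vermeernigeria.buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7",
]

def url_key(url: str) -> tuple[str, str]:
    """Reduce a URL to (hostname, path); scheme, port, query and fragment are ignored.
    share-eu1.hsforms.com is a legitimate HubSpot service, so the hostname alone is not
    an indicator there: the form id in the path has to be part of the key."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path

IOC_KEYS = {url_key(u) for u in IOC_URLS}

def find_hits(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, host+path) for every log line whose url= field matches an IOC.
    Assumed log format (constructed for this example): space-separated key=value fields."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        url = fields.get("url")
        if url and url_key(url) in IOC_KEYS:
            host, path = url_key(url)
            hits.append((fields.get("user", "?"), host + path))
    return hits

# Constructed sample proxy log; none of these exact strings appears in IOC_URLS above.
SAMPLE_LOG = [
    "ts=2024-09-12T08:14:03Z user=alice@corp.example url=https://vigaspino.com/2doc5/index.php?submissionGuid=ffffffff-0000-4000-8000-000000000001",
    "ts=2024-09-12T08:15:41Z user=bob@corp.example url=http://share-eu1.hsforms.com/1wg25r1Z-R5GkhY6k-xGzOg2dvcv5",
    "ts=2024-09-12T08:16:02Z user=carol@corp.example url=https://share-eu1.hsforms.com/some-unrelated-form-id",
    "ts=2024-09-12T08:17:30Z user=dave@corp.example url=https://docs.doc2rprevn.buzz/?username=dave@corp.example",
]

if __name__ == "__main__":
    for user, where in find_hits(SAMPLE_LOG):
        print(f"IOC hit: {user} -> {where}")
```

Carol's line does not fire because only the listed form id, not the shared HubSpot host, is an indicator; the other three fire although none of their exact URL strings is in the list.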

    Detection Query 3

    dstipaddress IN ("91.92.244.131","91.92.253.66","94.156.71.208","144.217.158.133","13.40.68.32","188.166.3.116","91.92.245.39","208.91.198.96","167.114.27.228","208.115.208.118","18.67.38.155","91.92.242.68","91.92.253.66","104.21.25.8","172.67.221.137","49.12.110.250","74.119.239.234","94.46.246.46") or ipaddress IN ("91.92.244.131","91.92.253.66","94.156.71.208","144.217.158.133","13.40.68.32","188.166.3.116","91.92.245.39","208.91.198.96","167.114.27.228","208.115.208.118","18.67.38.155","91.92.242.68","91.92.253.66","104.21.25.8","172.67.221.137","49.12.110.250","74.119.239.234","94.46.246.46") or publicipaddress IN ("91.92.244.131","91.92.253.66","94.156.71.208","144.217.158.133","13.40.68.32","188.166.3.116","91.92.245.39","208.91.198.96","167.114.27.228","208.115.208.118","18.67.38.155","91.92.242.68","91.92.253.66","104.21.25.8","172.67.221.137","49.12.110.250","74.119.239.234","94.46.246.46") or srcipaddress IN ("91.92.244.131","91.92.253.66","94.156.71.208","144.217.158.133","13.40.68.32","188.166.3.116","91.92.245.39","208.91.198.96","167.114.27.228","208.115.208.118","18.67.38.155","91.92.242.68","91.92.253.66","104.21.25.8","172.67.221.137","49.12.110.250","74.119.239.234","94.46.246.46")

    Detection Query 4

    sha256hash IN ("b2ca9c6859598255cd92700de1c217a595adb93093a43995c8bb7af94974f067","f3f0bf362f7313d87fcfefcd6a80ab0f18bc6c5517d047be186f7b81a979ff91","deff0a6fbf88428ddef2ee3c4d857697d341c35110e4c1208717d9cce1897a21")

    Reference: 

    https://unit42.paloaltonetworks.com/european-phishing-campaign/      


    Tags

    Phishing, Credential Harvesting, Europe, Cloud Infrastructure, Chemical, Automotive Industry, Critical Manufacturing

