A massive phishing campaign has compromised over 20,000 users across Europe’s industrial sectors, including automotive and chemical industries. Exploiting trusted tools like DocuSign and HubSpot Free Form Builder, the attackers crafted sophisticated schemes to harvest sensitive credentials, posing significant threats to critical infrastructure.
The attack involved phishing emails that enticed recipients with malicious PDF attachments or embedded HTML links. These links redirected victims to fake HubSpot Free Form Builder pages, mimicking legitimate interfaces to harvest user credentials.
Despite the misuse of HubSpot’s platform, researchers confirmed that HubSpot’s infrastructure itself was not compromised.
DocuSign, another tool leveraged in the attack, responded by emphasising its commitment to security and detailing new measures that have significantly reduced fraudulent document requests.

Researchers discovered that the phishing emails were meticulously crafted, employing organisation-specific branding and formatting to deceive users. Malicious PDFs often had filenames referencing the target company, such as “CompanyName.pdf.” Clicking the embedded “View Document” button led users to a fake HubSpot Free Form page that further redirected them to phishing sites designed to resemble Microsoft Azure login pages.
The campaign showed a high degree of geographic and thematic targeting. For instance, notaries in France were among the victims, receiving phishing messages in French tailored to their profession.
“Evidence showed that the threat actor targeted several phishing attempts toward specific institutions. These phishing attempts came complete with thematic dialogue specific to that organization’s brand and email address formatting,” researchers noted.

Researchers identified two key red flags in the phishing emails:
- Urgency: Messages pressured recipients with phrases like “immediate action required,” a hallmark of phishing schemes.
- Authentication failures: Emails failed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks, indicating potential forgery. Temporary errors in Domain-based Message Authentication, Reporting, and Conformance (DMARC) further weakened email legitimacy.
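
The two red flags above can be checked mechanically at the mail gateway. The following is an added example, not code from the researchers or the affected vendors: it reads the `Authentication-Results` header stamped by your own gateway and scans the subject and body for the urgency phrase quoted above. The gateway name `mx.example.net`, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

TRUSTED_AUTHSERV = "mx.example.net"   # assumption: your own gateway's authserv-id
URGENCY_PHRASES = ("immediate action required",)  # phrase quoted in the article
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(msg, authserv=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc results, ignoring headers our gateway did not add."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = str(header).partition(";")
        if server.strip().lower() != authserv:
            continue  # a sender can forge this header; trust only our own
        for method, result in RESULT_RE.findall(rest):
            results.setdefault(method.lower(), result.lower())
    return results

def red_flags(raw_message, authserv=TRUSTED_AUTHSERV):
    """Return the article's red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    res = auth_results(msg, authserv)
    flags = [f"{m}={res.get(m, 'none')}" for m in ("spf", "dkim")
             if res.get(m, "none") != "pass"]
    if res.get("dmarc") == "temperror":
        flags.append("dmarc=temperror")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}".lower()
    flags += [f"urgency:{p}" for p in URGENCY_PHRASES if p in text]
    return flags

# Constructed sample message, not taken from the campaign.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=sender.example;
 dkim=fail header.d=sender.example; dmarc=temperror header.from=sender.example
From: "Document Service" <no-reply@sender.example>
To: user@example.net
Subject: Immediate action required: CompanyName.pdf
Content-Type: text/plain; charset=utf-8

Please review the attached document today.
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that carries only an `Authentication-Results` header from an unknown server is reported as `spf=none` and `dkim=none`, since results the gateway did not produce itself are not evidence of a pass.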
To bypass detection, attackers employed various techniques, such as VPN proxies and unusual user-agent strings, adding another layer of obfuscation.
Investigations revealed that the attackers used 17 active HubSpot Free Forms and numerous domains under the .buzz top-level domain for phishing. These domains hosted fake Microsoft Outlook Web App pages designed to harvest credentials. The use of bulletproof hosting services (known for their anonymity and resistance to takedown requests) further facilitated the operation.
For persistence, attackers added devices for authentication and initiated password resets to regain control.
Compromised organisations have received support to recover and bolster their defences.