Unit 42 of Palo Alto Networks recently uncovered a phishing campaign targeting European companies to harvest victims’ account credentials and take over their Microsoft Azure cloud infrastructure. According to their report, the phishing attempts leveraging the HubSpot Free Form Builder service peaked in June 2024.

The researchers identified 18 domains and 17 IP addresses as indicators of compromise (IoCs) based on their in-depth analysis. The WhoisXML API research team expanded the IoC list in a bid to uncover other potentially connected artifacts. Note, however, that since two domain IoCs—cloudfront[.]net and hsforms[.]com—are owned by legitimate companies, we opted to exclude them from our expansion analysis. As a result, we were left with 33 IoCs—16 domains and 17 IP addresses. Our hunt for connected artifacts led to the discovery of:

• 16 email-connected domains
• Four additional IP addresses
• 185 IP-connected domains
• 289 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More Facts about the IoCs

First off, we sought to find more information about the 33 IoCs starting with a Bulk WHOIS Lookup query for the 16 domains tagged as IoCs. We discovered that only 14 of them had current WHOIS records.

• They were administered by four different registrars. NameSilo took the top spot with 11 domains. GMO Internet Group, Name.com, and PDR administered one domain each.

  

• They were created between 2011 and 2024. Specifically, 12 were created in 2024, while one domain each was created in 2011 and 2018.

  

• They were registered in three countries—12 in the U.S. and one each in Pakistan and Spain. Two domains did not have current registrant country data.

  

A query on DNS Chronicle API revealed that all 16 domains tagged as IoCs had historical IP resolutions. The domain cyptech[.]com[.]au had the oldest first IP resolution date—6 October 2019. It also had 41 IP resolutions over time. Altogether, the 16 domain IoCs had 1,432 IP resolutions so far. Take a look at the details for five other domains below.

Next, we queried the 17 IP addresses tagged as IoCs on Bulk IP Geolocation Lookup and found that:

• They were geolocated in five countries led by the Netherlands and the U.S., which accounted for six IP addresses each. Two IoCs each were geolocated in Canada and the U.K., while one originated from Germany.

  

• They were administered by nine ISPs led by NTT Global IP Network, which accounted for five IP addresses. Two IoCs each were administered by Amazon, Cloudflare, Endurance International Group, and OVHcloud. Finally, one IP address each was administered by DigitalOcean, Hetzner Online, Limestone Networks, and UK Dedicated Servers.

  

Our DNS Chronicle API query for the 17 IP addresses tagged as IoCs showed that all of them had 6,456 historical domain resolutions so far. The IP addresses 144[.]217[.]158[.]133, 167[.]114[.]27[.]228, 208[.]91[.]198[.]96, and 74[.]119[.]239[.]234 recorded the oldest first domain resolution date—4 October 2019. Take a look at specific details for five other IP address IoCs below.

The Hunt for Connected Artifacts

We began our search for connected artifacts with a WHOIS History API query for the 16 domains tagged as IoCs. We found that two of them had four email addresses in their historical WHOIS records after duplicates were filtered out. Three of them were public email addresses.

Only two of the public email addresses appeared in the current WHOIS records of other domains. One of them, however, could belong to a domainer, leaving us with only one email address for our analysis. The sole public email address left on our list was shared by 16 domains after duplicates and the IoCs were filtered out.

A DNS Lookup API query for the 16 domains tagged as IoCs revealed that five of them actively resolved to four IP addresses not yet identified as IoCs.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.