👤 LOGICFALCON
🗓️ 19 Dec 2025   🌍 Europe

Email Wolves in Trusted Clothing: Inside the HubSpot Phishing Campaign That Outsmarted Security

A cunning hacker group leverages compromised brands and bulletproof Russian servers to target unsuspecting HubSpot users.

It began as a routine marketing notification - an email warning HubSpot users of unusual unsubscribe activity, urging them to verify their accounts. But this was no ordinary alert. Behind the familiar branding lurked a sophisticated phishing operation, one that deftly blended technical subterfuge with psychological manipulation. The attackers’ methods, recently dissected by Evalian’s Security Operations Centre, reveal a new era of cybercrime - where trust is weaponized and even the savviest defenses can be bypassed.

The anatomy of this attack reads like a cybercrime masterclass. Instead of stuffing emails with obvious malicious links, the hackers embedded their trap inside the sender’s display name - a field rarely scrutinized by secure email gateways. This subtlety allowed the phishing emails to slip past even well-configured defenses, as automated systems focused on scanning message bodies and attachments.

But the attack’s ingenuity didn’t stop there. The perpetrators had already compromised a legitimate MailChimp account via business email compromise (BEC), sending their messages from an authenticated, trusted source. As a result, critical anti-spoofing checks - SPF, DKIM, and DMARC - were all satisfied, further lowering the guard of recipients and automated filters alike.
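The two tricks just described can be checked directly in message headers. The following is an added example, not code from the article or from Evalian's analysis: it parses the From and Authentication-Results headers of a constructed message, flags a URL sitting in the display name and a brand name that does not match the sender's domain, and records that SPF/DKIM/DMARC passing clears neither finding. All domains and header values are constructed, and treating `hubspot.com` as the brand's only legitimate sending domain is an assumption for the example.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample headers (not a real capture). The display name carries a
# URL, and SPF/DKIM/DMARC all pass because the message really was sent through
# a legitimate, but compromised, bulk-mail account.
PHISH_HEADERS = """\
From: "HubSpot Security - verify at https://hubspot-verify.example/login" <news@compromised-sender.example>
Subject: Unusual unsubscribe activity on your account
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=compromised-sender.example; dkim=pass header.d=compromised-sender.example; dmarc=pass header.from=compromised-sender.example
"""

# Constructed legitimate newsletter: no brand keyword, no URL in the display name.
BENIGN_HEADERS = """\
From: "Acme Weekly Digest" <digest@acme.example>
Subject: This week at Acme
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
"""

# URL or bare domain tokens that have no business in a display name.
URL_RE = re.compile(r"https?://\S+|(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Brands expected only from their own sending domains. The domain set is an
# assumption for this example; extend it with the brand's real sending domains.
BRAND_DOMAINS = {"hubspot": {"hubspot.com"}}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def analyze_from_header(raw_headers: str) -> dict:
    """Flag display-name abuse even when sender authentication passes."""
    msg = HeaderParser().parsestr(raw_headers)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    findings = []
    urls = URL_RE.findall(display_name)
    if urls:
        findings.append(f"URL/domain in display name: {urls}")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
    # SPF/DKIM/DMARC vouch for the sending account, not for the brand it names.
    if findings and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("authentication passes for the sender domain; display-name mismatch still stands")
    return {"display_name": display_name, "sender_domain": sender_domain, "auth": auth, "findings": findings}

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("benign", BENIGN_HEADERS)):
        print(label, analyze_from_header(raw)["findings"])
```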

For victims who clicked the disguised link, the journey took them through a compromised website (canvthis[.]com), seamlessly redirecting them to a nearly perfect clone of HubSpot’s login page. Here, any credentials entered were whisked away to a Russian server - specifically, infrastructure managed by Proton66 OOO, notorious for providing “bulletproof” hosting to cybercriminals. The server’s configuration bore all the hallmarks of disposable phishing operations: exposed administrative ports, outdated protocols, and auto-generated hostnames, all enabling rapid deployment and takedown cycles.

Security researchers traced the campaign’s infrastructure and found evidence of reuse across other phishing operations - suggesting a broader, service-based model for launching attacks. This marks a significant evolution: threat actors now operate with the efficiency of SaaS providers, leveraging trusted cloud platforms like MailChimp to scale their reach and evade blacklists.

The breach underscores a sobering truth for organizations: traditional defenses alone are no longer enough. With attackers exploiting trusted third-party platforms, security teams must now hunt for subtle infrastructure patterns, scrutinize cloud service activity, and - crucially - educate users to question even the most convincing digital facades.

As phishing campaigns become more insidious and infrastructure-as-a-service models proliferate, the battle for inbox trust intensifies. This HubSpot-themed attack is a stark reminder: in today’s cyber-threat landscape, even the safest-seeming messages may hide a wolf in sheep’s clothing.

WIKICROOK

  • Business Email Compromise (BEC): Business Email Compromise (BEC) is a scam where criminals hack or impersonate business emails to trick companies into sending money to fraudulent accounts.
  • Secure Email Gateway (SEG): A Secure Email Gateway filters and monitors emails to block threats such as phishing, malware, and spam, protecting organizations from email-based attacks.
  • SPF, DKIM, DMARC: SPF, DKIM, and DMARC are protocols that authenticate emails, prevent spoofing, and verify the legitimacy of email senders.
  • Bulletproof Hosting: Bulletproof hosting is a web hosting service that ignores abuse reports, letting criminals host illegal or malicious content with little risk of takedown.
  • Credential Stealer: A credential stealer is malware designed to locate and steal passwords, digital keys, or authentication tokens from a victim’s computer or device.
