Thousands of users across Europe are receiving malicious emails containing DocuSign-enabled PDF attachments.


Palo Alto Networks’ cyber threat intelligence team, Unit 42, is raising alarms over a threat actor that has successfully compromised multiple victims across various organizations.

The attackers are primarily targeting European companies, including German and UK automakers, as well as chemical and industrial compound manufacturing organizations.

Cyberkitera previously reported that hackers were leveraging DocuSign phishing links that appeared highly authentic and bypassed many security solutions.

A new investigation by Unit 42 reveals that threat actors are abusing legitimate services to create redirections, ultimately leading victims to credential harvesting infrastructure.

The malicious campaign focuses on harvesting Microsoft account credentials to take control of Azure cloud infrastructure. It appears to have started and peaked in June, remaining active as of September.

The attack begins with a phishing email crafted with “thematic dialogue specific to the target organization’s brand and email formatting.” Typically, two red flags give away the scam: a tone of urgency created with phrases like “immediate action required,” and failed spam and sender-authentication checks (SPF, DKIM or DMARC) in the message headers.

The phishing emails contained either an attached DocuSign-enabled PDF file or an embedded HTML link.

Both led to malicious forms built with the HubSpot Free Form Builder. Abusing a legitimate, widely used service gives the lure a trusted domain that reputation-based filters are unlikely to block.

HubSpot, a widely used cloud platform for marketing, sales and customer relationship management, and DocuSign, known for its e-signature and document services, were both abused in this campaign. Neither service was itself compromised; the attackers simply used them as any customer could.

The fake form included a single question: whether the user was authorized to view a sensitive company document. The button text read: “View Document On Microsoft Secured Cloud.”

Researchers identified at least 17 different Free Forms actively redirecting victims to other domains. They confirmed that HubSpot was not compromised in the attack; the forms were created through the free service in the normal way.

After multiple redirects using fake content hosted on legitimate platforms, victims landed on the threat actor’s credential harvesting page, which mimicked a legitimate Microsoft Azure login form.
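The red flags described above (urgency language, failed sender-authentication results, and a link into a hosted form builder rather than the sender's own domain) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from Unit 42, Cyberkitera or the vendors named in the article. The sample message, the urgency phrase list and the `hsforms.com` form-share domain are assumptions made for the example; adapt them to your own environment.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message in the style the report describes: brand-like
# sender, "immediate action required", a failed Authentication-Results header
# and a link into a hosted form builder. Not a real captured sample.
SAMPLE_EMAIL = b"""\
From: Finance Team <finance@example-automaker-corp.com>
To: jdoe@example-automaker.com
Subject: Immediate action required: Q2 supplier agreement awaiting signature
Authentication-Results: mx.example-automaker.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example-automaker-corp.com;
 dkim=none header.d=example-automaker-corp.com;
 dmarc=fail action=quarantine header.from=example-automaker-corp.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document has been shared with you via DocuSign. Immediate action required.</p>
<p><a href="https://share.hsforms.com/1AbCdEfGhIjKlMnOpQrStUv">View Document On Microsoft Secured Cloud</a></p>
</body></html>
"""

# Assumed indicators for this example (not taken from the original report):
# phrases that manufacture urgency, and the parent domain HubSpot uses for
# hosted form share links. Tune both lists to your environment.
URGENCY_PHRASES = ("immediate action required", "urgent", "within 24 hours",
                   "account will be suspended")
FORM_BUILDER_DOMAINS = ("hsforms.com",)
AUTH_MECHANISMS = ("spf", "dkim", "dmarc")
AUTH_FAILURES = ("fail", "softfail", "permerror", "temperror")


def parse_auth_results(header):
    """Return {'spf': 'fail', 'dkim': 'none', ...} from an Authentication-Results header."""
    if not header:
        return {}
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def find_urgency_phrases(text):
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def extract_links(html):
    return re.findall(r'href="([^"]+)"', html)


def is_form_builder_link(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FORM_BUILDER_DOMAINS)


def triage(raw_bytes):
    """Score one raw RFC 5322 message and return the findings for a SOC rule to act on."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    failed_auth = [m for m in AUTH_MECHANISMS if auth.get(m) in AUTH_FAILURES]

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    urgency = find_urgency_phrases(msg.get("Subject", "") + " " + body)
    form_links = [u for u in extract_links(body) if is_form_builder_link(u)]

    reasons = []
    if failed_auth:
        reasons.append("failed sender authentication: " + ", ".join(failed_auth))
    if urgency:
        reasons.append("urgency language: " + ", ".join(urgency))
    if form_links:
        reasons.append("link into hosted form builder: " + ", ".join(form_links))
    # Any single signal is weak on its own (marketing mail is urgent, forms are
    # legitimate); two or more together is what the report's red flags amount to.
    return {"suspicious": len(reasons) >= 2, "failed_auth": failed_auth,
            "urgency": urgency, "form_links": form_links, "reasons": reasons}


if __name__ == "__main__":
    for reason in triage(SAMPLE_EMAIL)["reasons"]:
        print("-", reason)
```

Note that `dkim=none` is deliberately not treated as a failure: an unsigned message is common for legitimate senders, whereas `spf=fail` and `dmarc=fail` mean the receiving server positively rejected the sender's claim of identity.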

“We verified that the phishing campaign made several attempts to connect to the victim’s Microsoft Azure cloud infrastructure,” Unit 42 reported.

The attackers obscured their activity by making login attempts appear to come from trusted devices, using VPN proxies located in the same country as the victim’s organization, a choice that defeats simple geolocation and impossible-travel alerts. The campaign relied on various services, including bulletproof VPS hosts, both for hosting the phishing infrastructure and for accessing compromised Azure accounts.

“During the account takeover, the threat actor added a new device to the victim’s account, enabling persistent access even as security measures were implemented to block them,” researchers warned.

In many cases, as soon as IT teams regained control of the account, attackers initiated password resets in an effort to reclaim access.

“This created a tug-of-war scenario, with both parties struggling for control over the account,” the report noted.

DocuSign informed Unit 42 that it has implemented additional measures to strengthen proactive prevention. These efforts have significantly reduced the number of fraudulent DocuSign signature requests reaching users.
