A new phishing campaign targeting HubSpot users is slipping past traditional email defenses by weaponizing trust in legitimate email platforms and compromised websites.
Evalian researchers found that the attack delivers a credential-stealing payload through fully authenticated emails that appear routine to unsuspecting recipients.
The techniques “… allowed the email to bypass secure email gateways (SEGs) due to their trusted reputation,” said researchers.
Phishing Through Legitimate Email Services
The phishing emails claim to originate from HubSpot and warn recipients of unusually high unsubscribe rates in their marketing campaigns — a message designed to prompt urgency without raising suspicion.
Rather than embedding a malicious URL in the email body, the attackers inserted the phishing link into the sender’s display name, a field often overlooked by secure email gateways.
According to the researchers, the attackers compromised a legitimate business email account. They then used MailChimp to distribute the messages at scale.
This allowed the emails to bypass spam filters due to the platform’s strong sender reputation and valid email authentication.
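The display-name trick above is easy to check for on the receiving side. The following Python snippet is an added example written for this article, not code from Evalian or HubSpot: it parses a raw message, pulls the display name out of the From header, and flags any URL-like token in it. The two sample messages are constructed (reserved .example domains) and the verdict deliberately ignores SPF/DKIM results, because in this campaign both passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristic for a URL or bare domain embedded in free text: optional scheme or
# "www.", at least one dotted label, a TLD-like tail, and an optional path.
URL_LIKE = re.compile(
    r"(?:https?://|www\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I
)

# Constructed sample messages (not captured from the campaign). Domains use the
# reserved .example TLD. SUSPICIOUS_EMAIL passes SPF/DKIM, has no link in the
# body, and carries the link in the From display name instead.
SUSPICIOUS_EMAIL = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=legit-business.example; dkim=pass header.d=legit-business.example
From: "HubSpot Alerts hubspot-login.example/report" <notify@legit-business.example>
To: victim@corp.example
Subject: Unusually high unsubscribe rate on your campaign

Your latest campaign shows an unusually high unsubscribe rate. Please review it.
"""

CLEAN_EMAIL = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=legit-business.example; dkim=pass header.d=legit-business.example
From: "Jane Doe" <jane@legit-business.example>
To: victim@corp.example
Subject: Meeting notes

Notes from today's meeting are attached.
"""


def _auth_passed(auth_results: str) -> bool:
    """True only when both spf=pass and dkim=pass appear in Authentication-Results."""
    spf = re.search(r"\bspf=(\w+)", auth_results)
    dkim = re.search(r"\bdkim=(\w+)", auth_results)
    return bool(spf and dkim
                and spf.group(1).lower() == "pass"
                and dkim.group(1).lower() == "pass")


def analyze_from_header(raw_email: str) -> dict:
    """Flag a URL-like token in the From display name, whatever the auth results say."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    url_match = URL_LIKE.search(display_name)
    return {
        "display_name": display_name,
        "address": address,
        "authenticated": _auth_passed(msg.get("Authentication-Results", "")),
        # SPF/DKIM pass only proves the sending account was real, not that the
        # message is safe, so the verdict depends solely on the display-name check.
        "url_in_display_name": url_match.group(0) if url_match else None,
        "verdict": "suspicious" if url_match else "clean",
    }


if __name__ == "__main__":
    for sample in (SUSPICIOUS_EMAIL, CLEAN_EMAIL):
        print(analyze_from_header(sample))
```

The regex is intentionally loose (a display name such as "St.Louis Tours" would trip it), so treat a hit as a reason to quarantine or rewrite the header for review rather than as a hard block.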
Inside the Phishing Attack Chain
The attack chain is designed to appear legitimate at every stage, minimizing user suspicion and evading automated defenses.
When a recipient clicks the link in the phishing email, they are first redirected through a compromised legitimate website, canvthis[.]com.
Using a real, previously trusted domain helps the attackers bypass reputation-based filtering and URL inspection, increasing the likelihood that the redirect will be allowed by secure web gateways.
From there, the user is forwarded to a phishing domain crafted to closely replicate the HubSpot login experience.
The page mirrors HubSpot’s branding, layout, and authentication flow, making it difficult for users to distinguish from the genuine portal.
This realism reduces hesitation and increases credential submission rates, particularly for users accustomed to frequent SaaS logins.
Once credentials are entered, they are exfiltrated via HTTP POST requests to an attacker-controlled backend.
Infrastructure analysis traced this backend to IP address 193[.]143[.]1[.]220, hosted within ASN AS198953 (Proton66 OOO), an autonomous system frequently associated with Russian bulletproof hosting.
Open-source intelligence indicates this infrastructure has been reused across multiple phishing campaigns, suggesting a repeatable, scalable operation rather than a one-off attack.
Further analysis of the host revealed common indicators of phishing infrastructure, including an auto-generated *.plesk[.]page hostname, publicly accessible Plesk administrative interfaces, and self-issued TLS certificates.
The server exposes a full mail stack — SMTP, IMAP, and ManageSieve — alongside multiple web and management ports.
This overexposed configuration enables attackers to rapidly stand up phishing pages, manage email delivery, and rotate domains or content with minimal friction, contributing to the campaign’s effectiveness and persistence.
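The host-level indicators listed above (auto-generated *.plesk.page hostname, reachable Plesk panel, self-issued TLS certificate, exposed SMTP/IMAP/ManageSieve, bulletproof ASN) can be turned into a simple triage score for hunting. The Python below is an added example, not Evalian's tooling: the weights, the priority thresholds, and the choice of 8443/8880 as Plesk's panel ports are assumptions made for this example, and both host records are constructed (documentation IP range and AS64500); only the watchlist ASN comes from the article.

```python
import re
from dataclasses import dataclass

# Indicators named in the article; the weights are an assumption for this example.
WEIGHTS = {
    "plesk_hostname": 2,   # auto-generated *.plesk.page hostname
    "mail_stack": 2,       # SMTP, IMAP and ManageSieve exposed together
    "admin_panel": 2,      # management interface reachable from the Internet
    "self_signed_tls": 1,  # self-issued certificate
    "watchlist_asn": 3,    # ASN associated with bulletproof hosting
}
PLESK_HOSTNAME = re.compile(r"\.plesk\.page$", re.I)
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission",
              143: "imap", 993: "imaps", 4190: "managesieve"}
# 8443/8880 are Plesk's default panel ports; treating them as "admin" is an
# assumption of this example, not a detail from the article.
ADMIN_PORTS = {8443: "plesk-panel-https", 8880: "plesk-panel-http"}
WATCHLIST_ASNS = {"AS198953"}  # the ASN named in the article's analysis


@dataclass
class HostRecord:
    ip: str
    asn: str
    hostnames: list
    open_ports: list
    tls_self_signed: bool


def score_host(rec: HostRecord) -> dict:
    """Accumulate weighted findings and map the total onto a triage priority."""
    findings, score = [], 0
    for name in rec.hostnames:
        if PLESK_HOSTNAME.search(name):
            findings.append(f"plesk_hostname: {name}")
            score += WEIGHTS["plesk_hostname"]
    mail = sorted(p for p in rec.open_ports if p in MAIL_PORTS)
    if len(mail) >= 3:  # three or more mail services is "a full mail stack" here
        findings.append("mail_stack: " + ", ".join(f"{p}/{MAIL_PORTS[p]}" for p in mail))
        score += WEIGHTS["mail_stack"]
    for p in sorted(rec.open_ports):
        if p in ADMIN_PORTS:
            findings.append(f"admin_panel: {p}/{ADMIN_PORTS[p]}")
            score += WEIGHTS["admin_panel"]
    if rec.tls_self_signed:
        findings.append("self_signed_tls")
        score += WEIGHTS["self_signed_tls"]
    if rec.asn.upper() in WATCHLIST_ASNS:
        findings.append(f"watchlist_asn: {rec.asn}")
        score += WEIGHTS["watchlist_asn"]
    priority = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"ip": rec.ip, "score": score, "priority": priority, "findings": findings}


# Constructed records: 203.0.113.0/24 and AS64500 are documentation ranges.
SUSPECT = HostRecord("203.0.113.10", "AS198953", ["host-203-0-113-10.plesk.page"],
                     [25, 143, 443, 993, 4190, 8443], True)
BENIGN = HostRecord("203.0.113.20", "AS64500", ["www.corp.example"], [443], False)

if __name__ == "__main__":
    for rec in (SUSPECT, BENIGN):
        print(score_host(rec))
```

Feed it the output of whatever passive-DNS, certificate-transparency, or port-scan enrichment your hunting pipeline already produces; the point is to rank candidate hosts, not to declare any single indicator malicious on its own.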
Reducing Risk From Authenticated Email Attacks
Modern phishing campaigns increasingly abuse trusted infrastructure and authenticated email to evade traditional defenses.
As a result, preventing these attacks requires more than basic filtering or user awareness alone.
- Treat authenticated email as potentially malicious by inspecting sender display names, redirect chains, and non-standard URL placements.
- Monitor cloud email platforms and trusted sending services for anomalous behavior tied to legitimate domains.
- Correlate email, web, and identity telemetry to detect patterns such as phishing clicks followed by suspicious login activity.
- Hunt for phishing infrastructure indicators, including compromised legitimate sites, disposable hosting, Plesk-managed VPS hosts, and bulletproof ASNs.
- Reduce credential abuse by enforcing MFA or phishing-resistant authentication and applying conditional access for risky logins.
- Strengthen preparedness through user education, phishing simulations, and rapid response playbooks for suspected credential exposure.
Together, these controls help reduce risk by limiting credential exposure, improving detection of trusted-platform abuse, and strengthening organizational response to phishing-driven incidents.
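The correlation recommended above (a phishing click followed by suspicious login activity) is shown here as an added Python example; it is not part of the article or of any vendor product. It joins email-gateway click events with identity-provider sign-ins for the same user inside a time window and raises an alert when the login comes from a country outside the user's baseline or completed without MFA. All events, the baseline, and the 60-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not from the campaign). Click events come from the email
# gateway's URL-click logs; login events from the identity provider.
CLICKS = [
    {"user": "alice@corp.example", "ts": "2025-01-15T09:02:10Z",
     "url": "https://compromised-redirect.example/x"},
    {"user": "bob@corp.example", "ts": "2025-01-15T10:00:00Z",
     "url": "https://compromised-redirect.example/x"},
]
LOGINS = [
    {"user": "alice@corp.example", "ts": "2025-01-15T09:10:45Z",
     "success": True, "country": "NL", "mfa": False},
    {"user": "bob@corp.example", "ts": "2025-01-15T10:05:00Z",
     "success": True, "country": "GB", "mfa": True},
    {"user": "carol@corp.example", "ts": "2025-01-15T11:00:00Z",
     "success": True, "country": "BR", "mfa": False},
    {"user": "alice@corp.example", "ts": "2025-01-15T14:00:00Z",
     "success": True, "country": "NL", "mfa": False},
]
# Countries each user has logged in from during the look-back period (constructed).
BASELINE_COUNTRIES = {
    "alice@corp.example": {"GB"},
    "bob@corp.example": {"GB"},
    "carol@corp.example": {"GB"},
}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(clicks, logins, baseline, window_minutes=60):
    """Alert on successful logins within the window after a click by the same
    user that come from a non-baseline country or were completed without MFA."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for click in clicks:
        t0 = _parse(click["ts"])
        for login in logins:
            if login["user"] != click["user"] or not login["success"]:
                continue
            t1 = _parse(login["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue  # login outside the post-click window
            reasons = []
            if login["country"] not in baseline.get(login["user"], set()):
                reasons.append("new_country")
            if not login["mfa"]:
                reasons.append("no_mfa")
            if reasons:
                alerts.append({
                    "user": login["user"],
                    "click_url": click["url"],
                    "click_ts": click["ts"],
                    "login_ts": login["ts"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(CLICKS, LOGINS, BASELINE_COUNTRIES):
        print(alert)
```

In the sample data only Alice's 09:10 login is raised: Bob logged in from a baseline country with MFA, Carol never clicked, and Alice's 14:00 login falls outside the window. In production the baseline would come from historical sign-in data and the click feed from the gateway's rewritten-link telemetry, and the alert would trigger a credential reset and session revocation playbook.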
When Trust Becomes the Attack Vector
This campaign reflects a broader shift in phishing tactics. Attackers are moving away from basic spoofing techniques and instead abusing reputable services and fully authenticated infrastructure.
By leveraging trusted platforms and legitimate domains, these campaigns exploit existing trust models to bypass technical controls and reach users more effectively.
As attackers increasingly exploit implicit trust in authenticated systems, the need grows for zero-trust approaches that continuously verify users, devices, and access rather than relying on assumed legitimacy.
