Targeted Phishing Attack Strikes HubSpot Users
Evalian’s Security Operations Centre has discovered a sophisticated phishing campaign targeting HubSpot customers, which combines business email compromise (BEC) tactics with website compromise to distribute a credential-stealing malware to unsuspecting users.
The multi-layered attack demonstrates the evolving techniques of modern threat actors to bypass traditional email security controls.
The phishing campaign employs a deceptive approach, leveraging both compromised legitimate infrastructure and spoofed communications to trick victims.
Attackers sent emails impersonating HubSpot, urging recipients to verify their accounts due to unusual unsubscribe activity, in an attempt to steal their credentials.
What makes this attack particularly noteworthy is that the URLs within the email body were not malicious; instead, the threat actors embedded a phishing URL directly into the sender’s display name, a technique designed to evade email security gateways that typically focus on link analysis rather than sender metadata scrutiny.
The sophistication of the attack extends further through the use of business email compromise to control a legitimate email address, which attackers then leveraged through MailChimp, a popular email marketing platform, to distribute the campaign at scale.
This approach allowed the phishing email to bypass secure email gateways due to the trusted reputation of both the compromised domain and MailChimp’s infrastructure.
Credential Stealer Infrastructure
Investigation into the malicious infrastructure revealed that a legitimate website, canvthis[.]com, had been compromised and configured to redirect users to a credential stealer hosted at hxxps://hubspot-campaigns[.]com/login.
The fake login page is visually convincing, closely mimicking the genuine HubSpot login portal, and when users entered credentials, the information was transmitted to a login.php file on infrastructure hosted in Saint Petersburg, Russia.

The hosting infrastructure traces back to Proton66 OOO (ASN AS198953), a Russian bulletproof hosting service with a well-documented history of facilitating phishing campaigns.
OSINT analysis revealed that this same IP address has been linked to multiple other attempted phishing campaigns, indicating infrastructure reuse across different threat actors or campaigns.
The compromised server exhibits characteristics typical of hastily deployed phishing infrastructure, hosted on a Plesk-managed virtual private server with an auto-generated hostname (*.plesk[.]page).
The system exposes a complete mail stack, including Postfix and Dovecot, alongside publicly accessible Plesk administrative panels, and uses self-issued TLS certificates, maintaining exposed SMTP, IMAP, and submission services with legacy authentication methods.
Port scanning reveals a vast attack surface, including DNS (53), SSH (22), HTTP/HTTPS (80/443), and multiple Plesk interfaces (8443, 8880).

This campaign highlights the limitations of relying solely on email authentication protocols, as SPF, DKIM, and DMARC prevent message forgery at the SMTP level but do not guarantee message safety.
The over-exposed configuration is characteristic of generic VPS templates commonly abused for short-lived phishing campaigns, enabling rapid deployment of phishing pages and quick infrastructure rotation.
Implications for Email Security
Threat actors are increasingly exploiting legitimate third-party email services like MailChimp, SendGrid, and Salesforce, bypassing authentication checks by abusing trusted platforms.
For security operations teams, the attack highlights the need to move beyond simple domain blocking and instead focus on hunting for infrastructure patterns, monitoring cloud email providers, analyzing TLS artifacts, and implementing user education programs that encourage skepticism toward even polished communications.
The campaign represents a significant evolution in phishing sophistication, combining brand impersonation with infrastructure-as-a-service to scale attacks efficiently while remaining ahead of basic defenses.