A new phishing campaign has been observed in the wild using captcha boxes to hide a fake Microsoft account login page from secure email gateways (SEGs).

Businesses use SEGs to protect against a wide variety of email-based attacks. They scan all messages, in or out, for malicious content and protect at least against malware and phishing threats.

Captcha blocks automated scanning

Captchas are challenge-based methods to determine if the user is human or a bot. Their purpose is to prevent abuse and are typically found on registration pages to prevent automated sign up action.

Ironically, the phishing campaign discovered by Cofense used this type of challenge to block automated URL analysis from processing the dangerous page.

"The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through." - Cofense

The attackers were after credentials for Microsoft accounts and created a page that mimics the original for selecting an account and logging in.

This is served after completing the human verification step. Needless to say that anything typed in the text fields is automatically sent to the attacker.

According to the researchers, the email delivering the phishing link is from a compromised account from 'avis.ne.jp' and pretends to be a notification for voicemail message.

A button promising to provide a preview of the alleged communication is embedded in the email; when clicked, it takes the victim to the page with the captcha code.

The researchers say that both the captcha and the phishing pages are hosted on the Microsoft infrastructure. As a result, they have legitimate top-level domains, which ensures no negative reaction from domain reputation databases, used by SEGs in their URL analysis process.

Ever creative cybercriminals find new ways to bypass security controls and exhibit social engineering tricks in their attempts to pass human inspection.

In past campaigns, fraudsters uses QR codes to redirect to phishing pages, a method that also flies under the radar of multiple security solutions

Another operation relied on email notifications about a Google Docs file being shared with the target. When users tried to open the document, they would see a fake 404 error and an instruction to download the file locally.

To make a different email-based scam more believable, threat actors used fake 2FA codes delivered via emails pretending to be from Instagram.

Related Articles:

LA County Health Services: Patients' data exposed in phishing attack

Google ad impersonates Whales Market to push wallet drainer malware

Cybercriminals pose as LastPass staff to hack password vaults

LabHost phishing service with 40,000 domains disrupted, 37 arrested

FIN7 targets American automaker’s IT staff in phishing attacks