
Office 365 phishing page evades detection using Google captcha

A newly discovered phishing campaign makes the recipient solve captchas in an effort to both add some legitimacy to itself and evade detection systems.

Typically, captchas are a puzzle or challenge that a human is asked to solve to prove to a web server that the client accessing it is not an automated system (“robot”).

Use of captchas helps distinguish legitimate (human-initiated) traffic from automated bot traffic as the latter can have nefarious motives.

Captchas therefore help prevent attacks such as rogue pentesting bots simply fuzzing a website, or Denial of Service (DoS).

But, what good would a phishing page achieve from making its victims solve captchas?

Evades automated security systems

Not only does the phishing campaign employ captchas to appear more legitimate to its recipients, but the addition of captchas also means bots can’t access the page.

While the term “bot” may have a negative connotation in this context, these also include automated security research tools looking to detect and deter such phishing campaigns.

Menlo Security analyzed such a phishing campaign that comprised a fake Microsoft Office 365 page.

Vinay Pidathala, Director of Security Research at Menlo Security explained in a blog post:

“To defeat automated crawling systems and ensure that a human is interacting with the page, the attackers put the credential phishing page behind layers of visual captchas, so the user would have to click the right set of images to ensure that they are not a bot,” he wrote, providing screenshots.

Image: Google reCaptcha integrated with phishing spam


“In addition to the first check, the attackers have designed two other captchas, in case the first one gets defeated by automated systems,” continued Pidathala.

Only after two different captchas are successfully solved by the victim does the page redirect them to a final landing page.

This landing page is a lookalike of the Microsoft Office 365 login page that tries to phish the user’s credentials.

Image: Office 365 phishing page loads after captcha challenges are solved

A phishing campaign such as this one may appear simple, but it is in fact crafted with a very clever purpose in mind.

The addition of the widely recognized Google reCaptcha, used by many legitimate websites, may trick a novice user into believing in the authenticity of the phishing page.

Further, email gateways and web proxies that might otherwise have intercepted and blocked the final landing page are rendered moot, because to analyze the page at all they would first need to solve the captcha and prove they are human.

The irony of this setup is hard to miss.
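One way a URL scanner can avoid being blinded in exactly this manner, as an added example that is not from the article or from Menlo Security: rather than treating a captcha wall as a dead end (and the URL as clean), flag any page that presents a reCAPTCHA widget with almost no other visible text as “captcha-gated”, so it is routed to interactive or analyst review. The reCAPTCHA markers used (the loader script URL and the `g-recaptcha` class), the 25-word threshold and both HTML samples are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Markers of an embedded Google reCAPTCHA widget: its loader script and widget container.
RECAPTCHA_SCRIPT = re.compile(r"google\.com/recaptcha/api\.js", re.I)
RECAPTCHA_CLASS = "g-recaptcha"

class PageStats(HTMLParser):
    # Collects, from one fetched HTML document, the signals the heuristic needs.
    def __init__(self):
        super().__init__()
        self.captcha_widgets = 0     # <div class="g-recaptcha"> containers seen
        self.captcha_script = False  # reCAPTCHA loader script referenced
        self.visible_words = 0       # words a human would actually see
        self._hidden = 0             # depth inside <script>/<style>: text not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        if tag == "script" and RECAPTCHA_SCRIPT.search(a.get("src") or ""):
            self.captcha_script = True
        if RECAPTCHA_CLASS in (a.get("class") or "").split():
            self.captcha_widgets += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.visible_words += len(data.split())

def classify(html, min_words=25):
    # A captcha with little else visible means the real content is unknown: do not mark clean.
    s = PageStats()
    s.feed(html)
    s.close()
    gated = s.captcha_script or s.captcha_widgets > 0
    return "captcha-gated" if gated and s.visible_words < min_words else "content-visible"

# Constructed samples (not from the campaign): a bare captcha wall and an ordinary login page.
CAPTCHA_WALL = """<html><head><script src="https://www.google.com/recaptcha/api.js" async defer>
</script></head><body><form action="/verify" method="post">
<div class="g-recaptcha" data-sitekey="EXAMPLE_SITE_KEY"></div>
<button type="submit">Continue</button></form></body></html>"""
LOGIN_PAGE = """<html><body><h1>Sign in to your account</h1><p>By continuing you agree to the
terms of service and privacy policy. Need help? Contact support or reset your password.</p>
<form><input type="password"><div class="g-recaptcha" data-sitekey="EXAMPLE_SITE_KEY"></div>
<button>Sign in</button></form></body></html>"""
```

A real scanner would feed the fetched body of each URL to `classify` and hold every “captcha-gated” verdict for a browser-based or human pass instead of closing the case.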

As attackers constantly evolve their tactics when it comes to phishing campaigns, unsolved challenges keep growing for enterprise security customers and IT professionals alike.

There’s the challenge of supporting a large-scale infrastructure that works flawlessly and delivers the business value it’s designed for, yet there is also an expectation to keep these kinds of novel phishing attacks from infiltrating corporate networks.

Staying up to date with the latest intel on cyberattacks and being on the lookout for security tools equipped with this constantly evolving information are great ways to tackle these challenges.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
