Office 365 phishing page evades detection using Google captcha

A newly discovered phishing campaign makes the recipient solve captchas in an effort to both add some legitimacy to itself and evade detection systems.

Typically, captchas are a puzzle or a challenge that humans are made to solve to prove to a web server they are not an automated system (“robot”) accessing the server.

Use of captchas helps distinguish legitimate (human-initiated) traffic from automated bot traffic as the latter can have nefarious motives.

Captchas, therefore, help prevent security attacks – such as rogue pentesting bots by just fuzzing a website and Denial of Service (DoS).

But, what good would a phishing page achieve from making its victims solve captchas?

Evades automated security systems

Not only does the phishing campaign employ captchas to appear more legitimate to its recipients, but addition of captchas means bots can’t access the page.

While the term “bot” may have a negative connotation in this context, these also include automated security research tools looking to detect and deter such phishing campaigns.

Menlo Security analyzed such a phishing campaign that comprised a fake Microsoft Office 365 page.

Vinay Pidathala, Director of Security Research at Menlo Security explained in a blog post:

“To defeat automated crawling systems and ensure that a human is interacting with the page, the attackers put the credential phishing page behind layers of visual captchas, so the user would have to click the right set of images to ensure that they are not a bot,” providing screenshots.

“In addition to the first check, the attackers have designed two other captchas, in case the first one gets defeated by automated systems,” continued Pidathala.

Only after two different captchas are successfully solved by the victim, does the page redirect them to a final landing page.

This landing page is a Microsoft Office 365 login page-lookalike which tries to phish user’s credentials.

A phishing campaign such as this one may appear simple but it is in fact crafted with a very clever purpose in mind.

The addition of widely recognized Google reCaptcha used by many legitimate websites may trick a novice user into believing the authenticity of the phishing page.

But further, email gateways and web proxies that may have otherwise intercepted and blocked the final landing page are now rendered moot.

Because, for them to be able to analyze this page they need to solve the captcha, to prove they are human. The irony behind this setup is tough to miss.

As attackers constantly evolve their tactics when it comes to phishing campaigns, unsolved challenges keep growing for enterprise security customers and IT professionals alike.

There’s the challenge to support a large scale infrastructure that works flawlessly and delivers the business value that it’s designed for, yet there is an expectation to battle these kinds of novel phishing attacks from infiltrating corporate networks.

Staying up to date with the latest intel on cyberattacks, and being on the lookout for security tools equipped with this constantly evolving information are great ways to tackle these challenges.