Microsoft Office 365 Phishing Attack Uses Multiple CAPTCHAs

CAPTCHA phishing attack microsoft office 365

Cybercriminals set up three different CAPTCHAs that Office 365 targets must click through before the final phishing page.

Researchers are warning of an ongoing Office 365 credential-phishing attack that’s targeting the hospitality industry – and using visual CAPTCHAs to avoid detection and appear legitimate.

CAPTCHAs – commonly utilized by websites like LinkedIn and Google – are a type of challenge–response test used to determine whether or not the user is human, such as clicking on the parts of a grid that have a specific object pictured. Cybercriminals have previously utilized CAPTCHAs as a way to defeat automated crawling systems, ensure that a human is interacting with the page and make the phishing landing page appear legitimate.

Though the use of CAPTCHAS in phishing  attacks is nothing groundbreaking, this attack shows that the technique works – so much so that the attackers in this campaign used three different CAPTCHA checks on targets, before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.

“Two important things are happening here,” said researchers with Menlo Security, in a post this week. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

Menlo Security’s Director of Security Research, Vinay Pidathala, told Threatpost said that researchers are unsure of how many users were specifically targeted, however, the industries targeted by this campaign were primarily technology, insurance, and finance and banking.

CAPTCHA phishing office 365 attack

One of the CAPTCHAs presented during the attack. Credit: Menlo Security

The multiple CAPTCHAs serve as backups, in case the first one gets defeated by automated systems, said researchers.

In the first CAPTCHA check, targets are simply asked to check a box that says “I’m not a robot.”

After that, they are then taken to a second CAPTCHA that requires them to select for instance all the picture tiles that match bicycles, followed by a third CAPTCHA asking them to identify, say, all the pictures that match a crosswalk. Attackers also do not use the same CAPTCHAs – researchers said, during their testing they came across at least four different images utilized.

Finally, after passing all these checks, the target is taken to the final landing page, which impersonates an Office 365 log-in page, in an attempt to steal the victims’ credentials.

CAPTCHA phishing office 365 attack

The Office 365 phishing landing page. Credit: Menlo Security

As mentioned above, cybercriminals have relied on previous phishing attacks that leverage CAPTCHA systems to appear legitimate. For instance, a May phishing attack pretended to deliver subpoenas but actually was stealing user’s Office 365 credentials. And, in 2019, a phishing scam was found peddling malware, using a fake Google reCAPTCHA system to mask its malicious landing page.

Pidathala told Threatpost that researchers did not have insight into the lure used in the email campaign. However, “looking at our global customer telemetry, we think the campaign started on September 21, 2020,” he said. “We believe that the campaign is currently active and ongoing, although the probability of success might have decreased as security vendors would have hopefully added protections for this campaign by now.”

Researchers said, the attack shows that cybercriminals continue to switch up their tactics when it comes to phishing and email based attacks. Indeed, just in the past week, researchers have warned of innovative phishing techniques such leveraging OAuth2 or other token-based authorization methods, for instance, or phishing emails pretending to be Windows 7 upgrades.

“Phishing is the most prevalent attack vector affecting enterprises,” said researchers. “These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, make these attacks very successful.”

On October 14 at 2 PM ET get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.