Google reCAPTCHA Abused in Multiple Phishing Campaigns

Modus operandi

• First, the attackers send phishing emails laden with malicious attachments. These emails impersonate a unified communications system used to streamline corporate communication. 
• Once a victim clicks or opens the attached HTML file, they will be redirected to a .xyz phishing domain disguised as a genuine Google reCAPTCHA page in order to fool the users.
• After the reCAPTCHA is verified, victims are presented with a fake Microsoft login phishing page. A fake validation message is then shown to add legitimacy to the campaign.
• The attack cycle of these Microsoft phishing campaigns is hosted at .xyz, .club, and .online generic Top Level Domains (TLDs) and includes several other phishing domains used in these campaigns.

Use of generic TLDs

• .xyz TLD campaign: In this phishing campaign, attackers send a spam email that appears to have come from a unified communications system and laden with an HTML file as an attachment, purported to be a voicemail.
• .club TLD campaign: It follows the same attack pattern as the .xyz TLD phishing campaign; however it uses a fake Google reCAPTCHA, fraudulent Microsoft login screen, and ends by showing the user a hosted PDF file.
• .online TLD campaign: In this phishing campaign, attackers send a PDF file with the attached phishing campaign link, along with a directive that says “REVIEW SECURE DOCUMENT” to the users.

Conclusion