Multiple Microsoft-themed phishing campaigns have been discovered that are using phony Google reCAPTCHA. In these, the attackers are looking for credentials of senior employees of various organizations. According to Zscaler’s report, the firm stopped more than 2,500 phishing emails that belonged to this campaign.

Modus operandi

The phishing campaigns have been active since December 2020 and largely focused on senior employees working in the banking sector. These phishing attacks are likely a part of a single coordinated campaign.
  • First, the attackers send phishing emails laden with malicious attachments. These emails impersonate a unified communications system used to streamline corporate communication. 
  • Once a victim clicks or opens the attached HTML file, they will be redirected to a .xyz phishing domain disguised as a genuine Google reCAPTCHA page in order to fool the users.
  • After the reCAPTCHA is verified, victims are presented with a fake Microsoft login phishing page. A fake validation message is then shown to add legitimacy to the campaign.
  • The attack cycle of these Microsoft phishing campaigns is hosted at .xyz, .club, and .online generic Top Level Domains (TLDs) and includes several other phishing domains used in these campaigns.

Use of generic TLDs

Across the entire duration, various TLDs were used for different attack campaigns:
  • .xyz TLD campaign: In this phishing campaign, attackers send a spam email that appears to have come from a unified communications system and laden with an HTML file as an attachment, purported to be a voicemail.
  • .club TLD campaign: It follows the same attack pattern as the .xyz TLD phishing campaign; however it uses a fake Google reCAPTCHA, fraudulent Microsoft login screen, and ends by showing the user a hosted PDF file.
  • .online TLD campaign: In this phishing campaign, attackers send a PDF file with the attached phishing campaign link, along with a directive that says “REVIEW SECURE DOCUMENT” to the users.


These attack campaigns, aimed at senior business leaders such as vice presidents and managing directors, indicate that the attackers are interested in sensitive data that requires a higher level of access. To protect against such threats, organizations are recommended to limit access to such accounts, as well as implement two-factor authentication.

Cyware Publisher