Phishers leverage Captcha code to bypass email security gateway

• The captcha technique is used to prove human presence while preventing any red flags from the email security gateway.
• The attack is initiated by sending a phishing email from a compromised account ‘@avis.ne.jp’.

Phishing threat actors have now found a new technique to bypass the secure email gateway(SEG). This time, they are using the Captcha to prove human presence, while preventing any red flags from the email security gateway.

How does it work?

Discovered by researchers from Cofense, the attack is initiated by sending a phishing email from a compromised account ‘@avis.ne.jp’. The email pretends is disguised as a notification for a voicemail message.

The victim is asked to preview the alleged communication by clicking on a button included in the email. This button, when clicked, takes the victim to the page with the Captcha code.

“This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, “a robot.” It’s at this point that the SEG validation would fail,” researchers added.

Worth noting

The researchers note that both the captcha and phishing pages are hosted on the Microsoft infrastructure. As a result, they have legitimate top-level domains, ensuring no detection by SEGs during their URL analysis process.

“The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through,” explained the researchers.

What next?

Once the human verification is complete, the recipient is redirected to an actual phishing page. In this case, the phishing page imitates the Microsoft account selector and login page. The phishing page is meant to capture login credentials entered by victims.

Other creative campaigns

This is not the first time that the cybercriminals have come up with an innovative way to bypass security controls. In past campaigns, fraudsters have used QR codes, fake 2FA code and Google Docs to redirect victims to phishing pages.