Fake Google reCAPTCHA used in ongoing Microsoft 365 credential-phishing campaign

Beginning December 2020, the campaign primarily targets senior employees in the banking and IT sectors

Researchers at cyber security firm Zscaler claim to have uncovered a new phishing campaign that is using fake Google reCAPTCHA to steal Microsoft 365 credentials of senior-level employees at various organisations.

While fake CAPTCHA screens have been used before, the researchers say this credential-phishing campaign has been ongoing since December 2020 and primarily targets employees in the banking and IT sectors.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a tool used by many websites to prevent spam. The tool enables the site to determine if the user trying to interact with a page is a human or a bot by asking them to complete a simple test.

CAPTCHA comes in a variety of forms, including image-based puzzles, text-based puzzles, and the familiar "I'm not a robot" reCAPTCHA checkbox.

Zscaler said that it has blocked over 2,500 phishing attacks targeting senior executives over the past three months.

According to Zscaler's ThreatLabZ security research team, the campaign begins with cyber criminals sending phishing emails to potential victims. The message appears to come from the victim's unified communications tools and says that they have a voicemail attachment.

When users click on the malicious attachment, they are directed to a phishing domain under the .xyz generic top-level domain, which is disguised as a Google reCAPTCHA page in order to trick the users.

To proceed, the user must click the typical reCAPTCHA box with the message "I'm not a robot". Once the reCAPTCHA is verified, the user is directed to another page that appears to be a Microsoft login screen.

This page, which asks victims to enter their Microsoft 365 login credentials, also contains logos from the firms where the victims work - making the page look more legitimate.

After the victim enters the credentials on the page, another fake message "validation successful" appears, and users are shown the recording of a voicemail message, allowing the cyber gang to avoid suspicion.

According to the researchers, the threat actors are also running phishing campaigns hosted on the .online and .club generic top-level domains, in which victims are asked to review secure documents and are then tricked into entering their Microsoft 365 credentials into fake login pages.
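As an added defender-side illustration (not code from the article or from Zscaler), the following scores constructed proxy log lines for the chain described above: a CAPTCHA-looking page followed by a login-looking page, or a credential POST, on a host under one of the reported gTLDs. The users, hostnames and paths in the sample log are placeholders, and the keyword lists are assumptions chosen to match the lure stages the article describes.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Generic TLDs the article says the campaign's landing pages are hosted on.
CAMPAIGN_TLDS = {"xyz", "online", "club"}
# URL text matching the lure stages the article describes (CAPTCHA gate, then login/document page).
CAPTCHA_RE = re.compile(r"captcha", re.I)
LOGIN_RE = re.compile(r"microsoft|office|o365|login|signin|secure|document", re.I)

# Constructed proxy log (timestamp user method url status); users and hosts are placeholders.
SAMPLE_LOG = """\
2021-02-10T09:14:02Z alice@example.com GET https://www.google.com/recaptcha/api.js 200
2021-02-10T09:15:31Z bob@example.com GET https://voicemail-notice.lure-example.xyz/recaptcha/ 200
2021-02-10T09:15:40Z bob@example.com GET https://voicemail-notice.lure-example.xyz/office365/login.php 200
2021-02-10T09:16:05Z bob@example.com POST https://voicemail-notice.lure-example.xyz/office365/login.php 302
2021-02-10T09:20:11Z carol@example.com GET https://secure-docs.lure-example.club/review/ 200
"""

def stage_of(url):
    """Label a URL 'captcha', 'login' (credential or document-review page) or None."""
    p = urlparse(url)
    text = (p.hostname or "") + p.path
    if CAPTCHA_RE.search(text):
        return "captcha"
    if LOGIN_RE.search(text):
        return "login"
    return None

def find_campaign_alerts(log_text):
    """Return sorted (user, host, reason) tuples for lure-stage hits on campaign TLDs."""
    events = defaultdict(list)  # (user, host) -> [(stage, method), ...] in log order
    for line in log_text.splitlines():
        _ts, user, method, url, _status = line.split()
        host = urlparse(url).hostname or ""
        if host.rsplit(".", 1)[-1].lower() not in CAMPAIGN_TLDS:
            continue  # real google.com / microsoftonline.com traffic is left alone
        stage = stage_of(url)
        if stage:
            events[(user, host)].append((stage, method))
    alerts = []
    for (user, host), seq in events.items():
        stages = [s for s, _ in seq]
        reasons = []
        if "captcha" in stages and "login" in stages[stages.index("captcha"):]:
            reasons.append("captcha_then_login")  # fake reCAPTCHA gate followed by fake login page
        if any(s == "login" and m == "POST" for s, m in seq):
            reasons.append("credential_post")  # form submitted to the login-looking page
        alerts.extend((user, host, r) for r in reasons or ["lure_on_campaign_tld"])
    return sorted(alerts)
```

In a real deployment the TLD list is a weak signal on its own; the stage ordering and the POST are what raise the alert above noise.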