Microsoft Phishing Page Bypasses Automated Detection Using Captcha

According to BleepingComputer (https://www.bleepingcomputer.com/news/security/microsoft-phishing-page-uses-captcha-to-bypass-automated-detection/), a new phishing campaign has been observed in the wild using captcha boxes to hide a fake Microsoft account login page from secure email gateways (SEGs).

  • The attackers were after credentials for Microsoft accounts and created a page that mimics the original page for selecting an account and logging in.
  • This page is served after the human verification step is completed. Needless to say, anything typed in the text fields is automatically sent to the attacker.
  • According to the researchers, the email delivering the phishing link comes from a compromised ‘avis.ne.jp’ account and pretends to be a notification for a voicemail message.
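
As an added illustration (not from the original article or the researchers), the sketch below shows how an automated URL scanner's verdict logic can report a captcha-gated landing page as unverified instead of clean. The marker list, function names, the password-field heuristic and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Class names of common captcha widgets. Assumption: the page above does not
# say which captcha the campaign used, so this list is illustrative only.
CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "cf-turnstile")

class _PageFacts(HTMLParser):
    """Collects the two facts the verdict needs from the fetched HTML."""
    def __init__(self):
        super().__init__()
        self.has_captcha = False
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if any(m in a.get("class", "") for m in CAPTCHA_MARKERS):
            self.has_captcha = True
        # Simplified heuristic (assumption): a password input marks a login form.
        if tag == "input" and a.get("type") == "password":
            self.has_password_field = True

def scan_verdict(html: str) -> str:
    """Return 'credential-form', 'gated-unverified' or 'no-form-seen'."""
    facts = _PageFacts()
    facts.feed(html)
    if facts.has_password_field:
        return "credential-form"      # pass on to brand and domain checks
    if facts.has_captcha:
        # The scanner never saw what sits behind the challenge, so the
        # absence of a login form here is not evidence that the link is safe.
        return "gated-unverified"     # hold for sandbox or manual review
    return "no-form-seen"

# Constructed sample pages (not captured from the campaign).
GATE_PAGE = """<html><body><form action="/verify" method="post">
<div class="g-recaptcha" data-sitekey="CONSTRUCTED-SITE-KEY"></div>
</form></body></html>"""
LOGIN_PAGE = """<html><body><form><input type="email" name="user">
<input type="password" name="pass"></form></body></html>"""
PLAIN_PAGE = "<html><body><p>Quarterly newsletter</p></body></html>"

if __name__ == "__main__":
    for name, page in (("gate", GATE_PAGE), ("login", LOGIN_PAGE), ("plain", PLAIN_PAGE)):
        print(name, "->", scan_verdict(page))
```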

Expert Comments

September 10, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
This attack shows that when it comes to phishing attacks, technical controls alone are usually not enough and criminals will find a way to bypass them. Therefore, no matter what controls are in place, it's important to provide security awareness and training to users so that they can spot and report any suspicious emails.
