Microsoft Phishing Page Bypasses Automated Detection Using Captcha

According to BleepingComputer (https://www.bleepingcomputer.com/news/security/microsoft-phishing-page-uses-captcha-to-bypass-automated-detection/), a new phishing campaign has been observed in the wild using captcha boxes to hide a fake Microsoft account login page from secure email gateways (SEGs).

  • The attackers were after credentials for Microsoft accounts and created a page that mimics the original account-selection and login page.
  • This page is served after the human verification step is completed. Needless to say, anything typed in the text fields is automatically sent to the attacker.
  • According to the researchers, the email delivering the phishing link comes from a compromised account at 'avis.ne.jp' and pretends to be a voicemail message notification.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
September 10, 2019 1:38 pm

This attack shows that when it comes to phishing attacks, technical controls alone are usually not enough and criminals will find a way to bypass them. Therefore, no matter what controls are in place, it's important to provide security awareness and training to users so that they can spot and report any suspicious emails.

Information Security Buzz