reCAPTCHA phishing attack

A large scale phishing attack campaign has been utilising a fake Google reCAPTCHA system to attempt to steal Microsoft 365 credentials.

Google reCAPTCHA is a Google service designed to help protect websites from bots that spam forms and try to harvest information. The system uses a Turing-style test to tell whether a visitor is human. The most common challenge reCAPTCHA presents is selecting the images that match a given question (for example, "click on all the images containing bikes").

This phishing campaign is targeting thousands of people via email, and notably more senior business people such as Managing Directors, who have access to more sensitive company data that cyber criminals could exploit, such as banking credentials or HR information on employees.

To add legitimacy to the phishing emails being sent, Google reCAPTCHA is used so that recipients are less likely to suspect a phishing email. After completing the reCAPTCHA, the recipient is taken to a fake landing page that includes the logos of the victim's company. From there they are prompted to enter their Microsoft Office 365 credentials, after which the page leads nowhere and appears to be stuck. In fact, the details entered go straight to the cyber criminals who organised the phishing attack, to be sold on or used by the attackers themselves. It is reported that at least 2,500 of these sophisticated phishing emails have been sent to higher-ups in companies.

This is not the first large-scale attempt to harvest Office 365 credentials in recent times. Numerous other phishing attempts similar to the above are now common because of how highly cyber criminals value these credentials. This is because one person's Office 365 credentials give access to many other systems, such as the Outlook email login, for example.