More cybercriminals are using the reCaptcha test to their advantage in their phishing campaigns. That’s the test that ensures you’re not a robot before logging onto a website or submitting a form online.

Barracuda researchers say malicious hackers are using the reCaptcha test to block URL scanning services from accessing the phishing page content. Legitimate companies use the Google service to deter bots from scraping content.

The researchers uncovered one campaign with more than 128,000 emails using this reCaptcha test to obscure fake Microsoft login pages.

End users are familiar with solving reCaptcha tests. Therefore, malicious use of a real reCaptcha wall lends more credibility to the phishing site.

Jonathan Tanner is senior security researcher at Barracuda. He said the phishing masked by reCaptcha can put businesses of any size at risk.

Barracuda’s Jonathan Tanner

“It mainly aims at defeating automated URL scanning services from protecting users from receiving the phishing emails,” he said. “So, regardless of whether or not the company utilizes such security measures, the users would receive the same phishing attempts. If anything, it seeks to bring larger or more well-funded (in terms of security) businesses to the security level of those without such security measures. This specific phishing campaign was aimed at users of Microsoft mail products, which are used by companies of all sizes.”

The phishing emails used in the Microsoft campaign claim the user has received voicemail. The bad actors redirect users who solve the reCaptcha to the actual phishing page.

The phishing page spoofs the appearance of a common Microsoft login page.

It’s not clear whether the page’s appearance matches the user’s legitimate mail server. However, using some simple reconnaissance, the attacker could find this sort of information to make the phishing page even more convincing.

Working-from-Home Risk

People working from home might be more vulnerable to this technique, Tanner said. Network-based web traffic defenses won’t protect any user solving the reCaptcha, he said.

“The most likely detection and prevention method for this campaign would be detecting the email content itself as phishing, which would likely be in place regardless of whether the user was working remotely or not,” he said.

Some solutions that MSSPs and cybersecurity companies offer could help mitigate this attack, Tanner added.

“The best places to detect this sort of attack are through the email content itself (not relying on the URL, but rather the wording and headers of the email) or through analysis of all URLs users visit (should a user click through),” he said. “While the reCaptcha adds a layer of sophistication when it comes to evading URL analysis, the content of the emails reads like standard email phishing attempts, and could likely be detected by email protection capable of identifying such content as malicious.”

There are a number of techniques available to help distinguish phishing sites from legitimate ones, Tanner said. There may be subtle differences in content or structure that could be detected. However, this would require knowing all versions of legitimate pages being served, he said.

“This is perhaps why Microsoft email logins specifically are targeted so often despite actually trailing Gmail for Business in market share,” he said.