reCAPTCHA Phishing

12 November 2021 · Phishing


If you accidentally click on a phishing link in an email and see a page that asks if you’re a robot, please close the browser window and report the email through the Phish Alert Report button (if you've subscribed to this service).

Who’s Being Targeted

This round of attacks targets email addresses that had not received previous phishing emails.

Most phishing attacks use email addresses from breached user databases from websites such as Adobe,, Avast, CafePress, Canva, Facebook, LinkedIn. However, this week’s attacks do not seem to correspond to known third-party breaches. Instead, the targets may be part of a new breach or email contacts from previously-compromised email accounts.

Phishing Emails

The phishing emails use a combination of templates from previous attacks, including password expiration notices, HTML attachments, and voicemail alerts.

As always, be suspicious of any emails that have show an external notification or new contact warning, come as .html (Chrome, Edge, Firefox, or Safari icon), or have links to perform an “urgent” action.

Cat and Mouse Trend

Over the last year, more phishing emails started using encrypted link/email providers (including Adobe, Barracuda, and banks), ad services, and trusted file-sharing services (including Google and Microsoft SharePoint) to evade detection. However, as those providers added malicious link detection to their services, the criminals have gone back to basics by using simple reCAPTCHAs and redirecting their traffic through multiple servers.  

If you haven’t done so already, we recommend taking advantage of the advanced security features, such as Safe Links and Impersonation detection, which Microsoft has moved from its premium security services to its regular Microsoft 365 subscriptions.

We expect that this visual reCAPTCHA trend will fade away over the next few months because it uses an outdated version of reCAPTCHA. Most modern websites have moved to a transparent version that doesn’t require any user intervention. In addition, the actual phishing page uses an outdated Microsoft login background combined with publicly-sourced logos.  The technology behind this sort of login page is now publicly-available in cybercrime communities. At the end of an attack lifecycle, we typically see more gangs using it indiscriminately as we are now. 

Protect Your Business

Our clients have the following protections to avoid being caught by this sort of a phishing attack:
  1. Phishing simulations, including targeted spear-phishing simulations. While generic simulations typically net an 11% click-rate, properly-customized simulations that reflect real-world attacks have over half of users clicking a simulated malicious link and over a tenth providing their passwords
  2. Microsoft recently moved many of their advanced security protections to the basic and standard levels. If you aren't getting notifications about impersonations, first-time contacts, suspicious links, etc., you need to set these up right away.
  3. Customized alerts for internal, external, and partner emails
  4. Proper SPF and DMARC rules to identify and prevent emails being sent by attackers "from" your company
  5. Geographic access restrictions
  6. Multi-Factor Authentication
  7. Phish reporting and assessment add-on to Outlook, Outlook online, and Google
  8. Regular phishing trend notifications
  9. Customized rules to prevent users from receiving malicious attachments in HTML and outdated Microsoft Office formats
  10. Notifications and investigations for unusual email forwarding and other suspicious activities
  11. Investigations for logins from unusual locations
  12. Reconciliations of cloud logins and computer locations
  13. Application and operating system patching
  14. Breach detection and investigation
  15. External and internal vulnerability tests
  16. Full information security control assessments and remediations