Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords (Security News, March 2021)
Microsoft users are being targeted with thousands of phishing emails, in an ongoing attack aiming to steal their Office 365 credentials.
The attackers add an air of legitimacy to the campaign by leveraging a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of victims' companies.
Once victims "pass" the reCAPTCHA test, they are redirected to a phishing landing page that asks for their Office 365 credentials.
Another phishing attack in February purported to be sent from a voicemail service and contained a link to play the voice message "Play Audi Date.wav," eventually redirecting victims to a malicious site with a reCAPTCHA message.
Both of the above examples show that reCAPTCHA continues to be used in phishing attacks, as the tactic successfully adds legitimacy to the attack. "Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020," noted researchers.
Microsoft Office 365 users have faced several sophisticated phishing attacks and scams over the past few months.
News URL
https://threatpost.com/google-recaptcha-phishing-office-365/164566/